The thing you're buying never shows up in a demo
A workflow-automation vendor can show you a pipeline running. An AI governance consultant can't show you anything moving, because what you're actually buying is a set of decisions: which use cases are allowed, who signs off when an AI output touches a customer record, and what happens at 4pm on a Friday when someone pastes a client contract into a chatbot. None of that renders on a screen. So the demo question is the wrong question. The real one is: when this person leaves, what rules are still standing, and can my team follow them without a consultant in the room?
Start by asking how they classify. Say you run a 60-person services firm and your team uses AI for first drafts, support replies, and internal research. A serious consultant will sort those into risk tiers within the first conversation — drafting a blog post is not the same risk as summarizing a signed NDA — and will name the data-sensitivity line, the human-review trigger, and the exception path for each. The NIST AI Risk Management Framework is the durable backbone for that classification work; what you want to hear is them translating its categories into rules a 26-year-old account manager can actually apply, not reciting the framework back to you.
Three questions that separate operators from policy-writers
Most weak governance engagements end with a 40-page acceptable-use PDF that nobody opens. The IBM Institute for Business Value AI capabilities research draws the line you care about: is this person building a capability your business keeps, or producing a document you file? Three questions flush that out fast.
First: "Walk me through how a rule reaches the actual tool my team uses." Governance that lives only in a policy doc is theater. If your team runs Microsoft 365 Copilot, ask specifically how they'll handle identity, restricted content, and audit trails — the Microsoft 365 Copilot data protection architecture shows how permissions and auditing already work, so a consultant who hasn't touched those controls is governing on paper only. Second: "Who owns this after you leave, and what do they check each month?" A real answer names an owner, a review cadence, and two or three metrics. Third: "Show me what you'd hand my ops lead on day one." The PwC Responsible AI survey keeps surfacing the same gap — leadership and accountability lag the technology — so the consultants worth paying are the ones who treat adoption and ownership as the hard part, not the afterthought.
Ask for the artifacts, then pressure-test one
Before you sign, ask to see redacted examples of what they actually produce: a risk-tier rubric, an acceptable-use policy short enough that people read it, a workflow review checklist, an incident routine for "AI did something wrong," and an adoption scorecard. Then do the test that matters — take one artifact and your most ambiguous real scenario (the contract-pasted-into-the-chatbot case is a good one) and ask them to walk it through, live. A consultant who built operable governance answers in plain language and points to the rule. One who sells slides starts hedging.
If you want a structured way to map your own AI workflows against the controls a consultant should own before you start interviewing, run the AI Opportunity Score, and use AI Governance and Training to see what a working operating model looks like end to end.