An organization putting AI into daily work needs one decision made early and made once: how much scrutiny each use deserves. Treat every use as equally risky and the program is too slow to live inside; treat every use as equally safe and the first expensive error is a matter of time. This framework makes that decision proportionate to risk, with a tier set by two things: the use case's data classification, and the impact severity of an error — not by which tool is involved. Tools are governed separately, as third-party risk: an approved list, vetted once for data retention, training-use terms, and tenant isolation. A use case runs only on a listed tool.
Once a use case has a tier, three questions are already answered — who approves it, what the human has to check, and what it takes to graduate to standard practice. Nobody relitigates those questions per request.
Scope. A deployer-side policy: it governs the AI people use in their own work — drafting, analysis, code, decisions a named human still owns. Two categories are deliberately out of scope: agentic workflows that act without per-action human approval, and AI embedded in client-delivered products, where the firm takes on provider obligations. Both enter only at Tier 3, which gates them; their full governance — agent permissions and oversight design, product-grade evaluation, liability — belongs to companion artifacts.
The tiers
Tier ∞ — Prohibited (unacceptable use)
A short, enumerated list — not a vibe. Typical contents: fully automated adverse decisions about employees or clients; covert monitoring; emotion inference on staff; inputting data the firm is contractually barred from processing in third-party systems. The list is organization-specific. Not everything is approvable at some price.
Tier 1 — Low consequence
- Covers
- Public or internal data classifications. Errors are caught in normal work and cost little. e.g. Drafting internal documents. Brainstorming. Summarizing public material. Meeting notes.
- Who approves
- Nobody. Covered by general training.
- Verification obligation
- Author reads it before using it. The output is a draft, and the author owns the draft.
- Gate to standard practice
- General training complete. Use is logged, not reviewed.
Tier 2 — Consequential output
- Covers
- Confidential-classified data, or output that leaves the team: client-facing content, analysis feeding a decision. e.g. Client communications. Financial analysis for internal decisions. Report drafting. Code that stays local or feeds analysis a person verifies.
- Who approves
- Department lead or designated champion, once per use case (not per use).
- Verification obligation
- Every factual claim and number checked against source. A named human signs off before it leaves the team. Disclosure follows client terms.
- Gate to standard practice
- Role-specific training, plus an evaluation spot-check on the department's own documents.
Tier 3 — Regulated, autonomous, or consequential to people
- Covers
- Regulated data (PII, payroll, client financials); external deliverables carrying professional liability; any workflow operating human-on-the-loop or autonomously; any use case materially affecting consequential decisions about identifiable people — hiring, promotion, discipline, credit, pricing — regardless of data classification. e.g. Anything touching financial reporting or audit. Agentic workflows. Client deliverables under professional standards. Code shipping to production or touching customer data, auth, or payments — where the gate is the SDLC controls engineering already runs.
- Who approves
- Cross-functional review: technology owner plus Legal / Finance as the data classification requires.
- Verification obligation
- Documented sign-off, logged and auditable. AI assistance disclosed where client terms or professional standards require it. For autonomous steps: escalation thresholds above which a human must look, and a named owner of errors.
- Gate to standard practice
- Independent pre-deployment evaluation on the organization's own data — reviewed by someone who doesn't own the use case's success — before pilot. Standing regression evaluation after, with pre-committed revert criteria. Models change under you.
Five rules that make the table work in practice
- The tier is assigned at intake, not chosen by the requester. A short decision tree triages it, the tier's approver confirms it, and a use case with no tier is not yet permitted. Tier 1 logs are spot-audited — self-classification drifts toward whatever is fastest.
- AI assistance never transfers responsibility. If you send it, sign it, or ship it, it is yours. This norm does more work than the rest of the policy: it makes verification self-interested.
- The fast lane has to be genuinely fast. If a Tier 1 or Tier 2 request takes weeks to approve, usage doesn't stop — it moves to personal accounts as shadow AI, where none of this applies. The safest program is the one people stay inside.
- Approvals age. Tier 2 use cases get a lightweight annual re-attestation, and anyone can trigger a re-tier when the data class, audience, volume, or underlying model changes. Drift happens between anniversaries.
- Good-faith errors get a blameless review; willful violations get the enforcement ladder. Incidents go to one channel, with a three-level severity taxonomy keyed to the tiers. Mix the two up and the incidents don't stop — they just stop being reported.
Structure aligns with NIST AI RMF (risk-proportionate controls), ISO/IEC 42001 (supplier vetting, periodic review), the EU AI Act's risk-category logic (prohibited uses; obligations scaled to consequence), and model-risk practice (independent validation, continuous monitoring).