techletter by Nesibe

techletter by Nesibe

Why Your AI Policy Fails Before Anyone Enforces It

A signed policy is not the same as one that binds. Here is the seven-part outline a governance-grade AI policy needs, and the seven signals that tell you whether yours will hold.

Nesibe Kiris Can's avatar
Nesibe Kiris Can
Jul 07, 2026
∙ Paid

In May 2023, Samsung’s semiconductor division discovered that in under a month, three of its engineers had fed confidential company data into ChatGPT. One pasted proprietary source code to fix a bug. One turned a recorded internal meeting into text and dropped the transcript in to generate notes. One uploaded chip test data to optimize a yield calculation. None of them were doing anything malicious. Each was trying to work faster. Samsung’s response was a company-wide ban on the tools, and within weeks Apple, JPMorgan, Bank of America, Verizon, Amazon, and Deutsche Bank had issued restrictions of their own.

Bans are what companies reach for when they have no policy that works. Three years later, most organizations do have a policy, and the same behavior is still happening underneath it.

That is the problem worth understanding. The policies exist. They assign responsibility for safe AI use, name an owner, list the rules. And then the organization around the document keeps rewarding speed, keeps tolerating workarounds, and funds no enforcement. By the time the policy circulates, the decisions that actually determine whether it works were made somewhere else, in procurement, in performance targets, in how the company is structured across regions.

I spend most of my time advising organizations that operate across borders, and I can usually predict how a policy will perform before I read it. The drafting is rarely the problem. It is everything the drafting cannot reach.


What an AI Policy Is Actually For

An AI policy is an internal governance instrument that defines which AI systems an organization may use, for what purposes, under whose oversight, and with what data. Good concept. The reason it usually stays shallow comes down to who it was written for.

A customer nervous about which AI tool can be trusted with their data.

A board that wants to be seen doing something.

A regulator waiting for evidence, though outside the EU most regulators still have no concrete compliance standard to measure against, so what companies produce gets shaped by what the audience expects rather than by any real threshold. Write to satisfy those three and the result performs seriousness without touching behavior. It only has to exist, look thorough, and carry a signature.

A policy should not be a response to external pressure. It is actually there to protect four internal things:

  • Protecting the data

  • Protecting the customer

  • Protecting the employee

  • Protecting a reputation

Treat all of that as a compliance checklist and you get a document that satisfies an auditor and defends none of it.

  • The 2026 PagerDuty Shadow AI Survey of 1,250 office professionals at companies above $500 million in revenue found that 86% have an AI policy in place, and 66% used AI at work anyway, knowing it was not allowed.

Almost every company has the policy. Far fewer have one that binds.


What Actually Breaks Without a Working Policy

Here is what I keep seeing, and it is almost never a single dramatic failure.

It is a slow build-up of gaps, each one small enough to ignore until it isn’t:

  • Nobody can name what is in use. A tool arrives through a free tier or a feature switched on inside software the company already licenses, a manager two levels down waves it through, and no one writes down that the decision was made. Six months later it sits in three workflows and the governance owner has never heard of it.

  • Data leaves through the fastest door. A client file or a block of source code ends up on someone else’s server, because the sanctioned path was slower and nobody built a fast safe one.

  • Accountability splits until no one holds it. A model makes a call that harms someone, and responsibility divides so neatly between the person who used it, the team that bought it, and the vendor who built it that none of them carries the weight.

  • High-stakes calls run with no human in them. A hiring or credit decision gets automated, and no one ever decided whether a person should look at it before it takes effect.

  • The same failure repeats. An incident gets handled quietly on the spot and never changes a process, so the next team walks straight into it.

  • The affected have nowhere to go. Someone turned down by an automated decision cannot ask why, because a way to challenge it was never built into the design.

None of this reads as a technology problem to me, and I do not think it is one. Each gap traces back to a decision made further upstream, before anyone sat down to write the policy. The responsibility gets assigned. The lever that would make it real stays somewhere else. That is what a working policy has to fix, and here is what one actually contains.


What a Complete AI Policy Actually Contains

A governance-grade AI policy is not a long list of rules. It is seven groups of them, each sitting at one level, each mapping to a framework someone will eventually audit you against. For an organization living under more than one regime at once, the mapping is what lets a single policy answer to ISO assessors, US state law, and the EU AI Act without being rewritten three times. The full one-page version, with every item mapped, is at the end of this post.

The seven groups run like this.


Upgrade to paid!

This post is for paid subscribers

Already a paid subscriber? Sign in
© 2026 Nesibe Kırış Can · Privacy ∙ Terms ∙ Collection notice
Start your SubstackGet the app
Substack is the home for great culture