How do I govern AI use across a project team?
AI governance for a project team requires four policies: an approved tool list, data handling rules, output review standards, and an escalation path for AI errors. Document these in a team AI charter signed by the project sponsor.
Without governance, AI use on a project team is already happening. It is just happening inconsistently. One team member uses ChatGPT for status reports. Another pastes client data into a free AI tool without realising that the data is being used for training. A third has found a tool that accelerates their work significantly and has not told anyone.
The goal of AI governance on a project team is not to control or restrict. It is to make AI use visible, consistent, and safe -- so the team can get the benefits without the risks accumulating invisibly.
The Four Policies Every Team Needs
Effective project team AI governance does not require a lengthy policy document. It requires four clear decisions, written down and agreed by the project sponsor.
Policy 1: Approved tool list. Define which AI tools the team may use without individual approval, which require a quick check-in with the project manager or IT, and which are off-limits for project use. Start with what people are already using. The purpose is visibility, not prohibition.
Policy 2: Data handling rules. Define what categories of project data may and may not be entered into AI systems. At minimum: client names and identifying information, financial data, and confidential project documents should require explicit approval before entering any external AI tool. This single rule prevents the most common category of AI-related data exposure.
Policy 3: Output review standards. Define which AI outputs require human review before use. Any AI output that influences a consequential decision -- a risk assessment, a stakeholder communication, a financial estimate -- should have a human checkpoint. This does not mean every AI-generated sentence needs approval. It means the team has discussed where the review bar sits.
Policy 4: Escalation path. Define what team members do when they encounter an AI-related problem: unexpected outputs, suspected data issues, a tool behaving unexpectedly, or a vendor communication about a data incident. The escalation path should be simple: tell the project manager, who escalates to IT or legal if needed.
Creating the Team AI Charter
Document these four policies in a team AI charter -- a one-page document signed by the project sponsor. A charter does three things: it makes the policies official rather than informal, it gives team members clear guidance they can reference, and it demonstrates to stakeholders that AI use on the project is managed.
A minimal team AI charter includes:
- Approved tool list (with status: approved / check required / off-limits)
- Data classification rules (what can and cannot enter external AI tools)
- Output review triggers (which AI outputs require human review before use)
- Escalation contact (project manager name and how to reach them)
- Review date (when the charter will be revisited -- quarterly is sufficient)
Keeping It Lightweight
The most common failure mode for AI governance is making it too heavy. A twelve-page policy that requires legal sign-off before any AI tool trial will be ignored.
The right weight is: simple enough that team members remember the core rules without looking them up, and formal enough that there is a record of the decision. A one-page charter and a five-minute team briefing are sufficient for most project teams.
Revisit it quarterly or when a new AI tool is adopted. The environment is changing quickly enough that six-month-old policies may not reflect current tools or current risks.
The goal is a team that uses AI with confidence -- knowing what is allowed, what to avoid, and who to ask when something does not feel right.