Across the organisations we work with, one pattern keeps coming up: teams are pushing to build AI quickly, but they don't have the right delivery structure in place to support it.
This isn't a criticism. The pressure to move fast on AI is real. But without the right operating model, you end up with one of two problems.
The first is under-governance. AI tools get built inconsistently, security and compliance gaps appear, and there's no shared standard for how decisions get made. The second is over-governance. Existing IT processes, designed for large, complex, long-running projects, get applied to every AI initiative regardless of size or risk. Everything slows down, teams get frustrated, and innovation stalls.
Neither works. What organisations actually need is a governance model that fits the work.
We recently worked with a UK transport organisation that was facing exactly this. There was strong demand across the business to start building AI solutions. But there was no defined delivery model, no agreed governance process, and the existing IT framework was too heavyweight for many of the use cases teams wanted to pursue.
The goal was straightforward: enable AI experimentation at pace while keeping the right controls in place.
We started by working with IT, security, and business teams together. Rather than imposing a framework from the top, we mapped the full journey from initial idea through to deployment, then looked at what actually varied across different types of work.
The key insight was that AI initiatives aren't all the same. Some are small, self-contained tools with no external connections. Others involve shared infrastructure and enterprise data. Others sit somewhere in the middle.
Treating all of them the same way, either with no governance or with the same process as a major system integration, creates unnecessary risk or unnecessary friction depending on which direction you default to.
So we categorised initiatives by complexity and risk, then designed delivery pathways to match.
Low complexity: fast track
For contained, low-risk use cases, such as localised tools, citizen development projects, and solutions with no external connectors, the framework allows lightweight governance and rapid approvals. These projects don't need a six-week sign-off process. They need clear guardrails and a quick path to deployment.
Medium complexity: structured review
For solutions with shared ownership across IT and business teams, or where clear environment and security standards need to be met, additional review points are built in. These projects move faster than a traditional enterprise delivery process, but with more rigour than the fast track.
High complexity: enterprise alignment
For initiatives involving integrated systems, enterprise data, or higher security and compliance requirements, the framework aligns to existing enterprise delivery processes. Formal architecture and infosec governance applies here. These projects carry real risk and deserve full scrutiny.
One additional piece of the work was helping teams understand when to use off-the-shelf tools versus when to build something bespoke.
Platforms like Copilot Studio are well-suited to a range of use cases. But they're not the right answer for everything. Part of good AI governance is giving teams a clear, shared understanding of where different tools are appropriate, so technology decisions are made deliberately, not by default.
At the end of the engagement, the organisation had a framework that gave them:
The framework is also repeatable. It works for both early-stage experimentation and enterprise-grade delivery, because it scales to the work rather than forcing everything through the same gate.
The organisations making the most progress with AI aren't just moving quickly. They're building on foundations that will hold as they scale.
Getting governance right early isn't about slowing things down. It's what makes sustainable delivery possible.
© Hudson & Hayes