Most organisations that speak to me about AI aren’t starting from zero; they’re starting from overwhelm.
They’ve read about ISO 42001 and the EU AI Act. They’ve been to a webinar or two. They know they need something, but the frameworks feel enormous, the consultants feel expensive, and the whole thing feels like it might take months they don’t have. At the current pace of development, months is a long time.
Minimum Viable Governance (MVG) is my answer to this problem.
The product development parallel
In product development, a Minimum Viable Product (MVP) is the simplest version of something that actually works — that delivers real value to real users, even if it’s not finished or perfect.
MVG borrows that logic. It’s the smallest amount of governance structure that lets your organisation say “yes” to AI opportunities safely, say “no” when you need to, and demonstrate to regulators, customers, and staff that you’re taking this seriously.
It’s not a framework. It’s not a destination. It’s a starting point.
What MVG looks like
For a 20-person professional services firm, MVG might be:
- A one-page AI Principles document approved by the leadership team
- A simple spreadsheet inventory of the six AI tools already in use
- A WhatsApp-friendly summary of what staff can and can’t use AI for
- A named person (the ops director, say) who owns any new AI decisions
That’s it. That’s enough to get started — and it’s genuinely better than what 90% of comparable organisations have.
For a 100-person organisation, MVG looks a bit different:
- A two-page policy with a public-facing charter
- A proper system inventory with risk ratings and owners
- A documented approval process for new AI adoption
- A quarterly review meeting with a governance lead
Both of these are real governance. Neither requires six months or a consultant on-site every week.
The three questions
When I’m helping an organisation figure out where to start, I ask three questions:
1. What AI are you already using? — You can’t govern what you don’t know you have. The inventory always comes first. It’s almost always more than people expect.
2. What’s your biggest risk right now? — Not a theoretical risk inventory. One specific thing that keeps someone awake at night. Bias in a recruitment tool. Customer data in a public chatbot. A supplier using AI in ways that contradict your values. Start there.
3. Who needs to see that you have governance in place? — Is it your board? A client asking for a due diligence response? A regulator? Understanding the audience shapes the format and level of detail.
The iterative approach
The mistake people make with governance is treating it as a one-time project. You build it, you file it, you forget it.
Good governance is iterative. You build the minimum that works now, you use it, you find the gaps, you fix them. The EU AI Act will change. Your AI use will change. Your organisation will change. Your governance needs to change with it.
MVG isn’t a lower standard — it’s a more honest one. It acknowledges where you are and gets you moving, rather than waiting for perfection that never arrives.
A note on AI Act compliance
If you’re a UK-based organisation, the EU AI Act is relevant to you if you’re deploying AI in the EU, selling AI systems to EU customers, or your supply chain includes AI systems built for the EU market. That’s a lot of organisations.
The good news: MVG is a genuine foundation for compliance. The principles, inventory, and risk register are exactly what regulators want to see when they come knocking. You don’t need a certified AIMS (AI Management System) to start — but you do need to have started.
If this resonates and you want to talk through what MVG looks like for your specific organisation, book a call. Thirty minutes, no deck, no pitch. Just a conversation.