AI Governance Sprint

Your engineers are using AI tools. There's no company standard and no security sign-off.

Get an enterprise AI operating model and a 60-day implementation roadmap — before an incident forces the decision.

  • 3 months: Rigorous structured pilot before committing
  • 2 teams: Head-to-head tool evaluation with real KPIs
  • Enterprise standard: Copilot standardized before a security incident
  • Fortune 50: Proven at Best Buy scale

The AI governance gap most engineering orgs are sitting on

Every CTO I know has the same AI problem right now: engineers are using Copilot, Cursor, ChatGPT, and whatever else launched last week — no company standard, no security sign-off, no way to measure whether it's helping or introducing risk.

What's happening right now

  • Engineers are adopting AI tools ad hoc, team by team
  • No policy on what data can go into which tools
  • Security hasn't signed off on any of the tools in active use
  • No measurement: is AI actually increasing velocity or just satisfaction?
  • No standard means every team has a different setup and different risk profile

The risk if you wait

  • A developer pastes proprietary code into a non-approved tool
  • Customer data or internal IP ends up in a third-party training set
  • A security audit exposes uncontrolled AI tool use across the engineering org
  • A board-level question about AI governance you can't answer
  • The security incident forces the decision in the worst possible moment

An enterprise AI operating model. Not a policy document — a model you can implement.

The sprint ends with a recommendation your CTO can accept and a 60-day roadmap your engineering team can execute.

What you receive at the end of week 4

  • Audit of current AI tool use across the engineering org — what's in use, how, and by whom
  • Risk assessment: data handling, security posture, and compliance exposure by tool
  • Enterprise AI operating model recommendation: which tools to standardize, which to prohibit, how to govern ongoing adoption
  • Tool selection rationale aligned to your existing security controls, licensing, and procurement constraints
  • Developer adoption framework: how to roll out the standard without losing the velocity gains
  • 60-day implementation roadmap with named owners and sequenced milestones

Engagement Terms

4-week fixed scope  ·  No retainer required

Scoped to your organization size and current AI tool landscape. Includes direct engagement with engineering leadership and your security/compliance function. Most clients use the deliverable to make the tool standardization decision they've been deferring — and to get security sign-off before rolling it out.

Four weeks. Structured. No surprises.

Week 1 — Landscape Audit

Document what's in use, how it's being used, and what data is flowing through which tools. Identify the unauthorized and the unvetted.

Week 2 — Risk Assessment

Security and compliance review of each tool in active use. Map exposure against your existing policies, enterprise licensing, and regulatory requirements.

Week 3 — Model Design

Operating model recommendation: what to standardize, how to govern ongoing adoption, and what the rollout sequence looks like for minimum disruption.

Week 4 — Readout & Roadmap

Executive readout with the CTO and CISO. 60-day implementation roadmap finalized. Ownership assigned. Communication plan for the engineering org included.

Done before an incident forced the decision at Best Buy

3 months: Structured AI bakeoff → enterprise-wide Copilot standardization at Best Buy

At Best Buy, I designed and led a 3-month structured pilot before committing to any AI tooling standard. Two teams of 10 engineers, head-to-head evaluation of leading tools against real KPIs: developer velocity, code quality, satisfaction, and security posture. The data supported standardizing on Microsoft Copilot — aligned to the existing enterprise license, with governance controls already in the stack. The governance model mattered more than the tool choice: teams with a standard outperformed teams with the "best" tool and no standard. We made the decision before a security incident forced it. That is exactly the window this sprint is designed to open.

What I learned from the bakeoff

  • All major tools performed comparably on core productivity metrics
  • The governance model and adoption framework mattered more than the tool choice
  • Alignment to existing enterprise licensing removed procurement friction
  • Security sign-off is non-negotiable and should drive the process, not follow it

What I see across organizations

  • Most orgs have already lost control of what tools are in use
  • The first step is honest inventory — most CTOs don't know what's running
  • Developers will adopt the standard if it's better than chaos, not worse
  • The security conversation is easier to have before the incident than after

You haven't avoided the problem — you've let it grow unsupervised

A 20-minute call will tell us both whether there's a fit. No commitment required.
