
What Two Years of AI Governance Looks Like

by | May 21, 2026

A year ago, the people on our team who were the most hesitant when using AI were the ones handling the most sensitive work in the company: HR, account management, and operations. They'd seen and heard what the tools could do for other members in different departments, but they didn't really know what they were allowed to do, or could safely do, with these tools themselves.

The gap between what people can do with AI, and what they should be doing, is a problem many organizations are trying to solve right now. What we've learned over the past two years is that closing that gap takes more than a policy. It takes a clear operating model that defines who decides what tools get used, what data is safe to share, how decisions get reviewed, and where to go for help. 

In August 2024, we published our first AI Software Usage Policy and training program. We'd researched what other agencies and organizations were doing, studied several frameworks, taken courses, and built something we thought was solid. And it was, for the moment we were in. But the technology kept changing, and our practice kept evolving with it, so the original policy would eventually need an overhaul. 

Nearly two years later, what began as a single policy document has evolved into a comprehensive AI governance program with a clear organizational structure, a three-document policy architecture, a company-wide platform strategy, and a training program founded on peer-led learning. 

We decided to describe our approach and what we learned along the way because we believe it’s important to share our knowledge with our community, especially when it comes to something as transformational and impactful as AI. If you’re navigating similar questions and challenges within your own organization, our hope is that some of this will be useful to you. 

We Started by Listening

By the end of 2025, it became clear we needed a coordinated AI strategy for the company. The agency model is shifting fast. AI is changing what clients expect from agencies and what they're willing to pay for. New AI-native competitors are emerging. The capabilities of the latest tools keep surprising us, and the pace of change keeps accelerating. We believed that in order to come through this shift intact we needed to move deliberately rather than reactively.

So we set out to build a company-wide AI strategy for 2026, and we made the equally deliberate choice to start by listening. Governance works best when it reflects how people actually work, and the people doing the work often see things that leadership can't. Before writing anything new, we conducted in-depth interviews with every department and functional lead at Kalamuna, including our CEO. The goal was to understand how people on the team were using AI, what was working and what wasn’t, and what they needed.

Almost everyone was experimenting. Our sales team had built sophisticated multi-tool workflows. Our developers had standardized on AI-assisted coding. Designers were synthesizing research and generating placeholder content. 

Enthusiasm was high. What was missing was shared direction. Knowledge was siloing, either around individual tools or in individuals’ heads. Some team members were becoming power users while others barely knew where to start. Some people had access to advanced tools that others didn’t. The people handling the most sensitive information (HR, account management, and operations) were holding back because they were uncertain what was safe to put into an AI tool. And almost everyone reported the same thing: company information was scattered across too many platforms, with no easy way to find what you needed unless you already knew where it lived. That last issue wasn’t an AI problem, but it was something that everyone felt AI should be able to solve.

One of the more insightful observations came from someone on the team who pointed out that the gaps they most wanted to close had to do with process, not AI. Automating a broken process, they reasoned, would just produce broken automation.

Every department acknowledged that while AI could improve the quality of their work, it didn't reduce the time it took to produce it. Clients might expect AI to make services cheaper and faster, but the reality is more complex, and our industry is still trying to find a pricing framework that takes into account the impact of AI subscriptions and tokens on the bottom line. Better outcomes are the real gain for now, and speed may follow once the underlying work is done: process standardization, clear guidance, and investment in skills.

That last finding directly influenced our approach for what came next. It was apparent the tools were already capable, but the operating conditions weren’t. To fix the system we needed to focus on how tools get chosen, how skills are developed, and how knowledge moves between teams. 

From a Single Policy to a Governance Program

Our original AI policy was a good start, but one document trying to cover tool approvals, data governance, development criteria, client consent, and ethical principles gets unwieldy fast, especially as the technology grows more complex. So we rebuilt it, and one policy became three, supported by a set of operational reference documents.

The AI Software Usage Policy governs day-to-day use of AI tools across the company. The current version is the third iteration, rebuilt from the ground up. It includes a risk tiering framework (low, medium, and high) that determines the level of oversight and documentation required for different types of work. It covers data classification, so people know exactly what information can go into which tools under what conditions. It has a dedicated section on agentic AI (tools that take actions autonomously, like browser automation and code agents) because those capabilities didn't exist in a meaningful way when we wrote version one.

The AI Development and Deployment Policy started as a section within the original Usage Policy and has been expanded into a standalone document. It governs situations where we build, integrate, or deploy AI-powered features as part of client deliverables: chatbots, AI-assisted search, automated accessibility scanning, and similar work. This document covers the full lifecycle from scoping through deployment, monitoring, and handoff. Its core principle, which shapes every other requirement, is straightforward: do no harm to end users. 

The Tool Approval Policy is now a standalone reference: the single source of truth for which AI tools are approved, restricted, or under review, along with the approval workflow and criteria for each status. Splitting it out of the main policy means it can be updated as tools evolve without requiring a full policy revision each time.

Alongside these, the Responsible AI Statement is our public-facing commitment, published on this website, alongside our dedication to accessibility and privacy. It describes our commitments to four stakeholder groups (clients, our team, society, and the environment) and explains how we govern AI at an organizational level. It's designed for clients, prospective clients, and anyone who wants to understand how AI touches our work.

We also developed a Project AI Usage Log template for our project managers to maintain throughout engagements that employ AI tools. We worked with our PM team to ensure it would achieve our goals of transparency and traceability without being overly burdensome. Low-risk, routine usage (internal brainstorming, researching public information) doesn't need to be logged at all. Medium-risk usage (client-facing content drafts, code generation, data analysis) and high-risk usage (database queries on client systems, any use involving PII) do. The goal here is to ensure that if a question arises about AI's role in any deliverable, the log provides enough context to answer it.

Together, these documents function as a system. The Usage Policy holds the principles; the Development and Deployment Policy applies them to client work; the Tool Approval Policy and Project AI Usage Log keep the operational layer current; and the Responsible AI Statement makes the entire program digestible for anyone outside the company.

Building the Structures Around the Policies

Policies without organizational structures behind them are just documents. Easily read, and easily forgotten. So alongside the policy work, we've built the scaffolding to make governance operational.

Our informal AI working group has been formalized into an AI Steering Committee with cross-departmental representation from technology, design, sales, account and project management, marketing, operations, HR, and leadership. The committee oversees policy, tool adoption, risk management, and compliance.

We've established an AI Champions network: team members from across departments who serve as peer support for AI adoption and responsible use. They're the people you go to when you're not sure which tool to use for a task, or how to approach a new AI workflow. 

We consolidated our LLM use to a single AI platform. Between ChatGPT, Claude, Gemini, and various individual subscriptions, fragmentation created real problems. Prompting techniques refined by one team were invisible to everyone else, knowledge was compounding inside individual tools instead of benefitting the organization, and there was no shared learning. We've now moved to Claude Team as our primary AI platform across the organization, which gives us shared projects, shared learning, and enterprise-grade data controls that directly address the privacy concerns that were holding some team members back.

Our training program still centers around AI fundamentals and certification, but is now supplemented with internal workshops and knowledge-sharing. We developed Claude-specific onboarding materials tailored to our team, we’re running workshops on advanced features like creating Skills to automate common tasks, and we’re conducting department-specific tool-to-process mapping. We continue to run structured AI Office Hours every month to provide a regular venue for questions and peer learning, in addition to a limited run of Claude Office Hours for our AI Champions to get up to speed on the new tools so that they can better support the rest of the team.

And the company-wide AI strategy work that initiated all of this has been distilled into department-specific guides, so that everyone has a clear, relevant picture of what it means for their work, all anchored in the unified AI strategy for 2026.

Governance as Accelerant

This process helped us realize that clear governance can actually speed up adoption. It might sound counterintuitive, but the interviews kept pointing in that direction.

Uncertainty was a real bottleneck. People were unsure which tools were approved to do what, what data was safe to share with AI, and whether their experiments were aligned with what the company needed. So they either forged ahead without guidance or held back entirely.

That’s precisely the problem governance is designed to solve. By setting clear boundaries (here's how you classify your work, here's what data can go where, here's the approved toolset, here's where to get help) you give people the confidence to engage and try things. The more practice they get, the quicker they’ll develop the skills and the more they’ll share with the rest of the team.

We expect the risk framework to work the same way. Instead of treating all AI use the same way, a tiered approach lets low-risk work happen with minimal friction while ensuring high-stakes work gets the oversight it needs. That tiering matters because over-governing low-risk use can stifle adoption, and under-governing high-risk use creates liability. Getting the balance right is key.

What Stays Human

Through all of this, there was one theme that came through clearly and consistently. Every department identified work that must remain human-led: client relationships and strategic conversations, creative direction and design judgment, employee matters requiring empathy, and the ability to build consensus, narrow uncertainty, and create something greater than the sum of its parts.

As our CEO put it during the strategy process: “while AI can do a lot, people still want to work with people. Kalamuna's differentiator is our collective ability to synthesize, align, and create outcomes that clients can't assemble on their own.”

Our governance program makes these commitments explicit: AI augments roles at Kalamuna. All AI-assisted deliverables require human review before delivery. And we invest in tools that amplify our team's strengths and elevate the quality and impact of their work.

The Work Continues

While we’ve already accomplished a lot so far this year, the work isn’t finished. These policies are living documents, reviewed at minimum annually and updated when the technology, the regulations, or our practices change. We're still learning, still adjusting, and still listening to our team as we roll this out. 

If you're curious about how we approach AI, our Responsible AI Statement is the best place to start. Clients and partners are welcome to review our internal policies. And we would love to answer your questions about how we did any of this or how we can help your organization do something similar. You can reach us through our contact form.

Crispin Bailey

Senior Director of Design & AI

Crispin leads Kalamuna's AI practice and governance, helping the agency and our clients adopt AI in ways that are genuinely useful, responsible, and grounded in real human needs. He also directs our design and UX practice — and he treats these as one job, not two: making sure the things we build, and the tools we use to build them, serve the people on both sides of the screen. Across project phases, he connects research, design, and strategy, with particular care for accessibility.