Tech teams are the early adopters. Engineers are running Copilot. Support staff are using AI for ticket triage. Sales is using AI to write outreach. The COO drafted the last board update with a Claude prompt.

That's the good news.

The governance gap: almost none of this is structured. Nobody decided which tools are approved. Nobody trained the team on what to include in a prompt and what never to paste in. There's no audit trail if something goes wrong. And the junior hire who joined last month has had exactly zero onboarding on any of this.

At 12 people, this is manageable through proximity. At 40 people, it's a liability.

The Moment the Gap Becomes Visible

There are a few predictable triggers that reveal the governance problem:

An enterprise client asks about your AI practices. Vendor security questionnaires now routinely include questions about AI governance: Do you have an AI use policy? How are employees trained on data handling with AI tools? Can you provide evidence of AI training for staff who handle our data?

A "we don't have a formal program" answer delays or kills deals with compliance-conscious buyers — financial institutions, healthcare organizations, government contractors, large enterprises. This is a real sales problem, not just an internal one.

Someone pastes client data into a free tool. It happens at every company. A support engineer pastes a customer's API keys or error logs into ChatGPT to get help with debugging. A salesperson pastes a prospect's strategic plan into Claude to prepare for a call. A developer pastes proprietary code into an AI coding assistant to work through a bug.

None of them thought they were doing anything wrong. The tool is right there, it's fast, and it solves the problem. Without training on data classification and prompt hygiene, there's no reason to behave differently.

An AI-generated output causes a real problem. AI-assisted code that doesn't get reviewed properly. A customer communication drafted with AI that contains an error and goes out under your brand. A legal clause in a contract generated by AI that nobody with domain expertise checked. These incidents happen when teams adopt AI quickly and skip the "verify before acting" training.

What's Actually Different at Scale

The governance challenges change as the company grows:

At 10–15 people: You can rely on culture and proximity. If someone does something weird with an AI tool, you'll probably hear about it. The founder sets norms informally. Risk is real but contained.

At 25–50 people: You're past the point where informal norms scale. New hires have no institutional knowledge of what's acceptable. Different teams (eng, sales, support, ops) are using AI in completely different ways with no coordination. The first compliance incident or client question exposes the gap.

At 50+ people: The risk is systemic. Multiple teams, multiple tools, multiple use patterns, no documentation, no training records. If a compliance event occurs, there's no defense — you can't demonstrate what employees were trained on because there was no training.

The pattern is consistent: governance gets harder as the team grows, but investment in governance usually doesn't scale with headcount. The result is a gap that compounds over time.

What Governance Actually Requires

For tech companies, an adequate AI governance program doesn't require an enterprise compliance stack. It requires three things:

1. A clear AI use policy with specific guidance

Not a generic "don't share confidential data" memo — those don't change behavior. A policy that specifies:

- Which AI tools are approved for which use cases
- What data classifications can go into a prompt (public OK, internal OK with caveats, customer PII never, proprietary code never without review)
- How AI-generated outputs should be reviewed before shipping to customers or clients
- Who is responsible when AI-generated work has a problem

2. Role-specific training that covers the actual risks

Engineers have different AI risks than support staff. Customer-facing roles have different prompt hygiene requirements than internal ops. A generic "here's how AI works" session doesn't train anyone on their specific workflow risks.

Role-specific training covers the actual tools each role uses, the data each role handles, and the verification steps relevant to each role's outputs.

3. A training record that holds up under scrutiny

When an enterprise client asks for evidence of AI governance training, you need a real answer — not "we did a lunch and learn in January." You need names, roles, completion dates, assessment scores, and a verifiable record.

This matters for SOC 2, for client security reviews, for professional services agreements, and increasingly for cyber insurance underwriting.

The Onboarding Problem

One of the places the governance gap is most visible is new hire onboarding.

Most tech companies have solid onboarding for the technical stack: here's the codebase, here are the tools, here's how we deploy. The AI governance onboarding is usually absent or an afterthought — "there's a ChatGPT policy somewhere in Notion."

New hires bring their personal AI habits with them. Some of those habits are fine. Some involve tools that aren't approved, prompting patterns that expose data, or verification shortcuts that work in personal projects but not in a client-facing context.

Without an onboarding track that explicitly covers AI practices, every new hire is a new governance risk until someone happens to correct them.

OpenSkills AI solves this with role-specific onboarding paths. A new engineer gets a path that covers approved coding AI tools, code review requirements for AI-generated output, and data classification in the context of their specific role. A new support hire gets a path covering ticket triage with AI, customer data in prompts, and escalation criteria. Both complete an assessment. Both generate a training record. Both start Day 1 with a foundation instead of figuring it out through trial and error.

The Enterprise Client Forcing Function

For tech companies selling to compliance-sensitive buyers, the AI governance conversation is no longer optional.

Enterprise security reviews now ask:

- "Do you have an AI use policy?"
- "Are employees trained on AI data handling?"
- "Can you provide evidence of AI training for personnel who handle our data?"

These questions come from procurement teams, not technical reviewers. "We're working on it" delays deals. "Here's our program and training records" moves things forward.

For a company selling to financial institutions, healthcare organizations, or enterprise buyers in regulated industries, having a documented AI training program is a sales enablement asset. It answers the question before it becomes a procurement blocker.

What It Costs to Wait

The gap gets harder to close as the team grows. At 15 people, standing up a structured AI training program takes a day. At 40 people, it's a coordination effort across multiple teams. At 100 people, you're looking at a change management project.

The compliance exposure also compounds. Every month without training records is another month of provable gap. Every new hire without onboarding is another person operating on personal habits.

OpenSkills AI for a 15-person tech team runs $9.99/month. For a 25-person team, $29.99/month. The 14-day free trial gives every employee a role-based AI skill assessment and shows you exactly where the gaps are before you've spent anything.

If you're past 20 people and your AI governance program is still informal, this is the week to fix it.

Start your 14-day free trial →