AI Governance Playbook
Open search
Business functions

Where each department can use AI.

Use this view to align business units with enterprise AI policy. The pattern remains the same: green for low-risk productivity, amber for private-tenant usage with controls, red for anything that contains sensitive client data.

Wealth Management

AI is valuable for advisor productivity, but client data must stay in controlled environments.

Allowed

  • Portfolio reporting templates
  • Market commentary drafts

Controlled

  • Client briefing prep in private tenant

Prohibited

  • Client holdings or identities in public AI

Example

Create a quarterly market commentary using only public data and firm-approved insights.

Audit & Assurance

Audit evidence is highly sensitive. AI can assist with templates and guidance but never ingest client data.

Allowed

  • Workpaper templates
  • Control testing checklists

Controlled

  • Evidence summaries with redaction

Prohibited

  • Trial balances or payroll data in public AI

Example

Draft a control testing checklist based on the firm's audit methodology.

Tax

Tax guidance can be summarized safely, but returns and identifiers must remain protected.

Allowed

  • Tax memo outlines
  • Regulation summaries

Controlled

  • Private AI over internal tax guidance

Prohibited

  • Client returns or identifiers in open chat

Example

Summarize new VAT requirements using public legislation and internal guidance.

Corporate Finance / Deals

AI can streamline deal workflows, but transaction data is a red-zone asset.

Allowed

  • Deal process checklists
  • Diligence templates

Controlled

  • Private AI over approved deal docs

Prohibited

  • Non-public transaction data in public AI

Example

Generate a diligence checklist based on the firm's standard M&A framework.

Advisory / Consulting

Use AI for structure and scaffolding, not for client strategy content.

Allowed

  • Proposal templates
  • Workshop agendas

Controlled

  • Client deliverables with redaction

Prohibited

  • Client strategy decks in public AI

Example

Draft a workshop agenda using standard engagement patterns.

Risk & Compliance

Compliance teams can use AI to map controls, but submissions require tight oversight.

Allowed

  • Policy drafts
  • Control mapping

Controlled

  • Regulatory analysis in private tenant

Prohibited

  • Regulator submissions in public AI

Example

Map internal controls to a regulatory checklist using approved policy language.

Technology / Engineering

Engineering benefits from AI drafting and tests but must avoid secrets or production configs.

Allowed

  • Code scaffolding
  • Test generation with synthetic data

Controlled

  • Private AI for internal repos

Prohibited

  • Secrets or configs in public AI

Example

Generate unit tests using synthetic fixtures for a payment service.

Family Office

Family offices handle ultra-sensitive data. Use AI only in controlled tenants.

Allowed

  • Operations checklists
  • Investment memo templates

Controlled

  • Private AI for consolidated reporting

Prohibited

  • Client identity, holdings, or cash flows in public AI

Example

Prepare an investment memo template using placeholder allocations.

Private Client Services

AI can improve service consistency but must not process onboarding documents.

Allowed

  • Service playbooks
  • Onboarding checklists

Controlled

  • Private AI for approved materials

Prohibited

  • Client onboarding files in open chat

Example

Draft an onboarding checklist based on internal service standards.

HR & Talent

Use AI for templates and guides, but protect employee records and reviews.

Allowed

  • Job descriptions
  • Interview guides

Controlled

  • Performance summaries in private tenant

Prohibited

  • Employee records in public AI

Example

Create an interview guide aligned to role competencies.

Legal

Legal teams can accelerate drafting but must keep client documents within controlled systems.

Allowed

  • Clause libraries
  • Contract checklists

Controlled

  • Private AI for approved contracts

Prohibited

  • Client legal files in public AI

Example

Generate a clause checklist for a standard services agreement.

Vendor Assessment

AI helps benchmark vendors, but confidential vendor data must remain protected.

Allowed

  • Questionnaire drafts
  • Control comparison tables

Controlled

  • Private AI for vendor docs

Prohibited

  • Vendor confidential data in public AI

Example

Draft a vendor risk questionnaire aligned with SOC 2 controls.

Business line users

Examples of how common roles use AI safely with approved inputs and controlled outputs.

Audit Partner

Uses AI to draft engagement letters and audit plans with firm templates. Reviews outputs and signs off before client delivery.

Tax Director

Summarizes new regulations and prepares memo outlines using public guidance, never client returns.

Wealth Advisor

Builds market commentary drafts from public data and internal research, then edits for client suitability.

Risk Officer

Maps controls to regulatory requirements and maintains the AI use-case registry.

Deal Manager

Generates diligence checklists and process plans without uploading deal data to public tools.

Engineering Lead

Uses AI for code scaffolding and tests, then reviews for auth, logging, and data handling compliance.