caversham house

Home AI Training Tools Library Thoughts About Us Contact Us Schedule Call

Home AI Training Tools Library Thoughts About Us Contact Us Schedule Call

← Back to Tools

AI Core Guardrails

Six questions. A governance framework your steering committee can own and publish today.

Organisation name (appears on your policy document)

1. Which AI tools are approved for use?

Select all that apply.

Why only business/enterprise plans? Free and individual plans (Claude Pro, ChatGPT Plus, etc.) use your data to train their models by default. The plans below contractually exclude your data from training.

Claude — Team

Claude — Enterprise / Cowork Enterprise

ChatGPT — Business

ChatGPT — Enterprise

Gemini — Google Workspace (Standard or above)

Gemini — Google Workspace Enterprise Plus

Microsoft Copilot (M365)

GitHub Copilot (Enterprise)

None yet — we are defining our list now

Other

2. What data is classified as Restricted (Red)?

Red data must never enter external AI tools without explicit steering committee approval. Select all that apply.

Customer PII (names, contact details, identifiers)

Employee PII (HR records, payroll, performance data)

Financial records (unreleased figures, forecasts, M&A data)

Legally privileged information

Commercially sensitive IP (source code, roadmaps, pricing models)

Regulated data (GDPR, FCA, HIPAA, or equivalent)

Other

HAIL Framework Reference

Human Integration (H)

H1AI assists, human leads

H2AI produces, human reviews and approves

H3AI produces and quality-checks autonomously

AI Access (A)

A1AI isolated — no system access (copy-paste only)

A2AI can read company systems

A3AI can take actions in systems (write, send, update)

3. What is your default starting HAIL level?

Most organisations start at H1/A1 and graduate upward as they prove value.

H1/A1 — Human-led, AI contained AI assists you; you lead. AI has no access to company systems. Recommended default.

H2/A1 — AI-produced, human QC, no system access AI drafts; you review and approve. AI has no access to company systems.

Assess use cases individually We will define HAIL levels per use case rather than setting an organisation-wide default.

4. Who approves moving beyond your default level?

Set the minimum approver required for each risk tier.

One step up (H1/A2 or H2/A1)

Standard use case expansion — slightly more autonomy or system read access

Manager

IT Lead

Steering Committee

Steering Committee + CISO

Board/CEO

Two steps up (H2/A2 or H1/A3)

AI reads systems and produces output, or has write access with human oversight

Manager

IT Lead

Steering Committee

Steering Committee + CISO

Board/CEO

High risk (H3 any level, or H2/A3)

Autonomous AI operation or write access with minimal human oversight

Manager

IT Lead

Steering Committee

Steering Committee + CISO

Board/CEO

5. Which risks must be explicitly acknowledged?

These appear as named obligations in your policy. Most organisations select all three.

Hallucination AI outputs must be verified by a human before use in any decision or communication

Data leakage Restricted data must never enter unapproved AI tools under any circumstances

Prompt injection AI connected to company systems must undergo security review before deployment

6. How often will you review this policy?

The AI risk landscape changes constantly. Quarterly is strongly recommended.

Quarterly (recommended)

Every 6 months

Annually

Ad hoc / as needed

Your Core Guardrails

Live preview

Date created:

Next review: TBD

Owned by: AI Steering Committee

Approved Tools

Data Classification

🟢

Green (Public) — publicly available or non-sensitive information

🟡

Amber (Internal) — internal business information, not for external sharing

🔴

Red (Restricted) — sensitive data; Steering Committee approval required before any AI use

No restricted categories selected yet.

HAIL Position

Risk Acknowledgements

Review Cycle

Answer the questions on the left to build your policy preview.

The PDF includes additional sections: Prohibited Uses, IP Notice, Disclosure Obligations, and Next Steps guidance for HR and Legal.

© 2026 Caversham House. All rights reserved.

Schedule a Consultation