The AI committee always arrives second

Every AI committee gets formed late. The tools arrive first, quietly: someone in finance drafts variance commentary with a chatbot, a sales rep rewrites cold outreach, an ops manager pastes a vendor contract into a free tool to summarize it. The committee shows up months afterwards to work out what all those people are already doing.

That sounds like an indictment. It isn’t. Late is the normal order of events, and a committee that knows it arrived second behaves differently from one that imagines it’s gatekeeping a future rollout. It writes rules for traffic already moving. The canal lock, not the starting gun.

I sit on one of these committees right now, at a manufacturer I advise. By the time it first met, dozens of employees were using AI tools daily. Nobody had broken a rule.

There were no rules.

Everyone is already using AI

The numbers on this are blunt. Professor Nicole Gillespie at Melbourne Business School led a global study with KPMG that surveyed 48,000 workers in 47 countries, published April 2025. It found 58% of employees deliberately use AI at work, a third of them weekly or daily, and 57% hide their use and present AI output as their own. Another 56% had used AI on the job without knowing whether it was allowed. Nearly half admitted uploading sensitive company information, financials, customer records, into public tools. The fieldwork ran from November 2024 to January 2025, so these numbers are recent and, my guess, conservative; adoption has only climbed since. And they’re global, 47 countries and every major sector, not a tech-industry quirk. This is what employees do when nobody has told them anything either way.

Read that last one again. Half.

So the committee that forms after those numbers exist isn’t deciding whether AI enters the company. Hundreds of individual employees made that decision already, one paste at a time. The committee is deciding whether the use stays hidden or comes into the open.

“AI is happening, widely, quietly, and well ahead of any governance structure. Employees are running customer data through consumer tools.” — Brandi Thomas, former chief audit executive, writing in Fortune

At the manufacturer I mentioned, the leadership sponsors said the quiet part out loud in the first meeting: we’re playing catch-up. I respect that opening more than any glossy AI strategy deck I’ve seen. Naming the real starting position changed what the committee built first. Not a vision statement. An inventory of what people were already doing, and a fast way to say yes to most of it.

What is an AI committee for?

Three jobs. Guardrails for the use you have today. Training that gets the next hundred users up to speed faster than the first hundred. And the least obvious one: a use-case pipeline everyone can see, so two departments don’t quietly build the same thing twice. Everything else a committee does is one of those three in disguise, or a meeting that should’ve been an email.

Call it an AI council, an AI governance committee, or a task force. The label matters less than the remit, and the remit has a formal backbone. An AI committee is a standing cross-functional group that owns how an organization adopts and controls artificial intelligence: it sets acceptable-use rules, approves tools and higher-risk use cases, coordinates training, and keeps a shared register of AI projects. ISO/IEC 42001, the first international AI management system standard, published December 2023, requires exactly this kind of structure: defined policies, roles, and oversight run on a plan-do-check-act cycle. The NIST AI Risk Management Framework calls it the GOVERN function and treats it as cross-cutting, woven through every other risk activity rather than bolted on at the end. The US federal government now mandates the pattern too: OMB memo M-25-21, issued April 3, 2025, gives every major agency 60 days to name a Chief AI Officer and 90 days to convene an AI governance board chaired at deputy-secretary level.

That’s the formal scaffolding. The day-to-day test is smaller: when someone wants to try something, do they know who to ask, and do they know how long the answer takes?

The pipeline job gets underrated. At the manufacturer, the use-case list is published internally on purpose. Partly to stop duplicate builds. Mostly because seeing what the warehouse team shipped makes the billing team wonder what else is possible. One deliberate omission: the committee doesn’t police ROI claims. Each function validates its own numbers, and the committee just makes them visible. A committee that audits every saving becomes a tollbooth, and tollbooths drive me up the wall.

Big-company data says the structure is now standard issue. A Sedgwick survey of 300 senior Fortune 500 leaders found 70% have AI risk committees at their companies, and 41% a dedicated AI governance team. Only 14% called themselves fully ready for AI deployment. Seventy percent have the committee; fourteen percent feel ready. Which is mad, until you notice what it means: committees are where readiness gets built, not proof that it exists. At board level the picture thins out fast. ISS data on 2024 proxy disclosures, written up on the Harvard governance forum, shows 31% of S&P 500 companies disclosing some board oversight of AI and just 11% disclosing it at committee level.

Does a 200-person company need all of this? No. It needs the three jobs done at whatever size fits. A committee can be five people and a shared document.

Big tent or small room

The committee I sit on has more than twenty members. Plant operations, IT, HR, finance, sales, marketing, customer service. My first reaction was a quiet horror, because the research on group size is old and settled. In one 2006 experiment on group problem-solving, Patrick Laughlin found that groups of three outperformed the best individuals, and groups of four or five added nothing further. Wharton’s Jennifer Mueller puts the motivation cliff at about five members, and her colleague Katherine Klein told the same interviewers that past eight or nine people a team stops being a team and splits into sub-teams.

I used to treat that research as the whole answer: keep AI committees tiny or don’t bother. Watching a big one work has me half-convinced I was wrong, and the half matters.

The big group was never there to decide. It’s a communication device. Each member carries decisions, training material, and dos-and-don’ts back to their own function, train-the-trainers style, and carries friction from the floor back in. Legitimacy flows the same way. A rule written by a five-person core lands on the shop floor as an edict; the same rule carried home by your own department head lands as “ours.” The tent also surfaces builders you’d never find from the center. The most convincing demo in one early meeting came from someone who insisted he wasn’t technical at all, which did more for adoption than any mandate could, because everyone watching thought the obvious next thought: if he can build that, so can I. No company-wide memo achieves that effect. Twenty messengers carrying it home do.

The deciding happens elsewhere. Inside the big tent sits a small room: a sponsor, a coordinator, an IT lead, an operating executive, plus whoever owns the topic that week. They prep agendas, frame options, and make calls between meetings. Two bodies, one committee. The tent communicates. The room decides.

This might sound counterintuitive, but the failure mode isn’t the big tent. It’s the muddle, a tent that believes it’s a room. Twenty people debating a tool approval is how nothing ships for a quarter. And if your small room exists but holds no budget or veto power, you have the opposite problem; I wrote about giving the committee teeth separately, because a steering committee without authority is decoration.

Build intake lanes, not approval gates

Most committees default to a single gate: every AI idea queues for review, however small. The gate fails twice. Builders wait weeks for permission to try something harmless, and the people who’d rather not wait go back underground.

The Melbourne study has a stat that should end the prohibition argument for good. Rule-breaking AI use was most common at organizations that banned generative AI outright, 67%, against 33% at organizations with no policy at all. Bans don’t reduce use. They reduce visibility. Shadow AI behaves like a supply problem, and an approval gate that acts like a slow ban produces the same shadows.

What works is lanes with clocks on them. The committee I sit on landed on three:

Your own work, your own access: no permission needed. Lane one covers anything someone does with files and systems they could already open yesterday, drafting and summarizing inside their normal job, and that single sentence dissolves most shadow-AI demand overnight, because most use is exactly this. Lane two: a change to a team process gets a committee answer in five business days. Lane three: anything touching sensitive data, customers, or more than one function escalates, with an answer promised in ten. Re-review only happens when scope changes materially. Notice what’s missing: a lane where the answer is a permanent no. Banned categories exist, but they get named in the charter, not discovered in a queue. Fair enough, the clock numbers are a bit arbitrary. The promise isn’t. A builder who knows the answer lands on Tuesday doesn’t go underground on Friday.

Will the lanes get gamed? A bit, sure. Someone will call a team-wide change “personal productivity” to skip the queue. That’s a coaching conversation, and it’s a far better problem than the keen builders giving up or hiding.

This is where it gets tricky: the rules themselves. The committee’s instinct is to write the policy manual up front, every scenario covered, before anyone touches anything. The working rule I push for instead: invest in the ten percent who build things, keep everything low-friction for the rest, and write a rule when something real snags. Not before. Rules written in advance protect against imagined risks; rules written from friction protect against observed ones, and there will be plenty of observed ones to choose from.

Meeting discipline follows the same logic. The early sessions at the manufacturer drifted into AI literacy seminars. Useful, sort of, but a committee meeting is a painful place to teach, with the screen-share fumbles and the ritual dead microphone eating the first five minutes of every call. The fix was clunky and it worked: one topic per meeting, pre-reading sent ahead, every agenda item phrased as a decision. Meetings shrank. Output didn’t.

When the committee should shrink

The committee I’m describing met weekly for its first couple of months, then stepped itself down to every other week. That direction of travel is the health check. An AI committee that can only grow, more members and more mandatory reviews every quarter, is measuring its own importance instead of its effect.

The more I look at governance bodies in general, the more I rate them by what they hand away. Watch for cadence stepping down. Watch for the no-permission lane expanding as patterns prove safe. The third sign is standards migrating into normal management, where a department head approves the routine cases and the committee only sees the ones with no precedent. I made the same argument about why a center of excellence should dissolve itself, and the committee version is no different. I’m skeptical of any committee still approving individual use cases in its third year. That’s not governance anymore. That’s scope creep with a charter.

Hold on, one thing needs unpacking before I close: the charter itself. Keep it to a page. The committees that work write down five things and stop. The mandate, in one sentence. Lanes, with their clocks. Escalation triggers, meaning the specific conditions that move a request from the five-day lane to the ten-day one, like customer data or anything spanning two functions. Names of the people in the small room. And a sunset review date, six or twelve months out, where the committee must argue for its own continued existence at the current size. One page, five entries. If a committee can’t state its own mandate that briefly, it doesn’t have one. A charter that needs its own table of contents is a sign the committee started writing before it started watching. Pages of policy nobody reads protect nobody.

One more pattern worth stealing. At the manufacturer, day-to-day ownership of AI delivery moved out of IT and over to an operating leader. No drama involved; IT kept the platform, security, and access control, and stayed in the room. Something I keep noticing across industries: IT is paid to see risk first, operators are paid to see throughput first, and a committee run from inside IT inherits IT’s queue along with its caution. My guess is more companies end up here than admit it out loud, with technology teams holding the guardrails while an operator holds the delivery list.

So start lighter than feels respectable. Take an inventory of current use, then open three lanes with clocks on them. Add a tent that communicates and a room that decides, backed by a lightweight governance setup you can draft in a week and revise from friction. The lock gates on a canal don’t stop the water; they let boats climb it in stages. Build for the traffic you already have. You’re late, and that’s fine, because so is everyone else who’s doing this properly.