AI Risk, Policy & Governance: A Live Online Workshop for Leadership Teams.
Live Online Workshop
A structured, facilitated session that takes your leadership team from informal AI use to a written policy, scored risk register, and vendor vetting framework - in a single half-day. Built for the reality of how AI is actually being used in your business, not a theoretical compliance exercise.
What your team walks away with.
Most businesses using AI have no written policy, no documented risks, and no consistent process for evaluating new tools. This session produces all three - plus the staff-facing guidance to make the policy operational.
A written AI policy for your business
A documented policy covering acceptable use of AI tools across your organisation, data handling rules, client confidentiality obligations, output review requirements, and the process for approving new AI tools. Written during the session, reviewed as a group, and ready to distribute to staff.
An AI risk register
A structured register of every material AI risk identified during the session - scored by likelihood and impact, with a named owner and a mitigation action for each. Formatted as a working document your leadership team can review and update as your AI usage evolves.
A vendor vetting framework
A set of criteria and questions for evaluating any AI tool before your business adopts it. Covers data processing terms, storage location, model training on customer data, sub-processor disclosure, and contractual protections. Applicable to tools you're already using as well as new ones.
A staff AI usage guide
A plain-language document for employees covering what AI tools are approved, what data can and cannot be used with each tool, what outputs require human review before use, and how to report a concern. Distinct from the policy document - written for staff rather than leadership.
An EU AI Act readiness assessment
A summary of where your current and planned AI usage sits in relation to EU AI Act risk classifications - particularly relevant for businesses using AI in hiring, customer-facing decisions, or regulated activities. Not legal advice, but a structured view of where legal advice may be needed.
Who it's for.
The session is designed for leadership teams that have moved past 'should we use AI?' and are now managing the practical reality of AI already being in use across the business.
How the session runs.
The session moves sequentially through four phases - each one building on the last. It starts with what's actually happening in your business, not a generic risk framework.
Part 1
Risk identification
Working through your current and planned AI usage systematically, we identify every material risk across data, compliance, operations, and reputation. Nothing is left implicit.
Part 2
Policy drafting
Using a structured template refined across multiple sectors, your team drafts and reviews your AI policy live in the session. The facilitator challenges gaps and ambiguities as they arise.
Part 3
Vendor and tool review
We work through the AI tools your business currently uses and apply the vendor vetting framework to each one - surfacing any immediate concerns and agreeing next steps.
Part 4
EU AI Act and next steps
A focused review of where your AI usage intersects with emerging regulation, followed by a prioritised action plan the leadership team owns.
Sample agenda.
The session runs as a half-day. The agenda is adapted based on your sector and the pre-session questionnaire, but this is the standard structure.
AI usage mapping
30 mins
We open by building a complete map of every AI tool currently in use across your business - who uses it, what data it processes, what it produces, and whether it was formally approved or adopted informally. This is consistently the most revealing part of the session for leadership teams.
Risk identification and scoring
60 mins
Working through the AI usage map systematically, we identify every material risk under six categories: data and privacy, client confidentiality, regulatory compliance, output quality and liability, staff misuse, and reputational exposure. Each risk is scored by likelihood and impact, and an initial mitigation is agreed. The result is a draft risk register by the end of this block.
Break
15 mins
AI policy drafting
75 mins
Using a structured template, the team drafts the core sections of your AI policy live in the session: acceptable use, prohibited uses, data handling rules by tool category, client confidentiality obligations, output review requirements, and the approval process for new tools. The facilitator challenges gaps and ambiguities as the draft develops. The session ends with a substantially complete first draft.
Vendor vetting and tool review
40 mins
We apply the vendor vetting framework to each AI tool currently in use. This covers data processing agreements, storage location, model training on customer data, sub-processor transparency, and contractual protections. For tools where concerns are identified, we agree a specific next step - whether that's a vendor question, a contract amendment, or a usage restriction.
EU AI Act readiness and close
35 mins
A structured review of where your current and planned AI usage intersects with EU AI Act risk classifications. We identify any uses that may fall into prohibited, high-risk, or limited-risk categories and agree what further review is required. We close with a prioritised action list - the policy, risk register, and vendor review outcomes are summarised and sent within 48 hours.
What's included.
Every AI Risk, Policy & Governance session includes the following. Nothing is sold separately.
Pre-session AI usage questionnaire
Sent two weeks before the session. Each leadership team member lists every AI tool they're aware of in use across the business, the data it handles, and any known concerns. Used to build the AI usage map that opens the session.
Live facilitated policy drafting
The policy drafting session is run live by a Reformat Labs consultant with experience in AI governance across regulated and non-regulated sectors. The facilitator challenges gaps and ambiguities in real time rather than leaving them to be found later.
AI policy document (first draft)
A substantially complete first draft of your AI policy, produced during the session and delivered in an editable format within 48 hours. Ready for legal review if required, or for distribution to staff if your circumstances don't require external review.
AI risk register
A structured register of every material risk identified, scored by likelihood and impact, with owner and mitigation action. Delivered in a format that can be maintained and updated as your AI usage evolves.
Vendor vetting framework
A documented framework for evaluating AI tools before adoption, including a checklist of questions to ask vendors and a template for recording the outcomes. Applicable to tools already in use as well as future evaluations.
Staff AI usage guide
A plain-language document for employees, derived from the policy document but written for a non-leadership audience. Covers approved tools, data rules, review requirements, and how to raise a concern.
30-day follow-up call
A 45-minute call 30 days after the session to review progress on the action list, answer questions that have come up during policy implementation, and update the risk register with any new information.
Who you'll work with.
Governance sessions are run by Reformat Labs consultants with direct experience in AI risk and data protection across regulated sectors - not generic compliance trainers.
Lead facilitator
Runs the full session with experience across AI governance in financial services, healthcare, legal, and professional services. Understands how AI tools actually process data, what vendor agreements typically say and don't say, and where the real risks in SME AI adoption tend to sit. Selected based on your sector.
Documentation lead
A second consultant handles live documentation throughout - maintaining the risk register, capturing policy decisions as they're made, and recording the vendor review outcomes. The policy document and risk register are substantially complete by the end of the session rather than reconstructed from notes afterwards.
From recent leadership teams.
What leadership teams said after their AI governance session.
"We'd been using AI across the team for eight months and nobody had thought properly about the data implications. The session surfaced three tools where we had legitimate concerns we hadn't noticed. We stopped using two of them the same week."
Managing Director, 32-person financial advice firm
"A client asked us directly about our AI policy and we didn't have one. The session gave us a written policy we could share within 48 hours. It's also changed how we think about adopting new tools - the vendor vetting framework is now part of how we evaluate anything."
CEO, 24-person legal services business
"The EU AI Act section was genuinely useful. We use AI in our hiring process and nobody had flagged that as a potential high-risk category. We now have specific guidance on what review is required before we act on any AI-assisted hiring output."
Head of HR, 45-person professional services firm
"I expected the policy drafting to be slow and contentious. The structured template made it move much faster than I anticipated. We had a working first draft by lunchtime and only minor edits to make afterwards."
COO, 28-person healthcare administration company
Quotes are paraphrased from conversations with anonymised clients.
Request a quote.
Pricing is based on team size. All sessions are fixed price, agreed before any commitment is made. Use the form to request a quote and we'll respond within one business day.
FAQs.
Common questions before booking - answered plainly.
