Most governance frameworks fail because they're too complex to follow.

21-page policy documents. Multi-stage approval processes. Enterprise platforms requiring 3-day training.

Your team ignores them. Uses AI anyway. Just doesn't tell you.

The Three Simple Rules framework works because it's actually simple:

  1. Data Traffic Light

  2. Human Wrapper

  3. Prompt Dividend

That's it. Three rules. Sustainable compliance. Commercial advantage.

Rule 1: Data Traffic Light

Classify data into three categories before AI touches it:

🔴 RED = Never in any AI

- Client confidential information

- Personally identifiable information (PII)

- Financial data

- Competitive strategy

- Anything under NDA

🟡 AMBER = Enterprise tools only

- Brand briefs

- Draft content

- Anonymised research

- Internal planning

- Anything requiring documentation

🟢 GREEN = Any approved tool

- Public information

- General ideation

- Research summaries

- Skill development

- Anything already published

How to implement this week:

Print the Traffic Light poster. Put it on every desk. Train the team in 10 minutes.

"Before you paste anything into AI, ask: Red, Amber, or Green?"

That's the entire training. One question. Three options. Clear guardrails.

Why this works:

Simple decision tree: Team doesn't need to understand GDPR. Just needs to classify data.

Catches 60% of exposure: Most Shadow AI breaches happen when RED data goes into consumer tools.

Enables safe innovation: GREEN and AMBER usage continues. Innovation doesn't stop.

Audit-ready: You can now answer "What data goes where?" under pressure.

Rule 2: Human Wrapper

AI generates. Humans verify. Always.

Every AI output requires documented human review before client delivery.

Layer 1: Creator Self-Review
Person who used AI checks: accuracy, tone, appropriateness, brand alignment.

Layer 2: Creative Lead Approval
Senior reviewer checks: strategic fit, quality standard, client expectations.

Layer 3: Account Director Sign-Off
Client-facing leader confirms: ready for delivery, meets brief, protects relationship.

How to implement this week:

Add an "AI Review" step to your project management system.

Tag outputs: "AI-assisted" vs "Human-only"

Document reviewers: Who checked what?

That's governance. Not preventing AI use. Making it accountable.

Why this works:

Quality protection: Catches AI hallucinations before client delivery

Liability management: You can prove human oversight when questioned

Team development: Reviewers learn AI limitations through repeated exposure

Client confidence: You can answer "Who verified this?" under pressure

Rule 3: Prompt Dividend

Your effective prompts are intellectual property.

Capture them. Share them. Protect margins.

Document the prompts that work
Screenshot them, store them, categorize them

Track time saved
Record: task without AI = X hours, with AI = Y hours, savings = Z hours

Share across team
Build Prompt Library, reduce duplicate discovery, compound effectiveness

Prove value to clients
Show: "Our AI expertise saved you 40 hours on this project"

How to implement this week:

Create a shared document: "Effective Prompts Library"

When someone creates excellent AI output, capture: the prompt, the context, the result, the time saved.

Tag by use case: Brand voice, Research summary, Creative brief, Strategy synthesis.

That's your IP. That's your competitive advantage. That's what separates "agency with AI" from "client with ChatGPT."

How The Three Rules Work Together

Data Traffic Light = What data can go where
Human Wrapper = Who reviews what
Prompt Dividend = How you capture value

Together they create:

Visibility: You know what AI usage happens
Accountability: You know who's responsible
Defensibility: You can explain it under pressure
Commercial advantage: You protect margins and win contracts

Not bureaucracy. Infrastructure.

Not slowing down. Building sustainably.

Not preventing innovation. Enabling it profitably.

Implementation Timeline

Week 1: Implement Data Traffic Light
Week 2: Add Human Wrapper
Week 3: Build Prompt Dividend
Week 4: Full governance operational

Four weeks. Three rules. Complete Shadow AI governance.
