Implementing AI Governance in 90 Days: A Concrete Plan
Most AI governance programs stall at the policy document. An executive sponsor commissions a working group. The working group produces a 40-page framework. The framework lands in Confluence. Six months later the engineering org is still generating code with the same AI tools under the same defaults, and the only thing that has changed is that there is now a document nobody reads.
This post is an implementing-AI-governance-in-90-days plan that avoids that failure mode. It is scoped narrowly: 90 days to take one pilot team from ungoverned to production-grade, not 90 days to roll out governance across thousands of developers. It is opinionated: it assumes your organization already uses Claude Code (or a comparable agentic coding tool), that you have an engineering sponsor at the VP or CTO level, and that you are willing to start with a pilot rather than a company-wide rollout. Under those conditions, the timeline is realistic.
This plan also sits alongside, not instead of, the compliance-side AI governance work your Chief AI Officer or Chief Compliance Officer may already own. For regulated industries, a compliance GRC platform that produces model inventories and regulator-facing documentation is non-optional. What follows is the engineering control surface: what makes the AI actually honor your standards at the keyboard. Both layers are legitimate. They solve different problems.
Why the usual approach fails
An AI governance implementation that begins with a policy document inverts the control surface that actually matters. Policy documents are read by humans at orientation. AI coding tools are read by agents at every session start. If your governance does not live in files the agent reads, it is not governance. It is documentation about governance.
The 90-day plan below reverses this. You will write no governance document in the first 30 days. You will instead take the standards your team already enforces informally and move them into files the agent reads at session start.
Days 1-30: Standards as code
Week 1: Baseline audit. Inventory what your pilot team already agrees on informally: banned libraries, preferred patterns, required test coverage, secret-handling rules, architectural constraints. Get these out of Slack, PR comments, and senior-engineer heads, and into a single document. Do not make it pretty. Make it complete.
Weeks 2-3: Translate to agent-readable files. Move the audit output into files that Claude Code reads at session start. This is the CLAUDE.md / agent definitions / skills layer. Do not try to be comprehensive. Start with the ten to fifteen highest-impact rules. If your team has an existing security guide, pull the top five items from it and put them in the agent context. Same for architecture, same for testing.
Week 4: Session-level hooks. Add basic in-session enforcement: a pre-commit secret scanner, a hook that blocks direct commits to main, a hook that requires a test file for any new endpoint. These are not new rules. They are the existing rules, enforced by the agent session instead of by senior-engineer vigilance.
Checkpoint at day 30: Your pilot team is running Claude Code with standards loaded and session-level hooks firing. You have not written a governance document. You have produced something better: governance that the AI itself enforces.
Days 31-60: Agent routing and secrets gating
Weeks 5-6: Classification and routing. Identify three to five domains where request type changes the handling required. Security-sensitive changes (authentication, authorization, crypto) should route to a security-reviewer agent. Infrastructure changes (IaC, cloud resources, deployment configs) should route to an infrastructure specialist. Data pipeline changes route to a data-engineering specialist. Build a routing layer that classifies incoming requests and dispatches to the right specialist automatically.
Weeks 7-8: Secrets gating. Stop loading .env files blindly into every Claude Code session. Build a session-scoped credential system: the session declares what it needs (“I am working on UI; I need no database credentials”), and the gating layer loads only what is declared. This is the single change that will do the most to close the AI-credential-leak risk surface.
Checkpoint at day 60: Your pilot team is working with automatic specialist routing, and secrets are gated by session type. The standards from day 30 are now enforced by the right specialist agent depending on what the developer is doing.
Days 61-90: Telemetry and rollout
Weeks 9-10: Durable audit telemetry. Every session, every agent dispatch, every tool execution, every generated artifact must be captured to a log your security and compliance teams can query. This is where “we deployed AI governance” becomes a claim you can defend to an auditor.
Weeks 11-12: Cross-team rollout. The pilot team’s configuration becomes the baseline. A second team adopts it, layering their specific standards on top without disturbing the baseline. This is where policy inheritance matters: if you built your day 1-60 work as a single flat file, the second team will break it; if you built it with inheritance, the second team layers on cleanly.
Checkpoint at day 90: One team in production with session-level governance, full audit telemetry, and a second team onboarding. You have not solved the enterprise-ai-rollout problem across thousands of developers. You have solved it for one team, produced a repeatable pattern, and built the telemetry to prove it works.
What you need before day 1
This plan assumes you have three things in place:
- Engineering sponsor at the VP/CTO level who will pay the coordination cost between the pilot team and the rest of the org during rollout.
- One pilot team willing to adopt friction in exchange for solving a problem they already feel. Pick a team that is already running Claude Code and already frustrated with
CLAUDE.mddrift. - An AI coding tool already deployed. This plan is for orgs that have adopted Claude Code and need to govern it. If you are still at the “should we adopt an AI coding tool” stage, governance is a day-90 problem, not a day-1 problem.
If any of these three is missing, the 90-day timeline slips. That is not a failure of the plan. It is a signal that the prerequisite work is the actual first step.
Where Enterprise Intelligence fits
Most of the layers in the plan above (standards-as-code, agent routing, secrets gating, session hooks, audit telemetry, policy inheritance) are what Enterprise Intelligence ships. Building the equivalent from scratch takes an engineering team most of a year. Deploying it on top of Claude Code takes most of a quarter.
If you are evaluating an AI governance implementation for 2026, the 30-minute 90-day roadmap review with the Encephalon team is the fastest way to assess fit. Bring your sponsor, your pilot team lead, and the two or three standards you most need the AI to honor. We will map them to the 90-day plan above and tell you honestly whether you need Enterprise Intelligence or whether CLAUDE.md plus hooks will cover your situation.
