AI model governance
Introduction
AI models used by the product need their own governance model. They sit close to customer workflows, user data, automatic processing and contractual promises, so they need stronger control than delivery agents used internally.
Knowledge scope
This is common CTO knowledge. It applies beyond the startup journey, but the public playbook places it where it usually becomes important for an early-stage company.
Why it matters
Customers may enter names, emails, case notes, commercial details, staff information or other personal data into product features. The model boundary becomes part of the product data boundary, not an experimental side channel.
How it fits the playbook
This reference supports the POC Started -> Pilot Ready stage of the startup CTO playbook. It gives the public context for the decision without exposing the deeper assessment method behind the agentic operating model.
Design considerations
- Know which product features use AI and what data is sent to each model.
- Understand inference location, data residency, retention and provider training terms.
- Keep UK or EU promises aligned with prompts, embeddings, files, responses and logs.
- Use redaction or routing controls where models should not receive raw personal data.
- Treat prompt history as evidence for validation and regulated processing where appropriate.
What good looks like
The product can explain where AI is used, what data is processed, where processing happens and how model outputs are reviewed, retained and validated.
How Brokenhouse helps
Turn this into a practical plan.
I help technology teams turn this guidance into decisions, implementation plans, governance evidence and production-ready operating models.
Next guidance
Related decisions to work through
Is the company ready?
The first few months of a software business are not just about building the product. They are about creating the conditions that allow the product to be built, deployed, governed and supported without the company tripping over its own foundations.
Can we start the POC?
Before starting the POC, there is a small amount of governance that should be put in place. This is not about slowing the team down or pretending to be an enterprise. It is about creating enough shape that the first few months do not become a mess of forgotten passwords, inconsistent names, unclear decisions and accidental access.
Are we ready for a Pilot?
Before moving from POC to Pilot, the company needs a data governance baseline. This is separate from technical governance. Technical governance asks who can deploy, who can access Azure and how the environment is built. Data governance asks what information the company collects, where it is stored, why it is allowed to hold it and how it protects it.