Institutionally, we have moved past the initial phase of AI novelty. The conversation is no longer about whether to adopt AI, but how to weave it into the fabric of the modern enterprise without unravelling the threads of governance and trust. As tools based on AI models become as ubiquitous as email, organisations face a critical pivot point. They can either treat AI policy as a defensive shield, i.e. a list of prohibitions designed to mitigate liability, or they can view it as "behavioural architecture" that guides the workforce toward smarter, safer innovation. The former creates blind spots; the latter builds capability.
The following perspective, authored by Wayne Tassie (Chair, IAB Europe Advertising & Media Committee) and informed by subject-matter expert Dimitris Beis (Data & Innovation Strategist, IAB Europe), argues that effective AI governance is not about restricting access, but about defining what "good" looks like in an era of automated judgement.
Disclaimer: The views expressed in this blog are the author’s own and are provided in their capacity as Chair. They do not represent the views of the author’s employer or any affiliated organisation.
Many contemporary organisations are rushing to incorporate AI applications to streamline operations, aiming to work cleaner, smarter, and faster. Yet, few have articulated a unified view of what a successful AI end-state actually looks like. Instead, we see a fragmented landscape across job functions and teams, with sentiment ranging from unbridled enthusiasm to deep scepticism.
From an organisational perspective, this fragmentation matters. Not because AI is "existential" or "transformative" - adjectives that often inflate the conversation - but because AI quietly alters how work gets done. When these tools begin to shape judgement, delegation, and accountability, treating them merely as productivity enhancements becomes a governance failure.
Organisational AI policy is no longer about whether employees should use AI tools. They already are, whether through mandate or individual preference. The real question is whether organisations intend to remain responsible for the outcomes as the boundaries between human judgement and AI-supported decision-making blur.
Guidance from the field: The IAB Europe Impact of AI on Digital Advertising Report(September 2025)confirms that usage is already pervasive, with 85% of respondents indicating their company uses AI-based tools for marketing purposes.
Crucially, the data reveals a heavy reliance on external vendors: respondents reported a split of roughly 60% third-party solutions vs. 40% proprietary tools. This dominance of third-party tools underscores why internal bans are often ineffective. If your policy doesn't account for the terms, data usage, and security of these third-party vendors, you are missing the majority of your actual risk surface.
A common misstep in early AI policies is framing these tools as neutral assistants. This leads to lightweight rules focused on access control, data security, and baseline compliance. While necessary, these controls are insufficient. They address surface-level risks while leaving deeper vulnerabilities untouched: the potential for misuse, over-reliance, and subtle exploitation.
AI tools do not simply accelerate tasks; they influence how individuals frame problems and navigate ambiguity. They often reward operational efficiency with "plausible fluency," creating an artificial sense of earned knowledge. Over time, this shapes organisational judgement itself. If we accept AI-assisted outputs without interrogating the reasoning behind them, accountability concentrates rather than dissolves. Delegating work to AI transfers decision logic to an algorithm, yet leaves humans answerable for the consequences. Viewed through the lens of governance, this is where serious AI policy begins.
Responding to uncertainty by banning third-party applications is often framed as prudence. In practice, it signals a trade-off between control and reality. The adoption curve of AI mirrors the social media cycle of the early 2000s; just as bans failed to stop social media usage, they are unlikely to prevent AI adoption in a world where it is culturally embedded.
Banning specific tools simply drives usage underground. Employees will continue to use preferred applications, but without shared standards, transparency, or the ability to collectively learn from errors. Critically, banning tools replaces judgement with prohibition, shifting the organisation away from responsible governance toward symbolic control. While this may feel safer, it ultimately erodes oversight.
AI is most often justified on efficiency grounds: faster retrieval, analysis, and execution. Far less attention is paid to the risk of "plausible fabrication", the propagation of inaccurate outputs that sound correct. In the race for efficiency, volume can easily displace quality.
AI makes it possible to sound informed and confident at scale, often without sufficient checks. When plausibility replaces validation, organisations incur significant reputational and strategic risk. Policies must therefore address overuse as much as misuse, encouraging open debate that challenges AI outputs.
Guidance from the field: According to IAB Europe’s AI Prompting Guide, checking organisational policies should be the first step before any AI-powered application is selected or deployed.
This isn't just bureaucratic box-ticking; it is about aligning with established partnerships and data-sharing rules early to avoid rework and issues such as the exposure of business-sensitive information.
Effective policy ensures that teams know which models are approved for specific types of work, preventing a situation where proprietary data is inadvertently exposed to a public model training set.
Many AI policies lean heavily on data protection and ethical principles. These are essential, but increasingly insufficient in a landscape where innovation outpaces policy cycles. Compliance frameworks are effective at preventing known harms but are less capable of managing emerging behaviours.
If the primary focus is merely mitigating data ingestion risks, the organisation misses the opportunity to reshape employee development. The ethical risk is not just limiting AI misuse; it is preventing the normalisation of AI dependency, which can lead to the gradual erosion of critical thinking and professional judgement.
Guidance from the field:
There is a disconnect between adoption and governance. While 85% of companies use these tools, the IAB Europe Impact of AI Report shows that only 43% have developed internal marketing-specific AI guidelines, and 18% operate with no formal AI governance at all. Furthermore, clarity from the top is often missing: only about one-third of respondents claim to receive buy-side guidelines on AI from their clients.
Effective AI policy should not read like a legal disclaimer; it should function as behavioural architecture. Good policy provides guidance rather than rigidity, allowing flexibility for individual preference while vigorously protecting proprietary data and decisioning integrity.
The irony is that strong AI policy requires human empathy. It must move beyond technical rules to focus on decision-making dynamics and capability building. When designed well, AI policy supports growth while mitigating risk through thoughtful governance rather than blunt enforcement. Organisations that fail to embed this narrative risk a negative trajectory. Not because they are careless, but because they neglect to build practices that strengthen, rather than hollow out, their workforce's capability.
Ultimately, AI policy is a signal to employees about what kind of thinking is valued. It should prepare the workforce for a future where AI expands individual bandwidth for learning rather than narrowing it.
AI is not a panacea for productivity issues. Without managerial guardrails, the efficiency it introduces can organically raise output expectations to unsustainable levels, risking burnout. Managerially, this requires sense-checking how AI is used and developing skills that guide healthy engagement with these tools. When supported by clear, regularly updated guardrails, AI policy reframes upskilling from enforcement to intent. It tells the workforce that judgement is taken seriously.
Guidance from the field:
Policy cannot succeed without training. The IAB Europe survey identifies "lack of internal expertise or training" as the single main barrier to AI adoption (cited by 45% of respondents), ranking even higher than integration difficulties or regulatory uncertainty. This suggests that policy must be paired with education. Simply telling employees what to do is insufficient if they lack the expertise to do it effectively. A policy that demands "human oversight" is meaningless if the human lacks the training to audit the machine.
The transition from "using AI" to "governing AI" is not a technical challenge; it is a leadership outcome. Organisations that succeed will be those that treat policy not as a set of brakes, but as a steering mechanism and managerial diagnostic signal. By moving beyond bans and anchoring leadership decision-making in behavioural intent, organisations will prevent AI from legitimising the erosion of human responsibility. The goal is not to automate the work we do today, but to define the standards of the work we will do tomorrow.
For more information on IAB Europe's AI work and how you can get involved, please contact our Data & Innovation Strategist, Dimitris Beis at beis [at] iabeurope.eu.
