support_agent Zone · The Advisory Clinic

AI Governance & Strategy

calendar_today Tuesday 2 June

schedule 40 minutes

groups Two facilitators

James Arnold

Digital Trends Analyst
Digital Tourism Think Tank

Fábio Caldeira

Digital Trends Analyst
Digital Tourism Think Tank

1 / 8

insights What you told us

Patterns across your submissions

A snapshot of the priorities surfaced in the pre-event Typeform, drawn from eight respondents. The Clinic will focus on the highest ranked themes.

PRIORITY 01

gavel

75%

Aligning AI strategy with goals

The top ranked priority, deciding what AI is for before writing any policy.

PRIORITY 02

shield

38%

Data privacy and compliance

Keeping AI use within data protection and regulatory limits.

PRIORITY 03

workspace_premium

13%

Accountability for AI outputs

A named person responsible for every AI-assisted output.

PRIORITY 04

transform

25%

Defining internal policies

Clear rules on approved tools, data handling and disclosure.

PRIORITY 05

balance

13%

Understanding the regulatory landscape

Tracking what the EU AI Act and adjacent rules ask of destinations.

PRIORITY 06

campaign

25%

Communicating AI strategy to leadership

Making the strategic case in terms leadership already cares about.

Personal AI maturity (3.1 / 5)

62%

Organisational AI maturity (2.1 / 5)

43%

Maturity gap between you and your organisation

20%

2 / 8

checklist AI Governance & Strategy

Easy steps to help you implement this

STEP 01

Decide what AI is for in your organisation before writing any policy. A governance framework without a strategic position becomes a list of restrictions.

STEP 02

Document which decisions stay with people. Draw those lines deliberately rather than discovering them after something goes wrong.

STEP 03

Write a one-page AI policy covering approved tools, output accountability, data handling and disclosure.

STEP 04

Use the EU AI Act enforcement deadline in August 2026 as a forcing function. Use it to get your position documented rather than treating it as a legal problem for later.

Tools worth knowing

Microsoft Copilot Admin Controls

Usage reporting and data handling settings built into Microsoft 365. The lowest-friction starting point for basic governance visibility.

ChatGPT Enterprise

Admin controls, conversation logging and data handling agreements that address shadow AI and compliance concerns directly.

OneTrust

Widely adopted compliance platform extended into AI governance and EU AI Act readiness. Most relevant if you are already using it for GDPR.

Credo AI

Purpose-built AI governance platform for mapping AI use to internal policies and generating compliance documentation. Enterprise-focused with enterprise pricing.

DTTT AI Transparency Framework

Built specifically for tourism organisations. The most directly applicable starting point for this room and requires no procurement.

3 / 8

01

Challenge One

Preventing shadow AI while keeping the door open

Shadow AI creates data and accountability risks that are hard to manage after the fact, while a punitive response only pushes useful adoption out of sight.

Diagnose

Why does this matter for your destination?

Diagnose

What have you tried so far?

Constraint

What is the biggest constraint holding you back?

Next move

What is the first step you can take this week?

→Easy first step. Make the path to approval simple enough that using an unofficial tool takes more effort than asking. Governance works when the compliant route is also the easiest one.

→Easy first step. Create a visible channel for staff to flag tools they want to use. Participation in the process reduces the incentive to go around it.

×What to avoid. Issuing policy before explaining the reasoning behind it. People follow rules they understand and quietly ignore ones that feel arbitrary.

×What to avoid. Treating shadow AI as a conduct issue before addressing it as an information gap. Most people use unofficial tools because nobody told them what to use instead.

4 / 8

02

Challenge Two

Making governance simple enough that people actually use it

Governance that lives only in documents changes nothing, so a simple model people actually consult beats a thorough one they ignore.

Diagnose

Why does this matter for your destination?

Diagnose

What have you tried so far?

Constraint

What is the biggest constraint holding you back?

Next move

What is the first step you can take this week?

→Easy first step. Design the framework around the decisions your team actually faces day to day. Scenarios from the work produce more useful frameworks than hypothetical ones.

→Easy first step. Test for simplicity before completeness. If a colleague cannot apply it on their own in under a minute, it needs to be simpler.

×What to avoid. Adding exceptions and qualifications until the simple model is no longer simple. Every caveat is a reason for someone not to use it.

×What to avoid. Designing governance without involving the people who will apply it. Frameworks built with the team get used. Frameworks handed to the team get filed.

5 / 8

03

Challenge Three

Aligning AI strategy with organisational goals before writing policy

Policy written before strategy reflects anxiety more than intent, so answering what AI is for first turns policy from restriction into confidence.

Diagnose

Why does this matter for your destination?

Diagnose

What have you tried so far?

Constraint

What is the biggest constraint holding you back?

Next move

What is the first step you can take this week?

→Easy first step. Anchor AI strategy to something your organisation is already accountable for. The connection to existing goals makes the leadership conversation easier to have.

→Easy first step. Frame AI strategy as a small number of clear decisions. What AI is for here and which decisions stay human will take you further than any strategy template.

×What to avoid. Starting with tools and working backwards to strategy. The strategy should decide which tools are worth adopting.

×What to avoid. Writing an AI strategy that sits alongside the organisational strategy instead of inside it. AI runs through the work that already exists.

6 / 8

04

Challenge Four

Establishing accountability for AI-generated outputs without slowing teams down

Unowned outputs carry reputational and accuracy risk that a named owner with a clear standard is usually enough to manage.

Diagnose

Why does this matter for your destination?

Diagnose

What have you tried so far?

Constraint

What is the biggest constraint holding you back?

Next move

What is the first step you can take this week?

→Easy first step. Attach accountability to roles where possible. When someone leaves, the responsibility stays with the role.

→Easy first step. Build the review step into the workflow instead of adding it as a separate gate. A brief check that is part of how work is done is more sustainable than an approval process bolted on top.

×What to avoid. Creating a review layer so heavy that teams route around it to stay productive. Light and consistent beats thorough and ignored.

×What to avoid. Applying the same level of scrutiny to every AI output regardless of stakes. A social post and a press release need different oversight. Calibrate the accountability to the risk.

7 / 8

waving_hand Carry the conversation forward

Take this back to your team

Download your notes and the recommendations from the session. If you want to keep working through these questions with us, start a thread or explore the Advisory Membership.

open_in_new Explore Advisory Membership

8 / 8