Almost every conversation a comms team has about AI right now is about output. Which model writes the best first draft. Whether the tone is on brand. How much of the newsletter it can produce before lunch. Those are real questions, and they have mostly been answered: the tools generate fluent, plausible copy at speed, and they will keep getting better at it.
That is exactly why generation is no longer the interesting problem. The leadership question is the opposite one. Not what can it produce, but how do you govern what it produces. In the work that crosses our desk we keep seeing the same pattern: confident copy that turned out to be wrong, a quote that was never said, a number that traced back to nothing. These are not the dramatic cases that make the press. They are the quiet near-misses caught one reviewer before publication, or caught just after. The public version of the same failure is now easy to point to. In October 2025 Deloitte Australia had to refund part of a government report after it shipped with fabricated citations and a court quote that was never spoken (The Register). None of these are generation failures. The tool did its job. They are governance failures. Nobody had decided, in advance, what was allowed to go out and who was accountable when it did.
If you lead communications for a fintech, a financial services brand or an NGO, this is your problem to own before it becomes your problem to explain.
Generation is the easy part
The reason the output debate feels so urgent is straightforward. It is visible. You can see a draft, judge it, argue about the tone, feel productive. Governance is invisible until something goes wrong, and then it is the only thing anyone cares about.
The asymmetry is the whole point. A good prompt library saves your team a few hours a week. A missing review line costs you a correction, a regulator’s attention, or a supporter who stops trusting you, and you only find out after it has happened. The upside of better generation is incremental. The downside of absent governance is not.
This lands hardest in regulated markets. A consumer brand that ships a slightly off AI-written caption has a bad day. A financial services firm that publishes an AI-confident claim about a product, a return, or a protection it does not actually offer has a compliance event. The tool does not know the difference. Your governance has to.
It does not take a regulator to make the stakes real. A stretched NGO comms team runs on trust rather than compliance, and the failure mode is shaped to match. Picture the one senior reviewer away for a week, a supporter appeal going out on schedule and a beneficiary quote that the model has quietly smoothed into something the person never quite said. There is no fine. There is something harder to win back: a donor who reads it, recognises it as off, and concludes the charity is less careful with the truth than they had assumed. The asset that just took the hit is the only one an NGO has.
What the policy actually needs to contain
Most AI policies I see are style guides wearing a policy’s clothes. They tell people how to prompt, which model to prefer, how to coax a better tone. That is useful internal craft, but it is not governance, and calling it a policy gives everyone false comfort that the risk has been handled.
A real policy answers three questions, in plain words.
The first is disclosure. Decide where AI involvement has to be declared and where it does not, and write it down so nobody has to guess in the moment. Internally drafted, human-edited copy is one thing. A published research piece, a quote attributed to a named person, or an image presented as real is another. The rule does not need to be elaborate. It needs to exist before the awkward case arrives, not be invented under pressure once it has.
The second is the human review line, and this is the load-bearing one. There must be a point in the workflow where a named person reads the thing and signs it off, and that step cannot be skipped because the deadline is tight or the volume is high. The failures I see almost all share one feature: the review step existed in theory and was bypassed in practice. The version I run into most often is a Friday-afternoon publish, the usual reviewer already gone, and a piece going out on the unspoken assumption that the model would not have got anything important wrong. A review line that bends under deadline pressure is not a review line, it is a formality.
The third is a short, explicit list of things that never go near a model. Keep it short on purpose, because a list of forty items gets ignored and a list of five gets remembered. The exact contents depend on your business, but the kinds of things that belong on it are clear enough to name now.
- Anything that asserts a regulated fact about a product, a return, a fee or a protection, where a confident wrong answer is a compliance problem rather than an embarrassment.
- Material that depends on a named source or a real quotation, where the model’s tendency to invent a plausible citation is most dangerous.
- Confidential or unpublished information, client data, or anything you would not want training a third party’s system.
- Final sign-off itself: the model can draft, but it does not get to be the last reader before something goes out.
That list is the spine of the whole policy. Everything else is preference. These four lines are where a model’s failure mode and your accountability collide, so these are the places you draw a hard boundary rather than a soft guideline.
The accountability does not move
There is a comfortable idea floating around that AI use spreads responsibility, that if the tool wrote it then the mistake is partly the tool’s. This is not how it works, and not how anyone outside your building sees it.
When an AI-assisted claim is wrong, your organisation made the claim. A regulator does not accept “the model said so”. A supporter who feels misled does not soften because the misleading sentence was generated rather than typed. The byline, the brand and the consequence stay exactly where they were. The tool changed how the work gets made. It changed nothing about who answers for it.
Better generation is a productivity gain you can capture whenever you like. Clear governance is the thing that decides whether that productivity gain ever turns into a credibility loss you cannot take back.
Set the guardrails before the tools set them for you
The honest counterargument is that this is friction, and friction is the thing AI was supposed to remove. Fair. But the friction of a disclosure rule and a review line is small, predictable and one-time. The friction of a public correction, a regulatory query or a rebuilt reputation is large, unpredictable and yours to carry for a long time afterwards. You are choosing which friction to accept, not whether to have any.
The teams that come through the next couple of years with their credibility intact will not be the ones with the best prompts. They will be the ones who decided, early and in writing, what they would never let a model do unsupervised. The tools are not going to draw that line for you. Left alone, their defaults will draw it for you, in the direction of more output and less scrutiny, which is precisely the wrong direction for anyone whose currency is being believed.
Most teams have the generation question well in hand. Few have written the governance down. That gap is where the next year’s avoidable failures are sitting right now.
This is the kind of decision we help communications leaders get right at A&C, often as part of a Fractional Communications Director engagement: senior counsel on what to publish, what to disclose and where the human line has to hold. If you are putting AI into your communications and want the governance settled before the output scales, let’s have a conversation.