The one-hour AI approval workshop your managers actually need
AI approval is now a management skill. Almost nobody has trained for it.
AI risk assessment for managers - a step-by-step workshop for non-technical teams
There’s a job that almost every mid-sized organisation has quietly handed to people who weren’t asked if they wanted it: AI gatekeeper. Someone has to say yes or no when a team member wants to start using an AI writing tool, or an AI scheduling assistant, or an AI that reads CVs. In most companies right now, that someone is a mid-level manager with no technical background, a full diary, and no training whatsoever for the decision they’re being asked to make.
I’ve started thinking about what a genuinely useful one-hour workshop for that person would look like. Not a compliance lecture. Not a slide deck about large language models. Something that would actually change how they make the next approval decision.
Here’s what I’d build.
The first fifteen minutes: the approval question most managers are answering wrong
Most managers, when asked to approve an AI tool, are thinking about the wrong thing. They’re asking “does this tool do what it says?” when the question they should be asking is “what does this tool touch?”
Start the workshop here. Give the manager a single sheet with four boxes: what data goes in, who sees the outputs, what decisions get influenced, and who could be harmed if it goes wrong.
That last one is where most approvals fall apart. A manager approves an AI scheduling tool and doesn’t think about what happens when it starts making inferences about which employees are “reliably available” versus “difficult to schedule.” The tool doesn’t make any explicit decisions. But if a manager later uses its outputs when thinking about who to put on a high-visibility project, the AI influenced something consequential without anyone noticing.
The exercise for this section: take one AI tool the team is already using and fill in those four boxes. Not a hypothetical. A real tool. You’ll find at least one box that nobody has thought about.
Minutes fifteen to thirty: two questions that change how you read a vendor’s pitch
AI vendors are good at explaining what their tool does. They’re considerably less forthcoming about two specific things, and managers approving tools need to know to ask for them.
The first is where the data goes after it leaves your system. When a team member pastes customer information into an AI writing tool, or uploads a document to an AI summariser, that data goes somewhere. It may go to a third-party model provider. It may be used to train future versions of the model. It may be retained for months. The vendor’s privacy policy almost certainly covers this, buried somewhere in section 14, and almost nobody reads it.
The workshop exercise here: take a vendor’s privacy policy (any vendor, any tool) and give the group five minutes to find the answers to three questions. Where does user-submitted data go? Can it be used for training? How long is it retained? If the group can’t find the answers in five minutes, that’s worth knowing before you approve the tool.
The second question managers need to start asking: what happens when it’s wrong? AI tools produce confident-sounding outputs that are sometimes factually incorrect, sometimes biased in ways that aren’t obvious, and occasionally just weird. The question isn’t whether the tool makes mistakes. They all do. The question is whether your team will catch those mistakes before acting on them. If the tool is being used to draft customer communications, there’s a review step. If it’s being used to summarise candidate CVs, is there a review step for that too, or does the manager just trust the summary?
Minutes thirty to forty-five: what “high-risk” actually means in practice
This section will feel like regulation. Keep it brief and specific.
For managers working in the EU, or for any company with EU customers or employees, the EU AI Act is now in force. For the manager in the room, one concept matters more than all the others: certain categories of AI use are classified as high-risk and require formal oversight, documentation, and human review of decisions. The categories that will come up most often for a typical mid-level manager are AI used in hiring or promotion decisions, AI used to assess or evaluate employees, and AI that makes recommendations about who should be flagged for performance review.
If any AI tool the team is using touches those categories, the approval process changes. It’s not just “does this tool work?” It’s “do we have documented oversight, a way to audit what the AI recommended, and a process for a human to review and override those recommendations?”
For managers in the UK, the Data (Use and Access) Act came into force in February 2026. Any automated decision with significant effects on a person now requires the organisation to tell that person the decision was automated, give them a route to request human review, and allow them to challenge the outcome. For most managerial teams, that means: if an AI tool is contributing to any decision that affects an employee’s role, pay, workload, or opportunities, there has to be a human review route.
The workshop exercise: the manager reviews two hypothetical approval requests, one clearly low-risk (an AI tool that drafts internal meeting notes) and one that sits in a grey area (an AI tool that scores customer support calls and flags agents for coaching). For the second one, what additional questions would you ask before approving?
The last fifteen minutes: a one-page approval checklist the manager can actually use
End with something the manager can take away and use tomorrow. Not a policy document. A single page with five questions:
1. What data does this tool process, and does that include personal data about employees or customers?
2. Where does that data go after it leaves our systems, and how long is it retained?
3. Does this tool influence any decision that affects a person’s role, pay, career, or access to something?
4. If the tool produces a wrong or biased output, will we catch it before acting on it?
5. Who in our organisation is responsible for reviewing this tool’s performance after it’s been approved?
If the manager can answer all five in writing before approving a tool, the approval is defensible. If they can’t answer one of them, that’s the thing to resolve before saying yes.
One thing I’d add if there were time
The scenario that most managers aren’t prepared for: a team member starts using an AI tool informally, without approval, because it makes their job easier. By the time the manager finds out, the tool has been in use for three months. Half the team is relying on it. And nobody has checked where three months of customer data or employee information went.
This isn’t a disciplinary problem. It’s a design problem. The approval process needs to be fast enough and light enough that people actually use it, or they’ll route around it. A five-question checklist that takes twenty minutes is more likely to get used than a twelve-page policy that takes a week to navigate.
The workshop ends with the manager drafting their version of that checklist. Not filling one in. Drafting one for their specific team, their specific tools, their specific risk profile. That’s the one they’ll actually use.
