OKODISeven questions to ask before approving an AI initiative
Approval meetings for AI initiatives tend to go one of two ways. Either they become a technical interrogation that defeats the proposer and stalls the project, or a friendly nod-through that creates a future audit problem. Neither is governance.
These seven questions cut through both. They are the questions Targe asks of every new initiative on a company's behalf — and the questions any CIO, head of risk or compliance owner can put to a proposing team in under fifteen minutes.
1. What decision or output does this affect?
An AI initiative is only as serious as the thing it changes. A model that drafts emails for an analyst to send is different from a model that approves credit lines. Force the team to name the artefact — the email, the report, the score, the recommendation — and who relies on it. Vague answers here predict vague accountability later.
2. Which data does it see, and where does that data live afterwards?
Ask for specifics, not categories. "Customer data" is a thirteen-letter way of saying "we have not thought about this." You want field-level answers: names, account numbers, transaction histories, internal pricing. And you want to know if the model provider retains it, trains on it, or simply processes it in flight.
3. Which model, and from whom?
Not the brand — the actual model and version, and the contract under which it runs. "We use ChatGPT" covers free, team, and enterprise plans with very different data terms. The same applies to every other provider. The answer should be a vendor, a model identifier, and a tier.
4. What can the model do, beyond generating text?
Modern assistants can browse the web, run code, call your APIs, save memory across sessions and use third-party tools. Each of those is a separate risk surface. Approving "an assistant" without listing its capabilities is approving an unknown. List them, and re-list them every time the tool updates.
5. Who reviews the output before it lands?
Most safe deployments have a human in the loop — at least for the first few months. The question is not "is there review?" but "who, with what authority, against what checklist?" "The user reviews it themselves" is rarely a real answer when the user is rewarded for speed.
6. How will we know if it goes wrong?
Three sub-questions: what is the signal (drop in quality, complaint, error rate), where does it surface (dashboard, ticket, log) and who owns the response? An initiative without a named owner for failures is an initiative whose failures will be everyone's and therefore no one's.
7. When do we revisit this approval?
An AI approval should never be permanent. Models change weekly, capabilities monthly, vendors quarterly. Set an explicit review date — ninety days is a sensible default — and a trigger that forces a re-review when the tool gains new abilities or when the data scope expands. If your governance tool cannot remind you, the date will slip.
A note on the eighth question
If you only ask one of these, ask the second. The data question reveals everything else: a team that has a precise answer to what data, where, and afterward has usually thought about the rest. A team that hedges on the data question is not ready to be approved — and that is a kindness, not a rejection. It is much better to find out in a meeting than in a regulator's report.
Targe asks all seven on your behalf, against your own policy. Book a walkthrough and we will show you how.