AI is now embedded in day-to-day delivery work: drafting requirements, summarising workshops, generating test cases, analysing logs, accelerating reporting. The value is real — and so are the risks.
The PMO problem in 2026 is not choosing whether to use AI. It's setting guardrails that keep delivery moving while protecting your organisation (and your projects) from avoidable compliance, quality, and reputational failures.
This article gives you a lightweight governance model you can adopt without creating a new bureaucracy.
The delivery risks PMOs are now accountable for
Whether you call it “governance”, “assurance”, or “controls”, stakeholders increasingly expect the PMO to have answers to questions like:
- What AI is being used in the project (tools, features, vendors, internal models)?
- What data touches AI (personal data, client data, source code, contract terms, pricing)?
- What decisions AI influences (prioritisation, eligibility, hiring, risk scoring, fraud detection)?
- How outputs are checked (hallucinations, bias, security flaws, unsafe suggestions)?
- How we comply with the evolving regulatory and audit landscape.
Previously, project governance focused on scope / schedule / budget. With AI in the workflow, governance must also cover data, accountability, and decision traceability — even for “small” use cases like report automation.
A simple 4-layer guardrail model (use it as a PMO standard)
Layer 1: Use-case registration (make AI visible)
You cannot govern what you cannot see. Start with a one-page register entry for each AI use case in the project.
Minimum fields for an “AI Use Case Card”
- Use case name (e.g., “Generate test cases from user stories”)
- Owner (role + name)
- Tool/model (vendor + feature; or internal model)
- Data inputs (types; include whether personal data or client confidential data is included)
- Outputs (what will be produced and where it is stored)
- Decision impact (does it influence approvals, eligibility, scoring, prioritisation?)
- Human check (who reviews; what “good” looks like; when sign-off happens)
Layer 2: Risk triage (route the work, don’t debate it)
Most governance slows down because every AI discussion becomes a philosophical debate. Replace debate with a routing rule.
Use a 3-bucket triage that a PMO can run in 10 minutes:
- Green (productivity only): summarisation, drafting, brainstorming, formatting — no personal data, no automated decisions.
- Amber (sensitive inputs or external release): personal data, client confidential data, source code, or outputs that will be published / sent to customers.
- Red (decisioning / regulated): AI that influences decisions about people, access, eligibility, compliance, or safety-critical outcomes. Escalate to legal/compliance and security early.
For EU-based organisations, keep your triage aligned with the EU AI Act’s risk-based approach: some uses are prohibited, some are “high-risk”, and many are lower-risk but still require good controls. You do not need the PMO to be legal experts — you need the PMO to flag and route.
Layer 3: Controls that match the risk (quality + compliance)
Once routed, apply a short set of controls. Start small and scale.
Controls that work in delivery (practical, not theoretical)
- Data handling rule: define what cannot be pasted into external tools (contracts, personal data, secrets, credentials).
- Human-in-the-loop: require review for any external-facing output (customer emails, public docs, policy text, code merged to main).
- Evidence capture: save prompts/outputs when they support requirements, acceptance criteria, or compliance claims.
- Model limitations note: add a standard statement to project docs: “AI-assisted content was reviewed and validated by…”
- Red-team prompts (lightweight): for Amber/Red, run a short misuse test (PII leakage, unsafe advice, bias, prompt injection on internal docs).
- Rollback plan: if AI output quality degrades or the vendor changes behaviour, how do you continue delivery?
Layer 4: Decision traceability (make assurance easy)
Audits and steering committees don’t like “trust us”. They like traceable decisions.
For every Amber/Red use case, keep a simple decision log:
- What was approved (scope boundary)
- What was not approved (explicit exclusions)
- What evidence exists (tests, reviews, sign-offs)
- Who is accountable (single named owner)
- When it will be reviewed (e.g., each release, quarterly, or at phase gate)
What to ask in governance forums (steerco / design authority / stage gates)
These questions reliably surface the issues that later become incidents.
- Which project deliverables are AI-assisted, and who validates them?
- What data is used with AI tools, and what data is explicitly banned?
- Does the AI influence any decisions about people, access, eligibility, or compliance?
- What is our evidence that outputs are accurate and safe enough for the intended audience?
- If we had to switch the AI feature off tomorrow, what breaks and what is our workaround?
A 30-day rollout plan for PMOs
If you want momentum without drama, implement in four weekly sprints:
- Week 1: publish the AI Use Case Card template; pilot it on 2–3 active projects.
- Week 2: introduce triage (Green/Amber/Red) and a clear escalation path (security + legal + data protection).
- Week 3: standardise controls (data handling, human review, evidence capture) and add them to your project start checklist.
- Week 4: run a retrospective with PMs, adjust, then bake it into governance rhythms (stage gates / steerco pack).
The goal is not perfect governance. The goal is predictable delivery — with fewer surprises when a client asks “how did you produce this?” or an auditor asks “what evidence do you have?”
Need a lightweight AI governance pack?
PM Squared can help you set up a practical AI use-case register, triage approach, and stage-gate questions that work in real delivery environments.
Get in touch