{"id":146677,"date":"2026-07-14T11:24:26","date_gmt":"2026-07-14T11:24:26","guid":{"rendered":"https:\/\/sii.pl\/?p=146677"},"modified":"2026-07-14T11:24:30","modified_gmt":"2026-07-14T11:24:30","slug":"how-to-scale-ai-safely-in-enterprise-projects-siis-approach-to-ai-governance","status":"publish","type":"post","link":"https:\/\/sii.pl\/en\/news-feed\/how-to-scale-ai-safely-in-enterprise-projects-siis-approach-to-ai-governance\/","title":{"rendered":"How to scale AI safely in enterprise projects? Sii&#8217;s approach to AI Governance"},"content":{"rendered":"<div class=\"wp-block-sii-nsw-container container container-279248a8-c293-4ebb-96f2-125652c27f7e\"><style type=\"text\/css\">.container-279248a8-c293-4ebb-96f2-125652c27f7e {  }\n                         @media screen and (max-width: 991px) { .container-279248a8-c293-4ebb-96f2-125652c27f7e {  } }<\/style><p><\/p>\n\n<p><strong>AI can accelerate software development, but without the right guardrails, it can scale risk just as rapidly. Discover why AI-prospecting&nbsp;organizations&nbsp;in enterprise projects need more than&nbsp;AI&nbsp;tools &#8211; they need&nbsp;governance.<\/strong>&nbsp;<\/p>\n\n<p>In the&nbsp;previous&nbsp;articles in this series, we explained why&nbsp;Sii&nbsp;is developing the AI-Native Delivery Framework and how an AI-native SDLC can help organizations move beyond localized productivity gains for individual engineers toward a more measurable, predictable, and scalable software delivery model.&nbsp;<\/p>\n\n<p>The third pillar of this transformation concerns an area without which AI cannot be scaled responsibly in client projects:&nbsp;<strong>governance and security.<\/strong><strong><\/strong>&nbsp;<\/p>\n\n<p>Access to AI tools is only the beginning. In enterprise environments, the real questions come next: who can use AI, in which project, with what data and permissions, subject to which quality gates, and at what points a human decision is&nbsp;required.&nbsp;<\/p>\n\n<p>For clients, this means one thing: a technology partner cannot simply claim that it&nbsp;\u2018uses&nbsp;AI.\u2019&nbsp;It must&nbsp;demonstrate&nbsp;that it can do so in a controlled, auditable way that reflects the realities of project delivery.&nbsp;<\/p>\n\n<p>This is why&nbsp;Sii&nbsp;treats AI governance not as an administrative layer added alongside software delivery, but as one of the foundations of AI-native delivery.&nbsp;<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Why governance is a business issue, not just a technical one\u00a0<\/strong><\/h2>\n\n<p>AI can accelerate documentation analysis, development, testing, code reviews, system maintenance, and modernization. It can reduce the time&nbsp;required&nbsp;to build context, support teams during service transitions, and help generate tests, analyze logs, or prepare documentation.&nbsp;<\/p>\n\n<p>But AI can also introduce new risks.&nbsp;<\/p>\n\n<p>Uncontrolled tool use, sending inappropriate data to a model, using client code in an unapproved environment, granting an agent excessive permissions, lacking an audit trail, or automatically executing a change without proper review &#8211; these are not abstract concerns. They are real sources of risk for companies&nbsp;seeking&nbsp;to scale AI across IT services.&nbsp;<\/p>\n\n<p>In many organizations, the first wave of AI adoption starts from the bottom up: individual engineers, teams, or projects test tools and pursue productivity gains. This is a natural stage. The challenge&nbsp;emerges&nbsp;when local experiments are expected to become a repeatable software delivery model for clients.&nbsp;<\/p>\n\n<p>Without a sound governance strategy, an organization cannot be confident that AI is being used safely, and the client lacks visibility into how its data, code, documentation, and intellectual property are protected. Without governance, it is difficult to move from isolated improvements to a model that can scale across teams, technologies, and industries.&nbsp;<\/p>\n\n<blockquote class=\"wp-block-quote is-style-nsw-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>Do not begin an AI SDLC transformation without a well-defined AI governance strategy. Access to AI tools can increase productivity locally, but without project-level rules, quality gates, human gates, and controlled agent use, organizations cannot build a secure delivery model for clients.<\/em>\u00a0<\/p>\n\n<p><em>This is why\u00a0Sii\u00a0combines software engineering modernization with an AI governance strategy from the outset, says <\/em><strong><em>Marcin Laksander, AI Transformation Lead at\u00a0Sii\u00a0Poland.<\/em>\u00a0<\/strong><\/p><\/blockquote>\n\n<h2 class=\"wp-block-heading\"><strong>Sii&#8217;s approach to AI governance\u00a0<\/strong><\/h2>\n\n<p>Sii&#8217;s experience&nbsp;from&nbsp;transforming how it delivers AI projects shows that a governance strategy for AI-native delivery must&nbsp;operate&nbsp;at three levels.&nbsp;<\/p>\n\n<p>The first is&nbsp;<strong>organizational governance<\/strong>. It covers approved enterprise-grade AI tools, the license access process, user roles, tool usage policies, and controls designed to reduce the risk of uncontrolled AI use, or shadow AI.&nbsp;Sii&nbsp;has already implemented approved AI tools, a process for approving AI tool licenses, and a clear distinction between access to a tool and authorization to use it in a specific project.&nbsp;<\/p>\n\n<p>The second is&nbsp;<strong>project-level governance<\/strong>. Every project has its own context: the client, contract, service model, working environment, data, repositories, security requirements, and contractual constraints. Therefore, granting an employee access to a tool does not automatically authorize its use in a project. A project-level decision is&nbsp;required: which data may be used, which tools are allowed, whether&nbsp;additional&nbsp;client approval is needed, which areas are excluded from AI&nbsp;use, and when escalation is&nbsp;required.&nbsp;<\/p>\n\n<p>The third is<strong>&nbsp;technical and workflow governance<\/strong>. This is where AI starts to&nbsp;operate&nbsp;not only as an assistant but as part of the engineering process through AI agents, skills, workflows, prompt libraries, context packs, integrations based on the Model Context Protocol (MCP), and reusable AI components. This level requires control over who creates these assets, who approves them, where they are versioned, what permissions they have, how they are tested, and in which projects they may be used.&nbsp;<\/p>\n\n<p>This distinction is critical. Governance does not end with a corporate policy. It must extend into each project and the day-to-day workflows used by engineers.&nbsp;<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>From principles to operational controls\u00a0<\/strong><\/h2>\n\n<p>In mature AI-native delivery, principles alone are not enough. They must be enforced in practice.&nbsp;<\/p>\n\n<p>Sii&nbsp;is therefore building an approach in which AI governance is connected to software delivery processes, quality and security monitoring, and project accountability. This includes controlling tool use, classifying data, defining no-prompt zones, setting project-specific AI usage rules, reviewing workflows, restricting agent permissions, and applying quality gates and human gates.&nbsp;<\/p>\n\n<p><strong>No-prompt zones&nbsp;<\/strong>are a particularly important part of this model. They define which types of data or context must not be&nbsp;submitted&nbsp;to AI tools without&nbsp;additional&nbsp;approval or controls. Examples may include personal data, confidential client information, selected parts of source code, secrets, contractual data, security documentation, or information subject to specific project restrictions.&nbsp;&nbsp;<\/p>\n\n<p>Sii&nbsp;is currently developing this area as part of its broader model for the secure use of AI in software delivery.&nbsp;<\/p>\n\n<p>The same applies to governance for AI agents, skills, and workflows.&nbsp;This area is still maturing across the industry, but it is already clear that teams cannot be allowed to create their own instructions, agents, and integrations without common standards.&nbsp;Each asset should have an owner who approves its version and scope of use, oversees the process, sets permission limits, and&nbsp;establishes&nbsp;a clear approval path before it is used in a client project.&nbsp;<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Quality gates and human gates\u00a0<\/strong><\/h2>\n\n<p>In a traditional SDLC, quality gates are well established: testing, code review, static analysis, vulnerability scanning, secret detection, and&nbsp;compliance checks. In an AI-native SDLC, these mechanisms&nbsp;remain&nbsp;essential, but they must be expanded to include AI-specific controls.&nbsp;<\/p>\n\n<p>AI-specific gates may include controls over the data sent to the model, validation of context sources, checks for compliance with no-prompt zones, restrictions on available tool calls, validation of agent-generated outputs, and logging of decisions made within AI workflows.&nbsp;<\/p>\n\n<p>Human gates are equally important. AI can prepare an analysis, plan, code, tests, documentation, or a recommendation, but it should not assume accountability for architectural decisions, security, compliance with client requirements, or releases. At key stages, it must be clear who&nbsp;is responsible for&nbsp;approving the plan, change scope, agent use, test results, exceptions, or a deployment decision.&nbsp;<\/p>\n\n<p><em>Human-in-the-loop<\/em> is therefore more than a marketing slogan. In an AI-enabled software delivery model, human involvement should be a concrete, enforceable part of the workflow.<\/p>\n\n<blockquote class=\"wp-block-quote is-style-nsw-quote is-layout-flow wp-block-quote-is-layout-flow\"><p><em>Scaling AI in delivery is not about approving more tools. The real challenge begins when AI operates on client-provided context, code, documentation, specific workflows, and project decisions. At that point, AI governance must function not only as policy, but as a technically enforced control model &#8211; with quality gates, no-prompt zones, auditability, clear human accountability, and project-specific rules for agent use, says <strong>Micha\u0142 Czy\u017cowicz, AI Governance Stream Leader at Sii Poland.\u00a0<\/strong><\/em><\/p><\/blockquote>\n\n<h2 class=\"wp-block-heading\"><strong>Evidence package: trust requires auditability<\/strong><\/h2>\n\n<p>Another&nbsp;component&nbsp;of the maturing governance model is the evidence package. It is a structured body of evidence showing how AI was used in a specific software delivery process and which controls were performed.&nbsp;<\/p>\n\n<p>An evidence package may include information about the tool or model used, the context pack, inputs, prompts, workflows, tests, security scans, validation results, exceptions, and the person who approved the outcome.&nbsp;<\/p>\n\n<p>For clients, this mechanism has practical value. It&nbsp;provides&nbsp;a clearer view of what work was performed using AI, which risks were assessed, and who was accountable for the final decision. It does not replace compliance assurance processes or guarantee the absence of risk, but it increases transparency, auditability, and control over how AI is used in a project.&nbsp;<\/p>\n\n<p>At&nbsp;Sii, the evidence package is currently being developed as part of the target AI-native delivery model. This is particularly important for clients&nbsp;operating&nbsp;in regulated environments, with stringent security requirements, or seeking greater predictability in how services are delivered.<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>What this means for\u00a0Sii\u00a0clients\u00a0<\/strong><\/h2>\n\n<p>For clients, the most important question is no longer whether a technology partner uses AI, but how they use it.&nbsp;&nbsp;<\/p>\n\n<p>Sii&#8217;s approach is designed to reduce the risk of uncontrolled AI use, strengthen data and code security, improve auditability, and ensure that AI supports project delivery in a way that is&nbsp;appropriate to&nbsp;the project&#8217;s context. This is especially important for enterprise clients, where technology decisions must account for contracts, compliance, security, intellectual property, client environments, and accountability for outcomes.&nbsp;<\/p>\n\n<p>Sii&nbsp;draws on its own experience of redesigning the delivery model to help clients adopt AI safely across IT services. This approach is relevant both to the<strong>&nbsp;Power People&nbsp;powered by AI&nbsp;<\/strong>model, in which clients gain access to teams and specialists prepared to work in an AI-native delivery environment, and to the&nbsp;<strong>Assess-Transform-Deliver<\/strong>&nbsp;model, in which Sii can help a client assess AI potential, transform selected delivery elements, and run the service using a more modern model.&nbsp;<\/p>\n\n<p>The goal is not to sell governance as a standalone product. Governance is a prerequisite for responsible AI-native delivery. It is part of what makes it possible to use AI in client projects without chaos, excessive risk, or uncontrolled experimentation.<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Why\u00a0Sii\u00a0<\/strong><\/h2>\n\n<p>What sets&nbsp;Sii&nbsp;apart is that it does not approach AI-native delivery solely as a consulting concept.&nbsp;Sii&nbsp;is building the model from within &#8211; across its own delivery organization, multiple Competency Centers, and a wide range of services and technologies.&nbsp;<\/p>\n\n<p>AI-native delivery is not limited to development. It spans testing, DevOps, IT operations, cybersecurity, SAP, Salesforce, data analytics, cloud solutions, as well as system maintenance, service takeovers, and the modernization of existing solutions. This breadth of&nbsp;expertise&nbsp;matters because AI governance for IT services cannot be designed solely from the perspective of one tool or one type of project.&nbsp;<\/p>\n\n<p>At&nbsp;Sii, the model is being developed by delivery teams, technical experts, the AI&nbsp;CoE, security, governance, testing, digital, and ITO specialists, and representatives from multiple service areas. As a result, the governance model is not a standalone document. It is part of a broader transformation in how services are delivered to clients.&nbsp;<\/p>\n\n<h2 class=\"wp-block-heading\"><strong>Summary\u00a0<\/strong><\/h2>\n\n<p>AI-native delivery is not driven by tools alone. It delivers scalable results when security, accountability, and quality are embedded in projects, workflows, agents, quality gates, and human gates.&nbsp;<\/p>\n\n<p>For clients, this means greater control over how AI is used in their projects. For delivery teams, it means clear working rules. For organizations, it creates a path from local experimentation to a predictable, auditable, and scalable model for using AI.&nbsp;<\/p>\n\n<p>This is the direction\u00a0Sii\u00a0is taking: <strong>AI should accelerate project delivery, while AI governance ensures that it happens securely, deliberately, and with humans\u00a0retaining\u00a0full accountability for the\u00a0outcome.<\/strong><\/p>\n\n<p><\/p><\/div>","protected":false},"excerpt":{"rendered":"","protected":false},"author":131,"featured_media":146659,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"tags":[5742],"class_list":["post-146677","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-artificial-intelligence"],"acf":[],"aioseo_notices":[],"featured_media_url":"https:\/\/sii.pl\/wp-content\/uploads\/2026\/07\/M-Czyzowicz-Pressroom-AI.jpg","category_names":[],"_links":{"self":[{"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/posts\/146677"}],"collection":[{"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/users\/131"}],"replies":[{"embeddable":true,"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/comments?post=146677"}],"version-history":[{"count":1,"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/posts\/146677\/revisions"}],"predecessor-version":[{"id":146678,"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/posts\/146677\/revisions\/146678"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/media\/146659"}],"wp:attachment":[{"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/media?parent=146677"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sii.pl\/en\/wp-json\/wp\/v2\/tags?post=146677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}