Balancing act: A pragmatic approach can help firms to govern AI as legislation struggles to keep up
The use of AI in the workplace is moving faster than most organizations can govern it.
The challenge is not only technological speed but also organisational diffusion. AI is spreading through everyday software, employee experimentation, vendor platforms, and department-level decisions before many companies have agreed on who is responsible, what uses are acceptable, or how risks should be reviewed.
In practice, AI adoption is often less a single board-approved transformation than a series of small, decentralised choices that gradually reshape how work is done.
Boards are asking whether generative AI should be allowed at work. HR teams are being offered AI tools for recruitment and performance management. Marketing departments are already using AI to produce campaigns. Legal teams are warning about the potential implications for confidentiality, copyright, and liability.
Employees, meanwhile, often use these systems before formal policies are in place.
This is the central AI governance problem for business. AI adoption often happens in the gap between formal law and everyday practice. By the time legislation is drafted, debated, passed, interpreted, and implemented, the technology has already changed. The shift from text-based chatbots to multimodal systems and autonomous agents has widened this gap.
Creating a toolkit to govern AI adoption
Ukraine’s experience offers a useful lesson in how to respond to that challenge. Since Russia’s full-scale invasion, the country has been forced to govern digital technologies under extreme pressure, including institutional disruption, wartime urgency, displaced populations, infrastructure attacks, and constant adaptation.
Ukraine does not yet have a comprehensive AI law equivalent to the EU AI Act. Instead, it has developed a pragmatic ‘soft law’ approach through recommendations, sectoral guidance, voluntary codes, regulatory sandboxes, glossaries, checklists, and implementation tools that can be updated faster than formal legislation.
Ukraine’s Ministry of Digital Transformation describes this as a bottom-up approach. Its White Paper on AI Regulation proposes a staged model in which soft law, voluntary guidance, sandboxes, and sector-specific recommendations prepare institutions and markets before binding legislation is introduced.
For business leaders, the lesson is clear. Soft law is not weak governance. When it is designed well and human-centred, it becomes operational infrastructure.
The education sector shows how this works. Ukraine’s recommendations for responsible AI use in higher education are not written as a philosophical manifesto. They are closer to a toolkit for implementation.
They translate AI ethics into operational layers of national guidance, sector-level codes, institutional policies, and course-level procedures. The core pillars are rules, roles, workflows, training, and review. In other words, AI adoption is not treated as a series of individual experiments but as an organisational system that requires accountability. This approach is directly relevant to companies.
Many firms are currently caught between two options, neither of them good. They can ban AI and lose productivity, or allow uncontrolled adoption and create invisible risk. Ukraine’s model suggests a third path. Permit experimentation, but make it governed, documented, and reviewable.
AI adoption requires a shared language
The first business lesson is the importance of shared language. One of Ukraine’s soft-law tools is an AI glossary developed by the Ministry of Digital Transformation.
At first, a glossary may sound administrative. In practice, it is foundational. In AI governance, words become controls. If a company policy says that AI-generated content must be disclosed, what counts as AI-generated? A grammar checker? A large language model? A coding assistant?
If a procurement policy says that high-risk AI requires review, what does high-risk mean in marketing, HR, finance, legal work, or customer service?
Without shared terminology, every department interprets the rule differently. That creates confusion, unfair enforcement, and avoidable disputes.
Terminology is not decorative. It is a coordination mechanism for policy, documentation, procurement, training, and rule-making.
What questions should businesses ask about AI?
The second lesson is that AI risk is contextual. Ukraine has developed guidance across multiple fields, including media, advertising and marketing, public service, intellectual property, higher education, responsible AI development, legal work, and HR.
This matters because AI risk changes depending on the use case. Using AI to brainstorm a public slogan is not the same as using it to screen job applicants, evaluate employees, write legal advice, or monitor students.
The EU AI Act follows a similar risk-based logic. Its Annex III identifies high-risk AI systems across education, employment, access to essential services, law enforcement, migration, and justice.
For companies, this means AI governance should not begin with the question of whether AI should be allowed. A better question is which AI system is being used, by whom, with what data, for what purpose, affecting which people, and under whose responsibility.
Why many firms adopt AI backwards
The third lesson is to move from policy statements to operating routines. Ukraine’s higher education guidance encourages a practical sequence of identifying a real problem, piloting a tool, training users, and reviewing outcomes. This is a useful discipline for business.
Too many organisations adopt AI in reverse. They buy a tool because it is available, then search for a use case, and only later ask whether the system is safe, reliable, or aligned with the organisation’s values. A better approach is more modest but more effective, following principles of human-centred design.
Start with a concrete business problem. Test the AI system in a controlled environment. Define what data may and may not be used. Train employees before deployment. Assign a human owner. Review performance, risks, and unintended consequences.
This is soft law in action. And it is flexible enough to support innovation and structured enough to prevent chaos.
AI literacy means verifying outputs
The fourth lesson is verification fluency. Ukraine’s education guidance does not treat AI literacy as merely knowing how to prompt a chatbot.
It emphasises the ability to verify outputs, recognise hallucinations, protect data, and preserve human responsibility. UNESCO’s Guidance for generative AI in education and research makes a similar point, stressing data privacy, human-centered use, and ethical validation of tools.
For businesses, this may be one of the most important competencies of the AI era. The competitive advantage will not belong simply to firms that use AI the fastest. It will belong to firms that know when AI is wrong, biased, legally risky, or inappropriate for the decision at hand.
Managers should not only ask employees to use AI productively. They should train them to verify AI outputs against reliable sources, document important uses, and know when human expertise must override machine-generated suggestions.
How AI agents can weaken accountability
The fifth lesson is that AI governance is also a question of institutional resilience. Ukraine’s wartime context makes this especially visible.
Digital tools are not ornamental when public institutions are under pressure. They help organisations to continue functioning. But the same pressure creates risk. If AI systems are adopted without review, they can weaken accountability, expose sensitive data, or create dependence on external platforms.
Business leaders should take this seriously. AI agents that book meetings, contact clients, update records, generate reports, or trigger workflows are not just productivity tools. They reshape organisational authority.
If no one understands what the system can access, what actions it can take, and who is responsible when it fails, automation becomes a governance liability.
Why firms should be pragmatic about AI
The practical implications are straightforward. All organisations should have a one-page data rule outlining what employees must never submit to public AI tools, such as confidential client information, personal data, trade secrets, unreleased financial information, sensitive HR records, and legal materials.
Every organisation should also have a lightweight AI risk checklist for new tools. Each high-impact use case should have a named owner, a review date, and a human oversight process. HR, legal, marketing, finance, and customer service should each receive function-specific guidance, as their risks differ.
Ukraine’s experience does not suggest that soft law can replace formal regulation forever. A binding law is necessary, especially for high-risk systems and fundamental rights. But legislation alone is too slow and too general to govern daily AI use inside organisations.
The real question for leaders is what happens before the law arrives, and how organisations behave in spaces the law cannot fully specify.
The answer from Ukraine is pragmatic. Do not wait for perfect rules. Do not outsource governance to vendors. Do not confuse innovation with unmanaged adoption. Build shared language, risk screening, training, review cycles, and clear responsibility.
AI regulation is not just something that governments impose from outside. It is also something responsible organisations must build internally.
Ukraine’s experience shows that soft law can be a strategic asset. It is a way to move quickly without losing control, to innovate without abandoning judgement, and to govern AI before it quietly starts governing the organisation.
Dmytro Chumachenko is a Visiting Associate Professor at the Gillmore Centre for Financial Technologies and Associate Professor of the Mathematical Modelling and Artificial Intelligence department at National Aerospace University Kharkiv Aviation Institute in Ukraine. He also serves on the Expert Committee on AI Sphere Development under the Ministry of Digital Transformation of Ukraine.
Bo Kelestyn is an Associate Professor in the Information Systems Management (ISM) Analytics group and founded the Ukrainian Education Rebuilding Summer School at the University of Warwick. She teaches Managing and Leading Digital Innovation on the MSc Management of Information Systems and Digital Innovation, as well as Design Thinking for Digital Innovation on the BSc Business and Management and BSc International Business and Management.