June 11, 2026

AI Governance for SMBs: The Practical 30/60/90 Day Plan

This article has been written by Tim Hickle

AI governance for SMBs is the set of policies, controls, monitoring, and decision forums that make AI use safe, accountable, and effective. A practical 30/60/90 day plan covers the AUP, shadow AI inventory, training rollout, technical hygiene (sensitivity labels, conditional access), Council convening, and ROI measurement. The plan is intentionally fast — most SMBs cannot sustain a six-month governance engagement, and they should not have to. 


How MSPs Deliver SMB AI Governance in 30/60/90 Days 

For MSPs, the 30/60/90 day governance plan is the operational artifact that takes Phase 0–3 of TaaS and lays it on a calendar the client can see. It removes the abstraction from "governance" and replaces it with named work, named owners, and named dates. 


Days 0–30: Foundation. 

  • AI Leadership Survey with the executive sponsor and department heads. 
  • Tenant Readiness check (Microsoft's ARA) against M365. 
  • Shadow AI inventory baseline using the Continuous Scanner. 
  • AUP first draft, including the approved/conditional/blocked tool list. 
  • AI Champions identified across departments. 
  • Council and QBR AI Segment cadence scheduled. 
  • Phase 0 → Phase 1 transition. 

Days 31–60: Build. 

  • Technical hygiene remediation against the ARA findings (permissions, sensitivity labels, conditional access). 
  • Copilot Quick Wins identified and sequenced for rollout. 
  • Training plan finalized; Copilot 101/102 sessions delivered to the pilot team. 
  • First Monthly AI Council convened. AUP reviewed by leadership; first revisions captured. 
  • AI Maturity Score baseline established across the 8 pillars. 
  • Phase 2 work in flight. 

Days 61–90: Activate. 

  • Copilot Quick Wins deployed to end users. 
  • AUP revised against observed real-world usage (Phase 3). 
  • Use case pipeline launched from the AI Inventory. 
  • Second Monthly AI Council convened. Decisions documented; owners named. 
  • First quarterly AI Recap or QBR AI Segment delivered. 
  • Practice transitions from onboarding mode to recurring rhythm. 

What's not in the 30/60/90 plan: large custom agent builds, departmental AI projects, and broad organizational change initiatives. Those are Program-side work that lives outside the 90-day governance plan. The plan is governance, not strategy execution. 


What SMB Leaders Should Expect at Each AI Governance Gate 

For SMB executives, the 30/60/90 day governance plan is the answer to a question that often stalls AI investment: *how long until we have governance in place?* The honest answer is 90 days under a real practice. 

What you should expect from your MSP at each gate: 


  • Day 30 gate. AUP first draft in hand. Shadow AI inventory baseline produced. AI Champions named. Council on the calendar. 
  • Day 60 gate. Technical hygiene closed against the ARA findings. First Council convened with leadership decisions captured. Pilot team trained. 
  • Day 90 gate. Quick Wins deployed. AUP revised against real usage. Use case pipeline live. First QBR AI Segment delivered. 

If your MSP cannot articulate the 30/60/90 plan in writing during Phase 0, you are likely buying a project rather than a practice. The plan is the most basic test of operational maturity. 

The plan also names the dependency that fails most often: executive sponsorship. Active sponsorship is required at Day 0 for the AI Leadership Survey, at Day 30 for AUP approval, and at Day 60 for the first Council. If the sponsor is not available, the plan slips — and most plans slip on the sponsor, not the technical work. 


How Lemhi Standardizes the 30/60/90 AI Governance Plan for MSPs 

Lemhi makes the 30/60/90 governance plan a standardized, repeatable motion across the MSP's full client book. 


  • Lemhi Engage runs the Day 0–30 motion. AI Leadership Survey, Tenant Readiness check, ROI calculator, AUP first draft. 
  • VCAIO tooling runs the Day 31–60 motion. Council prep, ARA remediation tracking, AI Maturity Score baseline. 
  • Continuous Scanner runs across all 90 days and beyond. Shadow AI, permissions, sensitivity labels — surfaced to the PSA queue. 
  • Standardized artifacts for each gate. Day 30 gate checklist, Council agenda, AUP template, QBR AI Segment slides. 
  • Compass Module variant. For clients too small for the full plan, the Compass Module compresses the 30/60/90 plan to fit the owner-led format. 
  • 

The 30/60/90 plan is what governance looks like when it ships from a practice instead of from a consulting engagement. Lemhi sells the practice; the plan is the visible artifact. 


Field Notes

Build the AI service line your clients are already asking for.

Every week, we send practical guidance for MSPs turning AI from scattered conversations into a repeatable managed service. No hype. No generic AI takes. Just the operating playbook.

AI Transformation as a Service VCAIO playbooks MSP-ready sales motions
Subscribe to Field Notes

For MSP leaders building the next recurring revenue category.

Frequently Asked Questions

SMB AI Governance FAQ

Practical answers for MSPs standing up a 30/60/90 AI governance plan with AUPs, shadow AI inventory, technical readiness, leadership cadence, and recurring measurement.

What is AI governance for SMBs?

AI governance for SMBs is the set of policies, controls, monitoring, and decision forums that make AI use safe, accountable, and effective. It includes the AUP, shadow AI inventory, training, technical hygiene, and the Council.

What's the typical AI governance timeline for an SMB?

Under a managed practice, the typical AI governance timeline is 30/60/90 days. Under a project-based consulting engagement, it can take six months or more, and the project version often does not produce a recurring discipline.

What ships in the first 30 days?

The first 30 days include the AI Leadership Survey, Tenant Readiness check, shadow AI inventory baseline, AUP first draft, AI Champions identification, and Council scheduling.

What ships in days 31–60?

Days 31–60 include technical hygiene remediation, Copilot Quick Win sequencing, pilot training, the first Council, and the AI Maturity Score baseline.

What ships in days 61–90?

Days 61–90 include Quick Wins deployed, AUP Phase 3 revision, use case pipeline launch, the second Council, and the first QBR AI Segment.

Who owns the 30/60/90 plan?

The VCAIO inside the MSP owns the 30/60/90 plan, supported by Lemhi's platform tooling and the client's executive sponsor.

What if the executive sponsor isn't available?

The plan slips. Active executive sponsorship is required at Day 0, Day 30, and Day 60. The VCAIO escalates and documents when sponsorship is missing.

What's not in the governance plan?

Large custom agent builds, departmental AI projects, and broad organizational change initiatives are not in the baseline governance plan. Those are Program-side strategic work.

How does the plan handle compliance-sensitive industries?

The VCAIO coordinates with the VCISO and the client's legal contacts. Industry-specific controls for areas like HIPAA, financial services, and other regulated environments layer on top of the baseline plan.

How is the plan adjusted for the Compass Module?

The 30/60/90 cadence holds, but the artifacts are scaled to the owner-led format. The Council is replaced by a 30-minute working session.

What's the role of the AUP in the plan?

The AUP first draft ships by Day 30, is reviewed by leadership by Day 60, and is revised against real usage by Day 90. After that, it is reviewed in every Council.

What's the role of the Continuous Scanner in the plan?

The Continuous Scanner establishes a baseline by Day 30 and runs continuously from Day 0 forward. Findings surface to the PSA queue and the Council Measurement Review.

How is governance success measured?

Governance success is measured through AI Maturity Score movement, AUP compliance rate, shadow AI reduction, training completion, and observability versus survey alignment.

What happens on Day 91?

On Day 91, the practice transitions to recurring rhythm: Monthly Council, monthly Continuous Scanner review, quarterly QBR AI Segment, and annual full AI Readiness Assessment refresh.

Is the 30/60/90 plan industry-specific?

The framework is general, but sequence and emphasis adjust by industry. Heavily regulated industries usually spend more time on Days 31–60 governance work.

Where can I learn more?

Lemhi publishes the 30/60/90 governance plan template, the Day 30/60/90 gate checklists, and the AUP, Council, and QBR runbooks as part of TaaS. Sign up for Field Notes to get the weekly playbook.

The MAGIC Framework

Scale AI transformation across your entire book of business.

Most MSPs are stuck selling AI as scattered projects, Copilot rollouts, or one-off workshops. The MAGIC Framework gives you a repeatable path to package, sell, deliver, and manage AI Transformation as a Service across your client base.

Map the opportunity Align the business Govern the rollout Implement the roadmap Continuously prove value
See the MAGIC Framework

For MSPs ready to turn AI demand into a managed service motion.

< Older Post

Newer Post >