The AI Project Rulebook for Agencies
Five rules for using AI on client work — pin these to your desk!.
You’ve been using AI on client work for months.
No rulebook. No policy. Nobody checking.
Just you, ChatGPT, and persistent delivery deadlines.
Sadly, for some agency’s, that’s still the normal state of things. AI got into your working week faster than anyone could write rules for it.
Luckily, the first proper standards are starting to appear. The trouble is they’re written for banks and other regulated industries. Risk officers. An “AI policy working group” that meets on a Thursday.
You’ve got a Slack channel, JIRA and no time to think past your 2pm client call.
So this is the version for the rest of us. Not a 200-page framework. Five rules you can actually follow, with no compliance team, no budget, and no extra meetings.
First, why this matters more than it looks like it does.
Quick favour before we get into it:
I want to write more of what’s actually useful to you, and less of what I’m guessing at. I’ve put together a short reader survey — nine questions, about two minutes and your answers shape what I write over the next few months. Take the survey here.
Thanks so much.
You, plus AI. Not AI instead of you.
Let’s be clear about what’s I’m saying, because the word “AI” is still making some people freak out right now.
Nobody’s handing the client project to a robot. You’re still running it. AI is the fast, slightly unreliable (but super intelligent) assistant sat next to you, and you’re the one who checks its work and ALWAYS signs it off.
That’s the whole game. You stay in control. The rules below exist to keep it that way.
The work is still yours. AI just helps you get it out the door more efficiently - it’s like having a stupid genius sat next to you.
Here’s the bit most teams miss.
Want to know the real state of AI governance in most agencies? There isn’t one. Industry estimates put the share of organisations running properly governed, enterprise-grade AI at around one in five. Everyone else, roughly half by the same estimates, is getting by on consumer tools. Free ChatGPT. A personal Claude login — not very sensible.
That’s not surprising. It’s just where we are. The work moved quicker than the rules.
But “no rules” stops being fine the moment a client asks the obvious question. What are you putting our data into? Who checks what it gives back? where did you get those facts from?
If you can’t answer that cleanly today, you’re one awkward email away from a big problem.
So here’s the fix. Five rules. Keep them handy.
Rule 1: A human signs off before your client sees it
If AI touched it, a person checks it before it leaves the building.
This is the rule everything else hangs off. Call it human-in-the-loop if you like. I call it not getting caught out by a confident robot.
AI doesn’t know when it’s wrong. It will hand you a made-up statistic, a misread of the brief, or a subtly off-tone paragraph with exactly the same confidence as the good stuff.
Do this: before anything AI-assisted goes to a client, read it as if you’d written it by hand. Because as far as the client is concerned, you did. Your name’s on it.
Rule 2: Client data never goes into a tool you wouldn’t name to the client
Simple gut check. Would you be happy telling the client exactly which tool you pasted their data into, and what that tool does with it?
If yes, carry on. If you’d rather they didn’t ask, you’ve got your answer.
This is where most agencies are quietly exposed. Around half of organisations are running on consumer-grade AI. Free logins and personal accounts. Convenient, and usually a breach of the data terms you signed with your client.
Do this: use your company’s official LLM — hopefully with an enterprise, zero data retention (ZDR) agreement. If you don’t have one, that’s the conversation to start this week. For ongoing client work, a tool with proper project workspaces keeps each client’s data walled off instead of swimming a shared history.
Rule 3: Treat your first AI initiatives as a pilot
The moment “let’s start using AI for X” gets said out loud, you have a pilot. Treat it like one.
Pilot’s are a great way to run a test before committing to a big roll out. Run it small, with a keen team, on real work, for a set stretch of time. Then look at what happened and decide whether it earns a permanent place. Get some before and after numbers for management. Document the learnings for the next iteration.
Right now most AI use creeps in sideways. One person tries it out on a straight forward task, word spreads through Slack, and four weeks later nobody can say what the benefit was or whether any of it was safe.
Do this: when AI gets introduced to a client’s work, give it an owner, a purpose, and a boundary. How it will be used. How it won’t. Who’s accountable. Ten minutes of scoping, the same as any other piece of work.
Rule 4: Know your three failure modes before your client finds them
AI fails in three ways you can predict. Learn them, and stop nasty surprises.
Made-up facts. Drift. Inconsistency.
Made-up facts: it invents a number, a source, or a quote, and presents it cleanly. Drift: the same prompt gives you a slightly different answer next week, so quality varies. Inconsistency: two people on your team use the same tool and ship two different standards of work.
When using AI tools, invest time up front and more time on QC so you’re checking instead of getting caught out in when presenting to your client.
Do this: Verify any fact, figure or claim before you ship work. Lock your repeatable work into saved prompts so the output stops drifting. (This is exactly why I built a prompt-pack for delivering website projects — the same prompts every time, so the work doesn’t wander.) And agree one house standard so the whole team’s AI work looks like it came from a consistent place.
Rule 5: Write your rules on one page
If your AI rules only live in your head, your team won’t use them. Lead the way.
Sounds simple but a rulebook nobody reads will stay buried in Onedrive. So keep yours to a single page, add it to your briefing documents.
Do this: open a doc. Write down which tools are approved, what’s allowed near client data, who checks AI work before it ships, and the three failure modes everyone watches for. That’s most of rules one to four on a single page. Share it. Done.
BTW — you can’t beat a good process flow that documents your agency process along with where and how AI tools can be used.
That’s the rulebook
Five rules. One page. No working group and no 200-page framework.
This is the version for those of us looking for a little extra guidance and hustling to get the work out the door. You stay in control. AI does the heavy lifting — you’ve checked it and signed off.
Your move this week: write your page. Even a rough one beats nothing.
Speak soon, Tim
Disclaimer
This is general guidance, not legal or compliance advice — follow your own company’s policies.


