- Governance “by the tool” (charter, allow-list, blocking) fails: it creates shadow AI or kills usage.
- The right unit of governance isn't the tool, it's the practice: what teams actually do with AI.
- CREWCREWMarylink's governance framework (Concepts, Roles, Environments, Workflows) grounded in research. (Concepts · Roles · Environments · Workflows) is a grammar for governing practice, mapped 1:1 into Marylink.
Every CIO or CISO knows the dilemma. On one side, employees pasting client data into a personal ChatGPT because “it's faster.” On the other, a board demanding AI everywhere. Between the two, you. And two bad options.
Why governing the tool doesn't work
Ban it. You block the domains, publish a charter, issue threats. Result: your most motivated teams route around it (personal phone, free account, copy-paste). You haven't removed the risk, you've made it invisible. That's shadow AI, and it's worse than governed usage.
Allow everything. You open the floodgates. Usage explodes, and with it the risk surface: data leakage, hallucinations copied verbatim, decisions made on unverifiable grounds, zero traceability. On audit day, you know neither who produced what, nor with what.
Both approaches share the same targeting error. They govern the tool: an object that changes every three months, that you don't control, and that's never where the risk actually plays out.
Risk doesn't live in the tool. It lives in the practice: who does what, with which data, validated by whom, through which stepsValidation stepA stage in a publication's path (draft → review → approved), with rules that gate each transition..
Governing the practice: the CREW framework
CREW is a grammar for operational governance, drawn from our research (“Generative AI as Practice,” published on ResearchGate). It breaks any AI practice down into four bricks, and each maps directly into the platform.
C · Concepts
The intent, the content, the rules, the style of a practice. What must be done, and how to do it well. → PublicationsPublicationA practice published in a space: versioned, reviewed and subject to validation steps. & typed blocks.
R · Roles
Who is author, who is expert, who reviewsReviewAn expert's assessment of a practice: score, comments and recommendations against criteria., who validates. Responsibility is named, not diffuse. → Space rolesSpace rolesThe responsibilities assigned within a space: author, expert, reviewer, moderator, champion. (championChampionThe role that animates a space and surfaces the practices that work to the collective., moderatorModeratorThe role that ensures the quality and compliance of a space's publications., expert).
E · Environments
The spacesSpaceA workspace by domain or topic where a team publishes, shares and governs its practices. where you publish, share and validate, partitioned by domain, by client, by confidentiality level. → Spaces.
W · Workflows
The execution and validation steps: what must pass a review before becoming reusableReuseThe same practice serving many times, across many spaces, the key measure of the Practice Graph's value., what is blocked and why. → Steps & rules.
With this framework, you no longer say “ChatGPT is banned / allowed.” You say: “this practice, on this type of data, must be validated by an expert before reuse, and every execution is traced.” Governance follows the real work, instead of chasing tools.
What it changes for risk
- End of shadow AI: governed usage becomes more convenient than the workaround, because it grants access to the team's asset. The temptation to cheat disappears.
- Native traceability: who produced what, from which practice, validated by whom. The audit stops being a search and becomes a query.
- Governed quality: hallucinations never become “practices”: they have to pass an expert review. Validation is a workflow, not a hope.
- SovereigntySovereigntyEuropean hosting and full control of your data: it is never used to train third-party models. & compliance: data hosted in Europe, never used to train third-party models, aligned with GDPRGDPRThe EU General Data Protection Regulation. Marylink is built for GDPR compliance. and the AI ActAI ActThe EU regulation on AI. Marylink helps scope and trace usage to comply with it.. See Security & trust.
The goal isn't to slow AI down. It's to make sure the governed path is also the fastest path.
That's the promise of a governance that doesn't fight usage but capitalizes on it: you scope, you prove, and you expand, without ever having to choose between speed and control. For the full mechanics and the research publications, see the science behind Marylink.

