Skip to main content
Lab Notes
Frameworks

Quick‑Start Guide: First 48 Hours (AI Safety Pack)

AI Safety Pack Component

PeopleSafetyLab|February 24, 2026|4 min read|intermediate

Quick‑Start Guide: First 48 Hours (AI Safety Pack)

Version: v1.0 A condensed deployment guide for immediate action.

Hour 0–2: Emergency triage

Stop the bleeding (immediate)

If you have no AI policy in place:

  1. Send the interim directive (copy/paste below)
  2. Block unapproved tools at network level (if possible)
  3. Set up incident reporting channel

Interim directive (send via email/Slack)

Subject: Interim AI Use Directive — Effective Immediately

Team,

Until our formal AI policy is published (within 7 days), please follow this interim guidance:

DO:
✓ Use approved tools only: [list your approved tools]
✓ Use AI for drafting internal documents (no restricted data)
✓ Complete AI safety training when assigned

DON'T:
✗ Paste customer PII, passwords, or secrets into any AI tool
✗ Use AI for hiring decisions or candidate ranking
✗ Send AI‑drafted customer messages without human review
✗ Use unapproved AI tools for work

Questions? Contact [Risk/Security contact]
Incidents? Report to [incident channel/email]

[Name, Title]
[Date]

Hour 2–8: Core setup

1. Tailor the policy (2–3 hours)

Copy 01-ai-use-policy.md and fill in:

  • [ ] Your org's approved tools list (Section 5.1)
  • [ ] Data classification scheme (Section 9.1) or confirm D0–D3 works for you
  • [ ] Incident reporting channel + owner (Section 13)
  • [ ] Effective date + policy owner

2. Define your approved tools

| Tool | Approved for | Not approved for | |---|---|---| | [e.g., Microsoft 365 Copilot] | D0–D2 data, internal use | D3 data, external automation | | [e.g., GitHub Copilot Enterprise] | Code assistance on internal repos | Secrets, public repos |

3. Set up governance

  • [ ] Identify Risk Committee members
  • [ ] Schedule first governance review (Day 7)
  • [ ] Assign Use‑Case Card owners for top 3 use‑cases

Hour 8–24: Rollout prep

4. Customize the 1‑pager

Edit 02-approved-prohibited-usecases.md:

  • Add your org name
  • Confirm approved tools list matches Section 5 above
  • Remove/add examples relevant to your business

5. Classify top use‑cases

Use 02a-ai-use-case-matrix.md to classify your top 3–5 use‑cases: | Use‑case | Data (D) | Exposure (O) | Criticality (C) | Status | |---|---|---|---|---| | Meeting notes | D1 | O0 | C0 | Approved | | Support drafts | D2 | O1 | C1 | Conditional | | HR screening | D3 | O0 | C2 | Prohibited |

Create Use‑Case Cards (07-use-case-card-template.md) for Conditional uses.

6. Configure controls

Minimum for Conditional use‑cases:

  • [ ] Access controls (SSO/MFA) — IT task
  • [ ] Logging enabled — IT/Security task
  • [ ] Human review workflow — Business owner task
  • [ ] Incident reporting channel — Security task

Hour 24–48: Communication + training

7. Announce the policy

Use template from 13-communication-templates.md (or draft your own):

  • Executive announcement (why this matters)
  • Manager briefing (how to answer team questions)
  • All‑hands/Slack announcement (what changed)

8. Schedule training

  • [ ] Book 60–90 min session (within 7 days)
  • [ ] Assign mandatory attendance by role
  • [ ] Prepare quiz (from 06-training-deck-outline.md slide 15)

9. Validate reporting

Test the incident reporting channel:

  • [ ] Send test "near‑miss" report
  • [ ] Confirm triage owner receives it
  • [ ] Document response time

Week 1 validation checklist

By Day 7, confirm:

  • [ ] Policy published + acknowledged
  • [ ] Approved tools list distributed
  • [ ] Top 3 use‑cases classified + cards created
  • [ ] Incident channel tested
  • [ ] Training scheduled/completed for critical roles
  • [ ] First governance review held

What to skip (for now)

You can defer these to Week 2–4:

  • Full risk register population (start with top 3 risks)
  • Complete vendor due diligence (do top 2 tools first)
  • Full 30‑day checklist (do Week 1 items first)
  • Role‑specific training modules (do baseline first)

Escalation triggers

Escalate immediately if:

  • Incident reported: D3 data in unapproved tool → immediate assessment
  • Pushback on prohibitions: HR/leadership wants exception → EDR process
  • Tool access issues: IT cannot implement controls → Conditional use delayed

Success criteria (48 hours)

  • [ ] Interim directive sent
  • [ ] Incident channel active
  • [ ] Policy draft ready for review
  • [ ] Top 3 use‑cases classified
  • [ ] Training scheduled

Next: Proceed to 05-30-day-implementation-checklist.md for full deployment.

P

PeopleSafetyLab

Independent AI safety research for organisations and families in Saudi Arabia and the GCC. All research is editorially independent. PeopleSafetyLab has no consulting clients and does not conduct paid audits.

Share this article: