Earlier this year, Anthropic made a decision that stopped a lot of people in the tech world cold. The company had developed an AI model - Claude Mythos - so capable that it autonomously uncovered thousands of critical security vulnerabilities across every major operating system and web browser. Rather than release it publicly, Anthropic handed access exclusively to a consortium of tech companies, giving them time to patch those holes before similar capabilities inevitably end up in less careful hands.

It's the kind of story that sounds like science fiction until you realise it's just... Tuesday in 2025. And it raises an uncomfortable question for businesses of every size: if AI is developing this fast, does your company have any kind of plan for using it responsibly?

Why governance can't wait

Most organisations are still in the "figure it out as we go" phase when it comes to AI. That was understandable two years ago. Now it's starting to look like a liability. The gap between what AI can do and what companies have policies to handle is widening at speed - and regulators, customers, and employees are all paying closer attention.

Responsible AI governance isn't just about avoiding bad headlines, though that matters too. It's about making sure the tools you're adopting are working in your favour - that they're fair, secure, and aligned with what your business actually values.

The 90-day framework

The good news, according to reporting from Fast Company, is that meaningful governance doesn't require a years-long overhaul. A focused 90-day push can lay foundations that stick. The approach breaks down into three rough phases.

The first month is about understanding what you're working with - auditing which AI tools are already in use across your organisation (often more than leadership realises), and identifying the highest-risk areas. The second month shifts toward building: drafting clear policies, assigning accountability, and creating channels for employees to flag concerns. The final stretch is about embedding those practices so they don't quietly get abandoned when priorities shift.

The human side of the equation

One thing that gets overlooked in these conversations is culture. A governance framework is only as strong as the people following it. That means bringing employees into the process early, being transparent about why the guardrails exist, and making sure the policies feel like practical guides rather than corporate box-ticking.

The Anthropic story is a useful reminder that even the most safety-focused organisations in the world are navigating genuinely hard calls. For everyone else, the baseline is simpler: know what you're using, know who's responsible for it, and have a plan before something goes wrong rather than after.

Ninety days isn't much time. But it's enough to go from "we'll deal with that eventually" to actually having something in place.