What "good governance" looks like for a mid-market Claude Cowork rollout. Four governance objects, monthly cadence, RACI, and the failure modes to avoid.
TL;DR. Mid-market governance for Cowork is four objects (acceptable-use policy, workspace inventory, connector inventory, skills inventory), four cadences (weekly during pilot, monthly steady-state, quarterly review, annual re-evaluation), and one forum at scale. Lightweight tooling — Notion or Confluence pages plus an Excel inventory — is enough up to 500 seats. Skip none of it.
What you actually maintain:
Each object has an owner, a review cadence, and a place to live. A single Notion or Confluence page is fine. The point is that the document exists and is updated, not that it is sophisticated.
The discipline matters more than the format. Even a 15-minute monthly check-in is enough if it actually happens.
For deployments past 50 active seats:
The forum's biggest value is visibility. When ten people from different functions see the connector list every month, drift is impossible to hide.
| Activity | Sponsor | Pilot owner | IT | Security | Tinkso (if engaged) |
|---|---|---|---|---|---|
| Workspace creation | A | R | C | I | C |
| Connector approval | A | C | R | C | C |
| Skill development | A | C | I | I | R |
| Incident response | I | C | A | R | C |
| Quarterly review | A | C | C | R | C |
R = responsible, A = accountable, C = consulted, I = informed. Adapt to your org chart; the principle is that every activity has exactly one A.
CLAUDE.md.scheduled-tasks.md.SKILL.md describing intended use, inputs, outputs, owner.These are small files. The discipline is to create them on day one, not retrofit them in month six. Retrofit governance is harder than initial governance, and almost always less complete.
The fix for all four: ownership and cadence in writing, on the wall, on someone's calendar.
Resist the urge to buy a governance product before you have hit 500 active seats. The product will not produce the discipline; the discipline produces the need for the product.
Mid-market governance fails not because anyone disagrees about what "good" looks like, but because nobody has four hours to write the policy. We bring the templates, the inventory, and the cadence; the client adopts them with edits, not from scratch. Governance debt compounds the way any other debt does — pay it down monthly.
The other observation from many engagements: pilots that name a governance owner at week one (separate from the pilot owner who is doing the work) survive past month six. Pilots that defer the question quietly stall.
Spend 30 minutes writing the smallest version of each of the four governance objects: acceptable use, workspaces, connectors, skills. They will be incomplete. Publish them anyway. Update monthly. The first version is always wrong; the seventh version is always good enough.
Book a 30-minute call. We'll ask where you are, what your team needs, and which systems Cowork should touch.