
Claude Cowork rollout governance — how it's run, not just deployed

What "good governance" looks like for a mid-market Claude Cowork rollout. Four governance objects, monthly cadence, RACI, and the failure modes to avoid.

Updated 2026-04-25

TL;DR. Mid-market governance for Cowork is four objects (acceptable-use policy, workspace inventory, connector inventory, skills inventory), four cadences (weekly during pilot, monthly steady-state, quarterly review, annual re-evaluation), and one forum at scale. Lightweight tooling — Notion or Confluence pages plus an Excel inventory — is enough up to 500 seats. Skip none of it.

The four governance objects

What you actually maintain:

  • Acceptable-use policy. Who can use Cowork on what data.
  • Workspace inventory. Active workspaces, owners, scope of data.
  • Connector inventory. Active MCP connectors, OAuth scopes, owners.
  • Skills inventory. Active skills, what they do, who maintains them.

Each object has an owner, a review cadence, and a place to live. A single Notion or Confluence page is fine. The point is that the document exists and is updated, not that it is sophisticated.

Cadences

  • Weekly during a pilot — owner-plus-sponsor stand-up; usage, blockers, decisions.
  • Monthly at steady state — review usage, prompt regressions, new candidate workflows.
  • Quarterly governance review — security, access, opt-out posture, connector inventory, skills audit.
  • Annual — full re-evaluation against business goals.

The discipline matters more than the format. Even a 15-minute monthly check-in is enough if it actually happens.

The governance forum

For deployments past 50 active seats:

  • A Cowork governance forum, 30 minutes monthly, attended by IT, security, the function sponsors, and Tinkso (if engaged).
  • Standing agenda: usage, incidents, new connector requests, new skill requests, training-opt-out posture, retention posture.
  • The forum approves new connectors and high-risk workflows. Nothing controversial; just a record.

The forum's biggest value is visibility. When ten people from different functions see the connector list every month, drift is impossible to hide.

RACI for a typical mid-market rollout

Activity             Sponsor   Pilot owner   IT   Security   Tinkso (if engaged)
Workspace creation   A         R             C    I          C
Connector approval   A         C             R    C          C
Skill development    A         C             I    I          R
Incident response    I         C             A    R          C
Quarterly review     A         C             C    R          C

R = responsible, A = accountable, C = consulted, I = informed. Adapt to your org chart; the principle is that every activity has exactly one A.

Documentation standards

  • Every workspace has a CLAUDE.md.
  • Every workspace lists active scheduled tasks in a scheduled-tasks.md.
  • Every connector is in the connector inventory with OAuth scopes.
  • Every skill has a SKILL.md describing intended use, inputs, outputs, owner.

These are small files. The discipline is to create them on day one, not retrofit them in month six. Retrofit governance is harder than initial governance, and almost always less complete.

Common governance failures

  • No owner for the connector inventory → connectors accumulate, scopes drift, and the next security review opens a 40-item conversation.
  • No skill owner → skills break silently after a Cowork model update; the team learns about it via "why isn't the close pack working?"
  • Memory hygiene drift → sensitive data accumulates without anyone noticing.
  • Pilot governance never graduates to steady-state governance. The forum stops meeting; the pattern erodes; six months later the rollout is back to ad-hoc.

The fix for all four: ownership and cadence in writing, on the wall, on someone's calendar.

Lightweight tooling

  • Notion or Confluence page per object — fine for 50–500 seats.
  • A simple Excel inventory — fine for 50–200 seats.
  • Anthropic's admin console handles SSO, plan management, and account-level governance natively.
  • Tinkso adds a quarterly governance scorecard for clients on retainer.

Resist the urge to buy a governance product before you have hit 500 active seats. The product will not produce the discipline; the discipline produces the need for the product.

Tinkso's take

Mid-market governance fails not because anyone disagrees about what "good" looks like, but because nobody has four hours to write the policy. We bring the templates, the inventory, and the cadence; the client adopts them with edits, not from scratch. Governance debt compounds the way any other debt does — pay it down monthly.

The other observation from many engagements: pilots that name a governance owner at week one (separate from the pilot owner who is doing the work) survive past month six. Pilots that defer the question quietly stall.

Try this

Spend 30 minutes writing the smallest version of each of the four governance objects: acceptable use, workspaces, connectors, skills. They will be incomplete. Publish them anyway. Update monthly. The first version is always wrong; the seventh version is always good enough.

Last reviewed: 25 April 2026 · The Cowork Bible · Tinkso