1. What it is
A curation governance rubric is the one-page written document that says — for a specific AI deployment — what gets into the retrieval index, who decides, how supersession is recorded, what triggers removal, and when the rubric itself gets revisited.
It is the artifact that turns context engineering from a practice into a procedure. Without it, the four practitioner moves (curation, metadata, governance, audit) live in the heads of the people who happened to be in the room when the AI rolled out. With it, the discipline survives staff turnover, vendor changes, project pauses, and onboarding.
The rubric is not a project plan. It is not a strategy document. It is not an enterprise governance framework. It is a single page — short enough to read in two minutes, specific enough to settle an argument.
2. Why one page
Enterprise organizations write multi-page governance documents because they have multiple stakeholders, multiple business units, and committees that need to be visible in the artifact. None of those constraints apply to a 25–200 person organization. SMBs that adopt enterprise governance templates produce documents nobody reads, owned by nobody, updated never.
The one-page rubric is sized for the SMB reality:
- Short enough to actually be read by every person on the team that uses the AI — not skimmed, not filed, read.
- Short enough to be argued over in a single meeting — when a question arises about whether a document should be in the index, the rubric resolves it in the room.
- Short enough to be owned by one person — not a committee, not a working group. One name on the document.
- Short enough to be revised quarterly without becoming a ceremony.
A rubric that grows past one page is an early warning that the discipline is becoming a process. SMBs that resist that drift hold their advantage; SMBs that don't end up paying for enterprise governance overhead without enterprise governance benefits.
3. The five fields a rubric must answer
Every governance rubric — regardless of domain — answers five questions. If a rubric is missing one of these, the discipline has a gap.
Index eligibility. What kinds of documents enter the index, and what kinds don't. Not a list of every document; a rule that anyone on the team can apply to a new document and reach the same answer.
Authority. Who decides edge cases. Single name, not a role, not a committee. This is the person whose call settles arguments and whose answer gets written down when a precedent is set.
Supersession. How the rubric records that a newer version of a document replaces an older one. The mechanism: a metadata flag, a separate index, a removal-and-re-add. Make it explicit so the team doesn't rely on memory.
Removal. What triggers pulling a document from the index. Not just supersession — also: regulatory change, client request, sensitivity reclassification, bad-quality content discovered in audit. The rubric names the triggers and the response time.
Cadence. When the rubric itself gets revisited and re-approved. Quarterly is the SMB default; faster for high-velocity content categories. Calendar-driven, but with trigger criteria for off-cycle review (vendor change, regulatory update, compliance incident).
The rubric is not the answer to every question. It is the artifact that names the place to look and the person to ask when a question arises.
4. Worked example: accounting firm
The case material is from the Picking a Data Foundation decision exercise. An 80-person regional accounting firm has stood up Agentic RAG over its engagement files. After a curation pass, the operations director writes the governance rubric below.
AI Engagement-File Index — Governance Rubric
Document owner: Maria Chen (Operations Director). Last reviewed: 2026-04-15.
What enters the index:
- Engagement files from the last 36 months across tax, audit, and advisory practice areas.
- Firm-canonical tax memos, valuation models, audit workpapers, and advisory notes that have been published internally and not subsequently superseded.
- Reference materials (IRS publications, FASB updates, state regulatory references) — flagged as external authority in metadata.
What does not enter:
- Engagement files older than 36 months without explicit re-curation.
- Draft documents, working notes, internal memos, or client communications.
- Any document marked attorney-client privileged, under litigation hold, or containing client PII the firm is contractually prohibited from retaining in third-party systems.
Authority for edge cases: Maria Chen. Decisions are recorded in governance-decisions.md and shared with the partners.
Supersession: When a memo or advisory note is updated, the prior version's metadata flag current flips to superseded and the new version's flag is set to current. Both versions remain queryable; only current documents are surfaced by default.
Removal triggers: (1) regulatory change that invalidates a memo, response within 5 business days; (2) client request to remove their engagement files, response within 2 business days; (3) sensitivity reclassification by partner review, response within 1 business day; (4) audit finding of bad-quality content, response within 10 business days.
Cadence: Rubric reviewed quarterly with the partners. Re-audit triggered off-cycle by: vendor change, regulatory update affecting more than ten documents, or any compliance incident.
That is the entire rubric. One page, one owner, five fields, two practice areas of detail. It can be read by every accountant at the firm in under three minutes and it settles every question that came up during the rollout.
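The eligibility and supersession rules above can be enforced as an ingestion gate in front of the index. The sketch below is an added example, not part of the firm's rubric or the case material; the Doc schema, the kind and mark labels, and the function names are assumptions.

```python
from dataclasses import dataclass
from datetime import date

MAX_AGE_MONTHS = 36
EXCLUDED_KINDS = {"draft", "working_note", "internal_memo", "client_communication"}
BLOCKING_MARKS = {"privileged", "litigation_hold", "restricted_pii"}

@dataclass
class Doc:  # hypothetical schema; field names and labels are assumptions
    doc_id: str
    kind: str
    published: date
    marks: frozenset = frozenset()
    recurated: bool = False
    status: str = "current"  # "current" or "superseded"

def too_old(published, today):
    cutoff = (today.year * 12 + today.month - MAX_AGE_MONTHS, today.day)
    return (published.year * 12 + published.month, published.day) < cutoff

def eligible(doc, today):
    if doc.marks & BLOCKING_MARKS:  # hard exclusions win over everything else
        return False, "blocked: " + ", ".join(sorted(doc.marks & BLOCKING_MARKS))
    if doc.kind in EXCLUDED_KINDS:
        return False, "excluded kind: " + doc.kind
    if doc.kind == "engagement_file" and too_old(doc.published, today) and not doc.recurated:
        return False, "older than 36 months without re-curation"
    return True, "ok"

def supersede(index, old_id, new_doc, today):
    # Admit the new version first, so a rejected update never retires the old one.
    ok, reason = eligible(new_doc, today)
    if not ok:
        raise ValueError(reason)
    index[old_id].status = "superseded"
    index[new_doc.doc_id] = new_doc

def surfaced(index, include_superseded=False):
    return sorted(i for i, d in index.items() if include_superseded or d.status == "current")

def demo(today=date(2026, 4, 15)):
    docs = [Doc("eng-old", "engagement_file", date(2022, 1, 10)),  # constructed samples
            Doc("eng-recurated", "engagement_file", date(2022, 1, 10), recurated=True),
            Doc("memo-v1", "tax_memo", date(2025, 2, 1)),
            Doc("memo-hold", "tax_memo", date(2025, 3, 1), frozenset({"litigation_hold"}))]
    verdicts = {d.doc_id: eligible(d, today) for d in docs}
    index = {d.doc_id: d for d in docs if verdicts[d.doc_id][0]}
    supersede(index, "memo-v1", Doc("memo-v2", "tax_memo", date(2026, 4, 1)), today)
    return index, verdicts
```

The reason string returned with each rejection is what would be written to the decision log when the owner is asked to rule on an edge case.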
5. Worked example: marketing team
A different domain from the Grounding the Marketing Brain sketch. A 25-person B2B SaaS marketing team has stood up Agentic RAG over its content corpus to ground the AI assistant in brand voice.
Brand Voice Corpus — Governance Rubric
Document owner: Priya Adams (Senior Writer / Editorial Lead). Last reviewed: 2026-04-30.
What enters the index:
- Published blog posts, customer-success stories, and product-page copy from the last 18 months that the editorial lead has flagged as brand-canonical.
- Sales emails and renewal communications that the customer-success team has flagged as current voice.
- The brand voice guide, the messaging pillar document, and the do-not-use phrase list (always indexed as canonical).
What does not enter:
- Content older than 18 months without re-curation.
- The 2022 "casual fun" tone experiment.
- Founder communications, board updates, or other voices that aren't team-published copy.
- Internal Slack messages, draft posts, or never-shipped campaigns.
Authority for edge cases: Priya Adams. Decisions are recorded in voice-decisions.md. The CEO has surfacing rights — flagged content gets reviewed in the next weekly editorial sync.
Supersession: When the brand voice guide updates, the prior version is removed (not flagged-superseded) on publication of the new guide. For published content, the original publication stays in the index; rewrites are added separately.
Removal triggers: (1) content that no longer represents current voice, response within 5 business days of editorial review; (2) content tied to a former campaign or positioning being retired, response within 1 business day; (3) sensitivity flag from legal or compliance, response same-day.
Cadence: Rubric reviewed monthly during the editorial planning meeting. Re-audit triggered off-cycle by: rebrand, voice-guide update, or new product launch with distinct positioning.
Same structure as the accounting firm. Different domain. Different cadence (monthly, not quarterly — content moves faster in marketing). One page. One owner. Five fields.
The pattern travels.
6. Common mistakes
The five mistakes that show up across SMBs writing their first governance rubric:
Multi-page rubrics nobody reads. A rubric that grew from one page to twelve because every stakeholder added their concern. The rubric becomes a document the team has to be reminded exists. Fix: amputate ruthlessly. Push concerns into linked decision logs (governance-decisions.md), not into the rubric body.
Committee ownership. The rubric is "owned by the AI committee." When a question comes up, the committee meets in two weeks. By then the team has improvised an answer that nobody wrote down. Fix: single name on the document. The committee can advise; the owner decides.
Implicit supersession. "We just remember which version is current." This holds for two months and then a partner cites a memo from before the supersession and the firm's reputation takes the hit. Fix: explicit supersession mechanism, written into the rubric.
Calendar-only re-audits. The rubric gets reviewed on the third Tuesday of every quarter and otherwise nobody touches it. A regulatory update lands in March; the rubric isn't revisited until June. Fix: calendar cadence plus trigger criteria for off-cycle review.
Rubric living in the vendor's system. The governance lives inside the Agentic RAG vendor's admin panel. When the firm switches vendors, the rubric vanishes. Fix: the rubric is a Markdown file in the firm's repository, owned by the firm, copied (not referenced) into any vendor system that needs it.
7. How to start
For a team writing its first rubric:
- Open a single document — a Markdown file in the team's repository, a Notion page the team already uses, a Google Doc. Don't pick a tool the team doesn't already work in.
- Name the owner first. Single name on the document, before anything else gets written. Without this, the rubric will grow uncontrollably.
- Write the five fields in order — eligibility, authority, supersession, removal, cadence. Write the simplest version that answers the question. Resist adding qualifications.
- Run it past the team that uses the AI. If a team member can't apply the eligibility rule to a new document and reach the same answer the owner would, the rule needs sharpening.
- Set the first re-audit date before the rubric ships. Calendar entry, not a vague intention.
The first version of the rubric is always too short. Ship it anyway. The rubric grows by precedent, not by speculation — every edge case that requires the owner's judgment becomes a sentence in the next quarterly revision.
8. Why this is the artifact that travels
The infrastructure changes. The vendor gets acquired or replaced. The model gets upgraded. The retrieval pipeline gets rebuilt. The team turns over.
The rubric is the thing that survives all of it. A new vendor onboarding starts by reading the rubric and configuring the system to match. A new team member joining starts by reading the rubric and learning how the firm thinks. A regulator asking how the firm governs its AI gets a copy of the rubric.
The rubric is the firm's discipline, written down. Tools come and go. The discipline persists.
Wave 1 organizations chase tooling. Wave 2 organizations write the rubric.