AI Governance, Sized for a Normal Company

TL;DR: AI governance has a reputation problem: the phrase suggests committees, frameworks, and binders. In practice, for a company that isn’t a bank or a hospital, it’s five working artifacts and one named owner, an acceptable-use policy, data rules, a security-review checklist for new tools, a repeatable risk assessment for new use cases, and a maintained approved-tools list. This pillar gives you each one, plus a plain-language read of the EU AI Act for smaller companies. General guidance, not legal advice.


Why governance, and why now

Most companies discover they need AI governance the same way: something already happened. An employee pasted a client contract into a free chatbot. An AI notetaker joined a call nobody cleared it for. A sales rep sent AI-drafted claims that weren’t true. None of these require malice, they require only the absence of defaults.

Three forces make this worth an afternoon of your time now rather than after the incident:

  1. Usage precedes permission. Survey after survey finds a majority of knowledge workers already use AI tools at work, often without telling anyone. Whatever your official position, your real AI policy is currently whatever your least careful employee believes it is.
  2. The data path is invisible. When someone pastes text into a consumer AI tool, there’s no attachment log, no DLP alert, no forwarded email to find later. The exposure happens in a browser tab and leaves no trace on your side. Rules have to exist before the paste.
  3. Regulation arrived. The EU AI Act is in force and phasing in obligations; existing law (GDPR, sector rules, employment law) already applies to AI use. “We didn’t have a policy” has stopped being a neutral fact.

The goal is not zero risk, it’s known risk, with someone accountable for the trade-offs. Companies that govern well don’t use less AI than companies that don’t. They use more, because employees know what’s allowed and stop improvising in the dark.

The five artifacts

Governance at this scale is a small set of documents that people actually use. Each has a dedicated page in this pillar.

ArtifactWhat it answersStart here
Acceptable-use policyWhich tools, what data, when to disclose, who reviewsThe playbook, with a full template
Data-privacy rulesWhat must never be pasted, enterprise vs consumer terms, training on your dataAI and data privacy at work
Security-review checklistHow to vet an AI tool before anyone connects it to company dataThe AI security review
Use-case risk assessmentHow risky is this specific use, and what controls does it needThe AI risk assessment method
Approved-tools listThe living register of what’s cleared, for what data, on what tierBuilding an approved-tools list

Two more pages round out the pillar:

If you only read one thing today, read the acceptable-use policy playbook. It’s the keystone: every other artifact either feeds it (the approved-tools list is its Section 2) or extends it (the risk assessment handles the cases the policy can’t pre-decide).

The operating model: one owner, two speeds

Skip the committee. Name one owner, usually whoever runs IT, security, or ops, with the authority to approve tools, grant exceptions, and update the documents. Legal and leadership get pulled in for specific calls, not standing meetings.

Then run two speeds:

  • Fast path (days): an employee wants a new tool or a new use of an approved tool. The owner runs the security review and a quick risk score, updates the approved-tools list, done. If this path is slow, people stop asking, and you’re back to shadow use.
  • Slow path (twice a year): review the policy, re-check vendor terms (they change), retire unused tools, and check regulatory movement, the EU AI Act’s obligations phase in over several years, so a standing six-month review catches each wave.

A useful mental model from the glossary: governance is the organizational layer of guardrails, the technical term for constraints that keep an AI system inside intended behavior. Same idea, different altitude. (For the vocabulary of the field generally, see the AI governance glossary entry.)

What governance is not

Worth stating, because scope creep kills these programs:

  • Not a ban. Bans move usage to personal phones and remove your visibility while keeping your risk. Every page in this pillar assumes the “channel, don’t ban” posture argued in the acceptable-use playbook.
  • Not model auditing. You are (almost certainly) a user of AI systems, not a builder of foundation models. Your job is vetting vendors and governing use, not auditing training data. The EU AI Act page explains why that distinction, provider vs deployer, decides most of your legal exposure.
  • Not a one-time project. Tools, vendor terms, and law all move. Governance that isn’t reviewed on a calendar is documentation, and stale documentation is worse than none because people assume it still applies.
  • Not legal advice. These pages describe mechanisms and give working defaults. For anything with real compliance stakes, regulated data, EU-facing AI systems, decisions about people, have a qualified professional check the specifics. Teams already using AI in legal workflows should also see the legal guides.

Where to go next

Rough triage by situation:

  1. No policy at all yetacceptable-use policy playbook, then data privacy.
  2. Policy exists, tools are ad hocapproved-tools list and the security review.
  3. AI touching customers or HR decisionsrisk assessment and responsible AI.
  4. Selling into or operating in the EUEU AI Act for SMBs.

FAQ

What is AI governance?

The rules, reviews, and responsibilities that determine how a company adopts and uses AI: approved tools, data boundaries, output review, risk assessment, and regulatory compliance. At SMB scale it’s a handful of short living documents owned by one named person, not a framework, not a committee.

Does a small company really need AI governance?

A small version, yes. If employees touch AI tools at all, the risks governance addresses already exist: sensitive data entering consumer tools, unvetted vendors connected to company systems, unreviewed AI output reaching customers. The five artifacts in this pillar cover the bulk of it for roughly an afternoon of work each.

Where should we start with AI governance?

The acceptable-use policy, because it answers the questions employees actually ask: which tools, what data, what needs human review, when to disclose. Then the approved-tools list and security review, which make the policy’s “approved tools” section real. Risk assessment and EU AI Act mapping come next, once AI use touches customers or decisions about people.

Who should own AI governance in a small or mid-sized company?

One named person with authority to approve tools and grant exceptions, typically the head of IT, security, or operations. Escalate specific calls to legal or leadership as needed. Committees add latency that pushes employees back into shadow use.

No. This pillar is general guidance for building sensible defaults. Regulations have jurisdiction-specific, changing specifics, deadlines, thresholds, penalty structures, that you should verify with a qualified professional before relying on them, especially for regulated data or EU-facing AI systems.


Not sure where your company stands on governance, or anything else? Take the free AI-Readiness Assessment: 10 minutes, scored across strategy, data, people, and governance, with your highest-leverage next step.

Governance guides