AI governance is knowing what AI you use, agreeing the rules for using it, and being able to show your working when a customer, investor or regulator asks. For a UK SME that is the whole job. You do not need a policy suite the length of a phone book, and you do not need to hire a risk function to get there.
Most growing businesses are already using AI. The staff got there first, usually through free tools, well ahead of any rules. The adoption has happened. What you control is whether it sits inside a boundary you have set, with rules and a record behind it, or in personal accounts where you have no view of it at all.
What UK law actually requires
There is no single UK AI statute, and there may not be one for a while. Instead, regulators apply the law that already exists. The Information Commissioner’s Office treats AI use as a data protection matter, so UK GDPR obligations apply the moment you put personal data anywhere near a model. Employment law, equality law and consumer law all still bite when AI is involved.
If you have customers or users in the EU, the EU AI Act reaches you too, and its obligations scale with risk. Most SMEs using everyday tools sit in the lower tiers, but you still need to know which tier you are in.
The practical read: you are already regulated, through law you already have to follow. AI does not create a clean slate, it adds a new surface to rules that were already there.
What governance means at your scale
Three things, and only three, to start.
Know what you use. A simple register of where AI touches the business, what data it sees, and who owns each use. You cannot govern what you have not written down.
Agree the rules. One acceptable use policy that tells people what is fine, what is not, and who decides on the grey areas. Clear rules speed teams up, because nobody is guessing.
Show your working. Be able to answer, in a sentence or two, how you manage AI when the question lands in a procurement questionnaire or a due diligence pack. That question is turning up more often, and silence reads badly.
Five steps to a baseline
- List your AI use. Ask each team what they actually use, not what is sanctioned. You will be surprised.
- Write one acceptable use policy. Short, readable, and specific about data. A page or two beats a document nobody reads.
- Set a light approval route. A named person, a quick risk check, and a way to say yes fast to sensible requests.
- Check your suppliers. Ask vendors how their AI handles your data before you let it near your customers.
- Brief the board. A short, honest update so the people accountable actually know what is happening.
None of this needs a big project. A few weeks of part-time effort gets a growing business to a position it can defend.
What the first month looks like
You do not need to clear the diary. A workable first month runs in the background of the day job.
Week one is discovery. You ask every team what they actually use, not what is approved, and you write it down. Expect a longer list than you thought, and a few surprises in it.
Week two is the policy. One acceptable use document, short and specific about data, drafted from a template and adapted to how your business really works. You circulate it, take the sensible objections, and settle it.
Week three is the plumbing. A named owner for AI decisions, a light approval route for new tools, and a quick way to check the riskier uses. Nothing heavy, just enough that requests get a fast, consistent answer.
Week four is the board. A short, honest briefing so the people accountable know what is in use, what the rules are, and where the exposure sits. That briefing is often the moment governance stops being an abstract worry and becomes a managed one.
By the end of it you have a register, a policy, an owner, and a board that has seen the position. That is a defensible baseline, and it took part-time effort rather than a project.
The mistakes that cost
Banning AI outright. It does not stop the use, it just pushes it into personal accounts where you have no visibility at all.
Writing a policy and stopping there. A policy with no register and no owner is a document, not a control.
Waiting for the law to settle. The controls that protect you are the same regardless of how UK regulation lands, and retrofitting them under pressure costs far more than doing it now.
Treating it as an IT job. Governance is a leadership decision about acceptable risk. IT can implement it, but the board owns it.
Where do-it-yourself stops
A sensible baseline is well within reach on your own, and our free AI Governance Starter Kit gives you the guide and templates to do exactly that. Some situations need more depth than any template can carry. Using AI to make decisions about individuals, in hiring, credit or pricing. Building AI into a product you sell. A regulated sector. An assurance questionnaire you cannot yet answer. There, the cost of getting it wrong outweighs the cost of getting help.
That is where our AI governance advisory comes in, from a one-day gap assessment through to a full framework with the enablement to run it. Most businesses will not need that on day one. It helps to know the line is there.
Frequently asked questions
Do small businesses really need AI governance? Yes, if your staff use AI, which they almost certainly do. The obligations around data, accuracy and fairness apply regardless of size.
Is AI governance a legal requirement in the UK? There is no single AI law, but existing law, data protection in particular, already applies to AI use, and regulators expect you to manage it.
How long does it take to get a baseline in place? A few weeks of part-time effort using a structured guide and templates, without stopping the business.
Does this make us EU AI Act compliant? It gives you a general-purpose baseline, not a compliance certificate. If you have EU users or higher-risk uses, get specialist input on classification.
Who should own AI governance internally? The board or leadership team owns the decision on acceptable risk. A named person, often in IT or operations, implements and maintains it. Governance tends to drift when it is handed off as a purely technical task with nobody senior accountable.
Want a practical starting point? Download the free AI Governance Starter Kit, a plain-English guide plus five working templates. If you are past the baseline and need a hand, book a scoping call.