AI governance for SMBs: what to actually write down
Forget the 80-page corporate policy. The 6 things a 10-200 person team needs to write down to govern AI responsibly — and the ones that are theatre.
- Most SMBs need a 2-page AI policy, not an 80-page corporate AI governance framework.
- Six things to actually write down: acceptable use, data handling, vendor approval, human-in-the-loop boundaries, incident reporting, review cadence.
- What is theatre: AI ethics committees, public AI principles you don't enforce internally, mandatory training that's just a slideshow.
- The real governance is operational: who reviews AI outputs, who approves new tools, what gets logged.
Enterprise AI governance is a $50,000 consulting engagement with policy documents you do not read. For most SMBs, the right answer is a 2-page document plus three operational habits. Below is what to actually write down.
The six things on the page
1. Acceptable use
Which AI tools the team is allowed to use for work. Examples:
- "Claude.ai, ChatGPT (paid plans), GitHub Copilot for code, Gemini for research."
- "Personal/free accounts are not permitted for work tasks because we cannot guarantee data handling."
- "Any other AI tool requires written approval from [owner]."
Specific named tools. Not philosophy.
2. Data handling
What data can and cannot go into AI tools:
- Yes: public marketing copy, generic code, summarising your own meeting notes.
- No: customer personal data (PII), financial records, API keys, source code with secrets, employee records, anything under NDA from another company.
- Conditional: internal company data — only via tools with confirmed enterprise data policies (e.g. ChatGPT Enterprise, Claude Team).
3. Vendor approval
Process to introduce a new AI tool:
- Request to [owner].
- Vendor evaluation against the security + data-handling checklist (10-minute review for most).
- Approval or rejection. If approved, added to the acceptable-use list.
Resist shadow AI tools — they create unknown data exposure. Make approval fast so people use the process.
4. Human-in-the-loop boundaries
Where AI output requires human review before action:
- Anything customer-facing.
- Anything financial above a threshold.
- Anything legal.
- Anything involving employee records.
- Anything with regulatory implication.
See human-in-the-loop AI.
5. Incident reporting
What to do if something goes wrong:
- Notify [owner] within 24 hours.
- Capture: what happened, what data was involved, what mitigation has been done.
- Postmortem if customer-visible. See AI failure postmortem.
6. Review cadence
Every 6 months, the owner reviews:
- Updated tool list.
- Incidents since last review + lessons learned.
- Regulatory changes.
- What in this policy is not working.
What is theatre
AI ethics committees with no enforcement
If the committee meets quarterly and produces principles that nobody operationally enforces, it is decoration. Either give the committee real authority (block tool adoptions, require changes) or skip it.
Public AI principles without internal teeth
"We use AI responsibly" on the website with no internal policy to back it up is hollow. Either you have the policy + the enforcement, or you should not make the claim.
Mandatory training that's just a slideshow
30-minute compliance training that everyone clicks through does not change behaviour. Better: ship the policy. Discuss it in one team meeting. Make the operational habits visible.
Massive policy documents
If your AI policy is 80 pages, nobody on the team has read it. A 2-page policy, read at onboarding and refreshed every 6 months, is vastly more effective.
The three operational habits
Habit 1: weekly tool-usage review
The owner spends 30 minutes a week looking at which tools are being used, by whom, and with what data, and flags exceptions against the acceptable-use and data-handling rules.
Habit 2: incident postmortems
Every AI incident gets a postmortem, no matter how small. It builds the team's instinct for risk.
Habit 3: vendor sunset review
Every 6 months, look at the approved tool list. Sunset tools nobody uses. Review tools whose vendor terms have changed.
The compliance overlay (by jurisdiction)
SMBs in different regions have specific compliance requirements to bake into the policy:
- India (DPDPA): data residency in India by default; explicit consent for AI use of personal data; grievance redressal.
- EU (GDPR + AI Act): data minimisation; lawful basis for processing; high-risk AI use cases (HR, credit, education) have specific obligations.
- US (state-by-state): California (CCPA + automated decision-making rules); New York (NYC Local Law 144 for HR); Illinois (AI Video Interview Act). Plus sector-specific (HIPAA, GLBA, FERPA).
- UK (UK GDPR + DPA): similar to EU. AI-specific rules still evolving.
- UAE (PDPL): data residency; consent; sector-specific in financial services.
For most SMBs, "we follow the laws of the jurisdictions where we operate, and our acceptable-use policy bakes in the high points" is the right level. Hire a lawyer for the specifics if you handle regulated data.
The "what to write" template
Two pages. Plain English. Sections matching the six topics above. A one-page summary on the wall (or in the team handbook).
Examples to include:
- "Yes, you can use Claude to draft a customer email — review before sending."
- "No, do not paste a customer's tax ID into ChatGPT."
- "For a new AI tool, message [owner]. We will approve in 24 hours or explain why not."
Specific examples beat abstract principles every time.
What this means for you
- SMB AI governance is 2 pages + 3 habits, not 80 pages + a committee.
- Six topics: acceptable use, data handling, vendor approval, HITL boundaries, incident reporting, review cadence.
- Skip the ethics theatre. Govern operationally.
- Compliance overlay matches your jurisdiction. Get a lawyer for regulated data.
- Review every 6 months. The policy + the team's habits drift faster than you think.
- Read our AI readiness checklist and production AI properties.
Need help drafting an SMB AI policy? Book a 30-minute call. We will share our template.