The SME Guide to AI Governance: Building Responsible and Compliant Systems

AI is no longer an experiment for small and mid-sized businesses — it sits inside your sales pipeline, your hiring funnel, your customer support, and your finance stack. That makes AI governance a board-level question, not a future one. This guide sets out a practical AI governance framework for SMEs: what to put in place, in what order, and how to keep it proportionate.

Why AI governance matters for SMEs

Most discussion of AI ethics and governance is written for enterprises with dedicated risk teams. SMEs face the same regulatory exposure — the EU AI Act, the UK's pro-innovation framework, GDPR, sector-specific rules — but without the headcount. The result is a governance gap: tools are adopted faster than controls are written, and accountability sits nowhere.

Responsible AI is the bridge. It treats governance as a small set of clear decisions rather than a thousand-page policy: who owns AI risk, which systems are in scope, what evidence you keep, and how you respond when something goes wrong.

The five pillars of an SME AI governance framework

  1. Inventory. A live register of every AI system in use — built, bought, or embedded inside another vendor's product. Capture purpose, data inputs, decision impact, and owner.
  2. Risk tiering. Classify each system by impact on people: minimal, limited, high, or prohibited. Tiering tells you how much process each system deserves and aligns naturally with the EU AI Act categories.
  3. Accountability. Name a single AI owner (often the founder or COO at SME scale) and a reviewer for high-impact systems. Governance fails when ownership is shared.
  4. Controls. Lightweight but real: data-protection impact assessments where personal data is involved, human-in-the-loop checkpoints for high-impact decisions, vendor due diligence, and logging.
  5. Review. A quarterly review cycle that re-scores the inventory, captures incidents, and updates policy. Governance that isn't revisited becomes shelfware within a year.

A 90-day implementation plan

Days 1–30 — Map. Build the inventory. Interview each team lead. Capture shadow AI use (personal ChatGPT accounts, Copilot inside Office, AI features inside SaaS tools). Publish an interim acceptable-use note so the business keeps moving.

Days 31–60 — Tier and own. Score every system against your risk tiers. Assign owners. Run DPIAs for anything touching personal data. Decide which high-tier systems need human review before launch.

Days 61–90 — Operationalise. Ship the controls: vendor questionnaire, model-change log, incident-response playbook, and a one-page AI policy that staff actually read. Book the first quarterly review.

Regulatory anchors to design around

  • EU AI Act — risk-based obligations, with the strictest rules on high-risk and prohibited systems. Extraterritorial reach where outputs are used in the EU.
  • UK AI regulation — sector-led, principles-based, with regulators (ICO, FCA, CMA, MHRA) issuing their own guidance. Expect convergence with EU expectations on transparency and human oversight.
  • GDPR / UK GDPR — lawful basis, automated decision-making (Art. 22), DPIAs, and data-subject rights still govern most SME AI use.
  • Sector rules — financial services, health, employment, and education layer in their own duties; map these against your inventory.

Common pitfalls we see

  • Treating governance as a policy document instead of an operating routine.
  • Ignoring vendor-embedded AI — the features inside your CRM, ATS, or analytics tools are often the highest exposure.
  • Over-engineering for low-risk systems and under-engineering for the one tool that touches customers.
  • No incident path: when a model gets something wrong, no one knows who is on the hook or how to communicate.

What good looks like at SME scale

A lean, defensible AI governance posture for a 20–250 person business usually fits on six pages: an inventory, a risk-tier matrix, an acceptable-use policy, a vendor questionnaire, an incident playbook, and a review calendar. That is enough to satisfy most enterprise customers' due-diligence questions and to evidence good faith to a regulator.