AboutBlogBusiness First AIFounder FreedomBook a conversation

AI Governance

Most AI governance content is written for FTSE 250 risk committees. Owner-led businesses don't have one of those. They have one person making most of the calls, and a team waiting to know what's allowed.

This section is governance you can actually run. Light-touch policies that fit a small team. Accountability without a head of compliance. Decisions about what staff can use, what data goes in, what gets logged, and who answers when something goes wrong. Built for businesses where the owner is also the risk owner, the data controller, and the final call on the AI bill.

Two people at a desk reading a short printed document together, one pointing at the page

Write an AI acceptable-use policy your team will actually follow

A sixty-page enterprise template sits unread. Here is how to write an AI acceptable-use policy that is short, default-allow, and genuinely followed.

Two colleagues at a meeting table reviewing a printed contract, one pointing to a section on the page

Who owns the AI in your agency, and what do you tell the client?

Two questions decide whether agency AI is an asset or a liability, and neither is technical.

Business owner in conversation at a boardroom table with colleagues, natural light from windows

What your board actually wants when it asks about AI

When your board raises AI, the question underneath is almost always about risk, accountability, and competitive standing. Here is how to read what they are actually asking.

Two people in conversation across a meeting table with papers and a laptop visible

What your board expects on AI before a sale

What an investor-backed board actually wants to see on AI before a sale, and how to brief the mandate to produce it.

Founder reviewing papers and a laptop in a quiet office meeting room

How to talk to investors about AI without writing a cheque you cannot cash

The room rewards AI confidence, but the regulator now scrutinises it. Here is how to make your investor update credible without overclaiming what your AI actually does.

Two colleagues reviewing printed documents at a meeting room desk

AI in recruitment: the governance gate for a screening model

Every candidate an AI screening tool touches is a data subject with specific legal rights, and every automated screen is a decision UK data-protection law treats as significant.

A professional reviewing a printed document at a desk with a pen, laptop open nearby

The professional indemnity line AI cannot cross

In law, accountancy, and regulated advisory, both the regulator and your PI insurer draw the same line on AI: a qualified human must own every client-facing output.

Person reviewing a spreadsheet on a laptop at a well-lit desk with a notepad beside them

The one-page AI risk register a 90-person business can keep

A practical guide to building the one-page AI risk register that every owner-managed business using AI tools should maintain.

Two people reviewing a laptop screen together in a bright open-plan office

Governing consumer AI tools in a DTC growth team

When your DTC growth team is generating ad copy and handling customer queries with consumer AI tools, the GDPR and marketing-claims risks are real but manageable with the right governance layer.

A senior professional reviewing a document at a desk with a laptop open nearby

Do you need a DPIA for that AI tool?

Whether your next AI deployment needs a data protection impact assessment depends on three specific triggers, and you can check them yourself.

Two people reviewing project plans at a table in a construction site office

Construction AI governance: safety, liability and IP

Construction AI governance sits at the intersection of physical safety obligations, multi-party contract liability, and IP ownership of AI-generated designs.

A professional reviewing documents at a desk in a clinical office with natural light

The clinical AI governance a delegate must get right before go-live

The four governance gates every clinical AI delegate must clear before any AI system touches patient data or informs a clinical decision.

Person reviewing a spreadsheet at a desk with a pen in hand

Build your AI register in an afternoon

A single spreadsheet, built in an afternoon, that answers every question a board, a regulator, or an acquirer will ask about your AI use.

Senior professional reviewing documents at a desk in a daylit office

AI washing: the claim that draws the regulator

The SEC has already acted against firms that overstated their AI capabilities. Here is where the line sits for financial services delegates.

Founder reviewing presentation documents at a conference table with other people visible in background

The AI strategy your board asked for, and the operating model your business needs

Your board has asked for an AI strategy. Here is why giving them exactly what they asked for might leave the real work completely undone.

a founder reviewing documents at a desk with a team member working on a laptop in the background

The delegation paradox: how AI built to sound like you can deepen founder dependency

When you delegate AI to reduce how much the business needs you, the natural result can be AI that deepens it. Here is what changes at the moment you set the mandate.

A professional reviewing a document at a desk with papers and a laptop in a daylit office.

How to write an AI governance framework your business will actually use

Why enterprise AI governance templates fail in owner-managed businesses, and what a right-sized framework actually looks like.

A professional reading a document at a desk with a laptop open alongside them

Govern the AI your team already uses

Shadow AI doesn't stop when you discover it, so here's how to govern the tools your team is already using without driving that use underground.

Person at a laptop in an open office, colleagues working in the background

Find the shadow AI already running in your business

Over 90% of employees already use personal AI tools for work without approval. Here is how to surface your real AI footprint before you build on top of it blind.

A person sitting at a desk under a lamp in the evening, reading a printed document with a thoughtful expression

Director liability and AI washing: the board-risk side of your mandate

When a board paper or an investor update claims AI is delivering, someone has to be able to prove it. Here is the personal-exposure side of carrying the AI mandate, and the small discipline that protects you.

A person sitting at a desk reviewing printed documents with a pen in hand

A simple AI risk register template for owner-operators

A practical twelve-field AI risk register template for owner-managed businesses, with the right build sequence, when to trigger a DPIA, and where it fits your broader governance picture.

A business owner reviewing data on a laptop at a desk in a small office

Choosing AI bias audit tools: a practical governance guide

A practical decision guide for owner-managed businesses: when to use DIY bias testing tools, when to commission an external auditor, and what the wrong call costs.

Two professionals reviewing a printed compliance checklist at an office desk

How to automate risk assessment in your firm without losing human oversight

A practical guide for UK services firms on which parts of risk assessment AI can handle safely, and where human judgement must stay in the loop.

A healthcare professional reviewing printed notes at a desk with a laptop open beside them

AI acceptable use rules for clinics and healthcare teams

The practical guide to AI acceptable use rules for UK clinics and healthcare teams, covering patient data, clinical decisions, and the regulatory obligations that apply.

Two people reviewing a printed document together at an office desk with natural light

What's the difference between an AI policy and an AI procedure?

Owner-managed businesses need both an AI policy and AI procedures, and confusing the two is why governance documents often don't hold up when it matters.

A founder at a desk with a printed contract in one hand and a pen in the other, a laptop open beside them

Copyright risk when AI is trained on protected material

AI copyright risk works on two levels: the training data and the output. Here is what those levels mean for a UK owner-managed business, and which one you should actually be watching.

A person reviewing printed documents at a desk in a daylit office

What training data lawsuits mean for AI governance

The lawsuits challenging how AI firms trained their models are drawing a regulatory line that reaches owner-managed businesses. Here is what UK owners need to know.

Person at a desk reviewing a printed contract document with a pen in hand

What the Lords' licensing-first stance means for UK AI training

The Lords want AI developers to clear rights before training on content, and that shift has real consequences for owner-managed businesses buying AI tools.

A business owner sitting at a desk, reviewing printed documents with a laptop open beside them

What UK AI regulation means for smaller businesses

No single UK AI Act exists yet, but three regulatory layers already apply to owner-managed businesses. Here's what actually matters and what to do first.

A business owner reviewing risk and compliance data on a laptop at a tidy office desk

Using AI agents to support risk review and controls

AI agents can run routine risk checks and control tests continuously, giving owner-managed businesses evidence on demand rather than a once-a-year snapshot.

a person sitting at a desk reviewing documents on a laptop with natural light from a window to the side

The core requirements businesses should set for AI use

Before your team goes further with AI tools, five requirements will protect your data, your clients, and your business from the risks most governance guides never explain at the right scale.

Two people reviewing documents at a conference table in a bright office

How UK government AI copyright policy affects SMEs

After 11,000 consultation responses, the UK government's March 2026 AI copyright report kept the law unchanged, and that matters for every owner-managed business using AI tools.

A business owner reviewing documents at a desk with a laptop open beside them

Copyright claims over AI training data: what the lawsuits mean for your business

The legal battles over AI training data are live in UK and US courts. This plain-English guide explains exactly where the risk lands for an owner-managed business.

Two people at a desk reviewing data on a laptop screen together

What fairness auditing checks in an AI system

Fairness auditing checks whether your AI system treats different groups of people consistently, and UK law already has expectations about when you need to show it does.

A business professional sitting at a desk reviewing documents on a laptop, with client folders stacked to one side

How to stop staff using ChatGPT with client and confidential data

Your team's ChatGPT habit is likely moving client data outside your legal control, and this post covers the UK GDPR obligations, practical policy, and safer alternatives to get ahead of it.

A business owner looking at documents on a meeting room table with a laptop open beside them

Does your business actually need formal AI governance?

A decision guide for owner-managed businesses on when formal AI governance is genuinely required and when lighter controls are adequate.

Person reviewing a printed document at a wooden desk with a pen, natural light from a window

UK AI copyright rules explained for business owners

What UK copyright law actually says about AI tools and outputs, and where owner-managed businesses carry the real risk.

Two people reviewing printed documents at an office desk with a laptop in the background

Does your small business need data classification rules?

A decision guide for UK founders: when you need a data classification scheme, when you can wait, and what it costs to get the call wrong.

Business owner reviewing documents at a desk with a laptop open beside them

Does professional indemnity cover mistakes involving AI outputs?

Most PI policies have no AI exclusion yet. Whether a claim holds depends on your conduct, not the tool you used. Here is when you are covered, when you are not, and what to confirm with your broker.

Business owner reviewing a document at a desk with natural light from a window

Picking a lightweight AI governance framework for your business

A practical decision guide on when lightweight AI governance is genuinely enough for your business, and when it isn't.

Person at a desk reviewing documents alongside a laptop screen

AI cybersecurity certifications: do they matter for your team?

Here is how owner-managed businesses can decide whether an AI cybersecurity certification is worth the investment, or whether Cyber Essentials and basic security hygiene should come first.

A business owner reviewing contract documents at a desk with a laptop open beside them

What AI compliance certification means for Indian suppliers and UK buyers

Indian AI compliance certifications signal staff competency, but they carry no legal weight with the ICO, FCA, or EU AI Act authorities, and UK buyers need to know exactly what they are weighing before they rely on them.

A business owner at a desk annotating a printed checklist beside an open laptop

Using AI to support compliance work safely

A practical guide for owner-managed UK services firms on using AI in compliance tasks safely, within ICO, FCA, and NCSC frameworks, while keeping accountability exactly where it belongs.

A woman in her forties sitting at a kitchen table reading printed notes next to an open laptop, mug of tea beside her

UK AI law basics relevant to small businesses

What the UK actually requires of small firms using AI in 2026, in plain English, with the four things to sort out this month.

A solicitor at a desk in a small law-firm office talking with a colleague, laptop and paper file on the desk, daylight through a window.

SRA AI guidance: what a UK law firm actually has to do

A plain-English read of what the SRA expects when a UK law firm uses AI, with the named precedents and the practical steps for a small practice.

A person working through a spreadsheet on a laptop at a tidy desk, coffee cup to one side

An AI risk register example for a small business

A practical guide to building a simple AI risk register for a UK small business, with key fields, a worked row example, and free templates to start from.

Business owner at a desk reviewing a document, with a colleague working at a laptop in the background

How to write a simple employee AI policy for a small business

A practical guide to writing a clear, enforceable AI acceptable-use policy for a UK owner-managed business with up to 50 staff.

Two people reviewing a printed candidate shortlist at an office desk

Using AI in recruitment without tripping over ICO rules

The ICO has made AI in recruitment a priority enforcement area. Here is what UK owner-operators need to know before using AI to screen or rank candidates.

Two people looking at a laptop screen together at a modern office desk

Security controls for AI systems: a UK SME guide

A plain-English guide to the security controls every UK SME should have in place before expanding AI use across the business.

Person at a desk carefully reading through insurance policy documents

How to compare AI insurance policies without comparing noise

UK SMEs renewing cover this year face AI-specific exclusions they may not see. Here is how to cut through the noise and compare what actually matters.

person at a desk reviewing a laptop screen with a thoughtful expression, natural light

How businesses can assess Meta's AI training data opt-out

Meta is training AI on public UK social media content without seeking consent. Here is what a UK services firm needs to assess, object to, and document.

A person reviewing a printed document at a well-lit desk with papers spread around them

Designing AI systems with risk assessment built in from day one

A practical guide to building AI risk assessment into your systems from the outset, covering the UK regulatory baseline, the three risks that matter most, and a five-step playbook for owner-managed services firms.

A person at a desk reviewing spreadsheet data on a laptop with a notepad open beside them

A practical bias audit process for small businesses

How to check whether your AI tools are producing fair outcomes, without needing a compliance team or specialist consultants.

A person reading printed documents at a desk with a laptop open beside them

A checklist for checking AI insurance policy wording

How to check whether your cyber and professional indemnity policy wording actually covers the AI tools your firm uses.

A person seated at a desk reviewing printed documents with a laptop open beside them

How AI governance differs from data governance in practice

Data governance and AI governance sound alike but they cover different problems, and knowing which one applies to your firm right now could save you from a real compliance gap.

Two people reviewing paperwork across a desk in a well-lit office

Which insurance covers common AI business risks?

AI doesn't create a new insurance category. It lands in the policies you already hold. Here's how to work out which ones actually cover you.

A person reviewing printed documents at a desk with a laptop open beside them

When AI-generated content needs disclosure to clients

UK law has no universal AI label rule, but ICO, CMA, and ASA expectations create specific disclosure obligations for certain outputs. Here is how to decide.

Two colleagues reviewing a document together at an office meeting table

Training staff to use AI safely and compliantly

A practical, regulator-aligned guide to training staff on AI compliance for UK owner-managed services firms.

Business owner reviewing printed documents at a desk, a colleague working nearby on a laptop

Is AI governance worth it for a small firm?

A decision guide for UK SME owners on when formal AI governance pays, when lighter oversight is proportionate, and what to ask before you commit.

Person reviewing a printed document at a desk with a laptop open beside them in a small office

Simple data classes for safe use of AI tools

Classify your data before letting staff use AI tools, and you give them a clear rule for a decision they face dozens of times a week, without needing to escalate every time.

Two colleagues reviewing a document on a laptop at a small office desk

How to write a simple AI policy for your business

Writing a simple AI policy for your business is a half-day task that sets a clear floor under how your team uses AI tools.

A person sitting at a desk reviewing documents on a laptop in a quiet office with natural light

How ICO guidance may apply to agentic AI systems

The ICO has published its first thinking on agentic AI. UK GDPR already applies in full, with no exemption for small firms. Here is what that means for an owner-managed business.

A professional reviewing documents at a desk with a laptop open in front of them

What to do when an AI system goes wrong in production

A practical incident response guide for UK services firms: what to do first, who to tell, and how to stop the same failure from happening again.

Business owner reviewing a document on a laptop screen at a well-lit office desk

Preventing client data from reaching public AI tools

A practical guide for owner-managed UK services firms on stopping client data from entering public AI tools, with the controls that actually work.

Two professionals reviewing documents at an office desk

AI governance and compliance for businesses operating in India

India has no single AI Act, and the real compliance exposure for UK businesses sits in the DPDP Act, sector regulation from RBI and SEBI, and government guidelines that arrived in late 2025.

Person at a desk reviewing documents next to an open laptop in a light office

Singapore AI governance basics for SMEs operating or selling there

Singapore governs AI through frameworks and sector rules rather than a single statute. Here is what UK SMEs actually need to understand before selling there.

A person reviewing software security settings on a laptop in a bright modern office

How to secure AI agents before they touch your business data

Here is the five-step security checklist UK small firms should run before any AI agent touches live business data, grounded in NCSC and government guidance.

A business owner and broker sitting across a desk reviewing a printed insurance policy document together

How to review an AI insurance policy for SME risks

The cyber and professional indemnity policies in many SME files predate AI as a normal business tool, and the cover gaps rarely become clear until a claim arises.

A person reviewing documents at a desk with a laptop open beside them

Cyber security priorities for AI-first service businesses

If your service business is running AI across its workflows, the cyber risk profile has already changed in ways most firms haven't mapped yet.

A person reviewing a printed document at a desk in a small well-lit office

Does your small firm need a named AI owner?

The practical decision guide for UK small business owners: when to appoint a named AI owner, when the founder can cover it alone, and four questions that sort your answer.

A business owner at a desk reviewing a document on a laptop with a notepad beside them

Recordkeeping for AI decisions, prompts and approvals

What UK regulators expect from owner-managed firms using AI to assist decisions, and how to build a log that stands up to scrutiny.

Two people reviewing a shared spreadsheet together at a desk in a small office

Build a practical AI risk register for small businesses

A step-by-step guide to creating an AI risk register that fits a 5 to 50 person UK services firm, covering what to include, how to build it in five steps, and when a simpler approach is enough.

Two professionals reviewing documents across a desk in a small office

Right-sizing AI governance for a 20-person firm

The practical guide to AI governance for a 20-person firm: when lightweight controls are enough and when you need something more formal.

A woman at her office desk marking up a printed policy document with a pen, laptop open beside her, mug of tea nearby.

Your AI policy a year on: what survived, what got rewritten

A year on from version one, here is what held up, what needed rewriting, and what nobody actually used.

An owner at her desk with two printed documents in front of her, a tools register and a policy, a pen resting on the page and a mug of tea nearby

The audit trail an SME actually needs, and the one it does not

Enterprise content tells SMEs to log every AI prompt and response. The proportionate audit trail for a 12-person firm is two pages of standing documentation plus a short per-incident note.

A founder and an operations lead at a meeting table with a printed two-page draft between them, two coffee mugs and a notebook, mid-conversation

Your minimum viable AI policy as a small business

Many published AI policy templates are sized for HR and legal teams. The version that fits a 5 to 50 person firm is two pages, plain language, five sections, drafted in ninety minutes. Shorter than expected, longer than the typical SME currently has written down.

A woman at her office desk in late afternoon writing in a notebook with four hand-drawn columns labelled UK, EU, US, Canada, a closed laptop and a half-drunk mug of tea to one side

Serving customers across borders, the multi-jurisdiction AI compliance picture for SMEs

Owners running across UK, EU, US and Canadian customers are managing four overlapping AI rulebooks at once, often without realising it. Here is the proportionate response, with the cases where it does not work.

An owner sitting at her office desk in late afternoon reviewing a printed Canadian privacy and AI summary, pen and notebook in hand, with a closed laptop and a mug of tea in front of her and a wall map of Canada with Quebec and Ontario circled behind

AI governance in Canada, AIDA and what is happening at provincial level

Canada's federal AI bill died in January 2025, but Quebec's Law 25 already applies extraterritorially, Ontario's framework is moving, and PIPEDA still sits underneath it all. Here is what a non-Canadian SME with Canadian customers actually has to do.

A woman at a home study desk in the evening with a printed US map beside her, several states circled in pencil, a notebook and a laptop in front of her

US AI rules for SMEs: the patchwork of federal action and state laws

The US has no comprehensive federal AI law. For a non-US SME with American customers, the live rules are a state-by-state patchwork built around where your customers actually live.

A woman at her kitchen table reading a printed regulatory document with a coffee in her hand, a marked-up notepad to one side and a closed laptop to the other

UK AI regulation right now: the pro-innovation pivot and what it means for owners

The UK deliberately did not write a single AI Act. For UK SMEs, the live rules come from existing regulators applying existing remits. Here is the practical picture for an owner.

An owner sitting at her office desk in late afternoon reading a printed EU AI Act summary, pen in hand, with a checklist, a closed laptop and a mug of tea in front of her and a wall calendar visible behind

The EU AI Act, what UK and EU SMEs actually need to do

The headline summaries of the EU AI Act are louder than the actual obligations on a typical SME. Here is the precise version, with the deadlines that matter and the five questions to answer about your own use case.

A services-firm owner and her insurance broker reviewing a printed policy and a notepad of questions at a desk over tea

Insurance, liability and your real AI exposure

Many SME insurance policies were written before AI was normal in small business use. Cover for AI-related incidents is patchy, often unclear, and frequently surprises owners. The conversation with the broker is overdue and short, once you know what to ask.

An owner sitting at her kitchen table in the morning holding her phone showing a chatbot conversation, a laptop and printed customer email beside her, a notepad and mug of coffee on the table

Customer-facing AI failures and where the accountability lands

When a support chatbot quotes a refund policy that does not exist, the question of who is accountable answers itself. It is the business that put the AI in front of the customer.

A business owner and a colleague checking a printed AI-generated report at a boardroom table.

Hallucinations as a business risk, not a curiosity

AI hallucinations aren't a comedy story when they reach your clients, your board pack, or your legal correspondence. They are a measurable business risk class with proportionate mitigations.

A services-firm owner and a client talking across a small table with coffee, an engagement letter and a proposal between them

Disclosing AI use to customers, when and how to say it out loud

Disclosing AI use to clients sits in an awkward middle space. Not always required, increasingly expected, sometimes contractually mandated. Many owners get it wrong in one of two directions.

An owner at her kitchen table on a Saturday morning reading a news article on a tablet with a printed contract and a notepad with handwritten questions in front of her

Copyright, training data, and what business owners actually need to know

The AI training-data copyright debate is loud and mostly between large rights holders and large labs. Here are the narrower bits that actually apply to a 5 to 50 person firm using AI tools.

A woman at a desk holding a printed document in one hand and looking at her laptop screen, a coffee cup beside her, late-afternoon light through the window

Who owns the work when AI wrote it

AI helped draft chunks of the deliverable. The legal question of who owns it is not as settled as either optimists or pessimists claim.

An owner at her kitchen table on a Saturday morning, writing on a printed A4 sheet with a black pen, a closed laptop pushed to one side and a mug of coffee within reach

The never-paste-this list every small business should write before scaling AI use

Ninety minutes with a notepad, a one-page list of what nobody on the team ever pastes into a general AI tool, and the awkward AI data conversation has somewhere to land.

A business owner and a colleague leaning over a laptop together with a browser extensions panel visible on the screen and a notebook beside the laptop

Browser plugins, AI extensions and the data you did not realise you were sharing

A browser extension sits between your team and every web page they open. Across a small firm, the aggregate exposure is usually larger than the headline AI tools the owner thinks about.

A founder at a kitchen table comparing two laptop screens with a printed terms sheet and a notebook of handwritten figures beside her

Free versus paid AI tiers, the privacy difference owners need to understand

The price difference between free and paid AI tiers is small. The privacy difference is large. Four levers explain why.

A business owner at a desk with a printed client proposal beside her laptop and an open notebook in front of her

Where your data goes when you paste it into a chatbot

Most owners have a vague sense their AI chatbot data goes 'somewhere'. The actual answer matters, because the controls available depend on it, and they vary widely between providers and tiers.

A managing director and an operations lead at a meeting room table with a printed document and a laptop showing a spreadsheet, mid-conversation

What AI governance actually means when you do not have a compliance team

Enterprise AI governance language assumes a compliance officer, a privacy team and a board risk committee. None of those exist in a 20-person firm. Here is what the same disciplines look like compressed into the owner's actual week.

An owner-manager and an operations lead sitting at an office table with a single printed sheet of A4 between them, two mugs of tea, a closed laptop to one side, a wall calendar in the background

The proportionate AI risk register for a 5 to 50 person business

A small business does not need a 40-page enterprise risk document. Six to ten lines, a named owner per line, a quarterly review, and the rest of governance gets easier.

An owner sitting in her office chair in mid-afternoon, reading a printed page she holds in her hand, an open notepad on the desk with handwritten lines and a mug of tea beside it, a bookshelf with files behind her

AI risk and governance for owner-operated businesses

Most AI risk content is sized for FTSE 100 compliance teams. This is the proportionate version for a 5 to 50 person owner-operated business that uses AI every day.

html

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation
Explore
Business First AIFounder FreedomBlog
Connect
AboutContactBook a conversation
Legal
Privacy PolicyTermsCookie Policy

© 2026 Larocca Consulting Ltd