AI Governance

An owner at her desk with two printed documents in front of her, a tools register and a policy, a pen resting on the page and a mug of tea nearby

The audit trail an SME actually needs, and the one it does not

Enterprise content tells SMEs to log every AI prompt and response. The proportionate audit trail for a 12-person firm is two pages of standing documentation plus a short per-incident note.

A founder and an operations lead at a meeting table with a printed two-page draft between them, two coffee mugs and a notebook, mid-conversation

Your minimum viable AI policy as a small business

Many published AI policy templates are sized for HR and legal teams. The version that fits a 5 to 50 person firm is two pages, plain language, five sections, drafted in ninety minutes. Shorter than expected, longer than the typical SME currently has written down.

A woman at her office desk in late afternoon writing in a notebook with four hand-drawn columns labelled UK, EU, US, Canada, a closed laptop and a half-drunk mug of tea to one side

Serving customers across borders, the multi-jurisdiction AI compliance picture for SMEs

Owners running across UK, EU, US and Canadian customers are managing four overlapping AI rulebooks at once, often without realising it. Here is the proportionate response, with the cases where it does not work.

An owner sitting at her office desk in late afternoon reviewing a printed Canadian privacy and AI summary, pen and notebook in hand, with a closed laptop and a mug of tea in front of her and a wall map of Canada with Quebec and Ontario circled behind

AI governance in Canada, AIDA and what is happening at provincial level

Canada's federal AI bill died in January 2025, but Quebec's Law 25 already applies extraterritorially, Ontario's framework is moving, and PIPEDA still sits underneath it all. Here is what a non-Canadian SME with Canadian customers actually has to do.

A woman at a home study desk in the evening with a printed US map beside her, several states circled in pencil, a notebook and a laptop in front of her

US AI rules for SMEs: the patchwork of federal action and state laws

The US has no comprehensive federal AI law. For a non-US SME with American customers, the live rules are a state-by-state patchwork built around where your customers actually live.

A woman at her kitchen table reading a printed regulatory document with a coffee in her hand, a marked-up notepad to one side and a closed laptop to the other

UK AI regulation right now: the pro-innovation pivot and what it means for owners

The UK deliberately did not write a single AI Act. For UK SMEs, the live rules come from existing regulators applying existing remits. Here is the practical picture for an owner.

An owner sitting at her office desk in late afternoon reading a printed EU AI Act summary, pen in hand, with a checklist, a closed laptop and a mug of tea in front of her and a wall calendar visible behind

The EU AI Act, what UK and EU SMEs actually need to do

The headline summaries of the EU AI Act are louder than the actual obligations on a typical SME. Here is the precise version, with the deadlines that matter and the five questions to answer about your own use case.

A services-firm owner and her insurance broker reviewing a printed policy and a notepad of questions at a desk over tea

Insurance, liability and your real AI exposure

Many SME insurance policies were written before AI was normal in small business use. Cover for AI-related incidents is patchy, often unclear, and frequently surprises owners. The conversation with the broker is overdue and short, once you know what to ask.

An owner sitting at her kitchen table in the morning holding her phone showing a chatbot conversation, a laptop and printed customer email beside her, a notepad and mug of coffee on the table

Customer-facing AI failures and where the accountability lands

When a support chatbot quotes a refund policy that does not exist, the question of who is accountable answers itself. It is the business that put the AI in front of the customer.

A business owner and a colleague checking a printed AI-generated report at a boardroom table.

Hallucinations as a business risk, not a curiosity

AI hallucinations aren't a comedy story when they reach your clients, your board pack, or your legal correspondence. They are a measurable business risk class with proportionate mitigations.

A services-firm owner and a client talking across a small table with coffee, an engagement letter and a proposal between them

Disclosing AI use to customers, when and how to say it out loud

Disclosing AI use to clients sits in an awkward middle space. Not always required, increasingly expected, sometimes contractually mandated. Many owners get it wrong in one of two directions.

An owner at her kitchen table on a Saturday morning reading a news article on a tablet with a printed contract and a notepad with handwritten questions in front of her

Copyright, training data, and what business owners actually need to know

The AI training-data copyright debate is loud and mostly between large rights holders and large labs. Here are the narrower bits that actually apply to a 5 to 50 person firm using AI tools.

A woman at a desk holding a printed document in one hand and looking at her laptop screen, a coffee cup beside her, late-afternoon light through the window

Who owns the work when AI wrote it

AI helped draft chunks of the deliverable. The legal question of who owns it is not as settled as either optimists or pessimists claim.

An owner at her kitchen table on a Saturday morning, writing on a printed A4 sheet with a black pen, a closed laptop pushed to one side and a mug of coffee within reach

The never-paste-this list every small business should write before scaling AI use

Ninety minutes with a notepad, a one-page list of what nobody on the team ever pastes into a general AI tool, and the awkward AI data conversation has somewhere to land.

A business owner and a colleague leaning over a laptop together with a browser extensions panel visible on the screen and a notebook beside the laptop

Browser plugins, AI extensions and the data you did not realise you were sharing

A browser extension sits between your team and every web page they open. Across a small firm, the aggregate exposure is usually larger than the headline AI tools the owner thinks about.

A founder at a kitchen table comparing two laptop screens with a printed terms sheet and a notebook of handwritten figures beside her

Free versus paid AI tiers, the privacy difference owners need to understand

The price difference between free and paid AI tiers is small. The privacy difference is large. Four levers explain why.

A business owner at a desk with a printed client proposal beside her laptop and an open notebook in front of her

Where your data goes when you paste it into a chatbot

Most owners have a vague sense their AI chatbot data goes 'somewhere'. The actual answer matters, because the controls available depend on it, and they vary widely between providers and tiers.

A managing director and an operations lead at a meeting room table with a printed document and a laptop showing a spreadsheet, mid-conversation

What AI governance actually means when you do not have a compliance team

Enterprise AI governance language assumes a compliance officer, a privacy team and a board risk committee. None of those exist in a 20-person firm. Here is what the same disciplines look like compressed into the owner's actual week.

An owner-manager and an operations lead sitting at an office table with a single printed sheet of A4 between them, two mugs of tea, a closed laptop to one side, a wall calendar in the background

The proportionate AI risk register for a 5 to 50 person business

A small business does not need a 40-page enterprise risk document. Six to ten lines, a named owner per line, a quarterly review, and the rest of governance gets easier.

An owner sitting in her office chair in mid-afternoon, reading a printed page she holds in her hand, an open notepad on the desk with handwritten lines and a mug of tea beside it, a bookshelf with files behind her

AI risk and governance for owner-operated businesses

Most AI risk content is sized for FTSE 100 compliance teams. This is the proportionate version for a 5 to 50 person owner-operated business that uses AI every day.

html

If any of this sounds familiar, let's talk.

The next step is a conversation. No pitch, no pressure. Just an honest discussion about where you are and whether I can help.

Book a conversation