You take on a new client, a professional services firm with some sensitive data. A month later, you realise that three people in your team have been using ChatGPT to draft their client emails. None of them used client names. Probably. You think.
That moment of “probably” is what an AI risk register is designed to close. A simple record of what AI tools you are using, what risks they carry, and what you have done about each one. For a 5 to 50 person services firm, building one takes a few hours. Ignoring it is increasingly hard to justify as AI use spreads through your business and your clients start asking questions.
What is an AI risk register?
An AI risk register is a structured log, usually a spreadsheet or Notion table, that lists every AI tool in your business alongside the risks it creates, a likelihood and impact score, the controls you have in place, a named owner, and a review date. The ICO describes risk-based documentation as central to compliant AI; LexisNexis’s legal precedent template uses exactly these fields as its starting point.
For a small firm, you are typically looking at 10 to 30 rows across the whole business. A single row might read: use of ChatGPT to draft client emails; risk of personal data export and confidential information loss; likelihood 2; impact 3; risk rating 6; control is a policy banning client-identifiable information in public tools plus an enterprise version with a data processing agreement; owner is the operations manager; quarterly review. That is the whole format.
HighTable’s risk register guidance for SMEs illustrates a 1 to 9 scoring model where likelihood runs from 1 (low) to 3 (high) and impact does the same, so the product reaches a maximum of 9 for the most severe risks. A score of 6 or above flags a risk that warrants action. A shared spreadsheet with those columns works for a firm at this scale.
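As an added illustration that is not from the article, HighTable or LexisNexis, the row format and 1 to 9 scoring described above as a small Python script. The rows, tool names and dates are constructed, and the reviewer checks it applies (missing owner, overdue review, missing DPIA reference for uses that make decisions about individuals) are this example's own assumptions about what a quarterly review would chase.

```python
from dataclasses import dataclass
from datetime import date, timedelta
ACTION_THRESHOLD = 6  # HighTable-style 1-9 model: a score of 6 or above warrants action

@dataclass
class RiskEntry:
    tool: str
    risk: str
    likelihood: int          # 1 (low) to 3 (high)
    impact: int              # 1 (low) to 3 (high)
    controls: list
    owner: str
    next_review: date
    decides_about_people: bool = False   # screening, scoring or triage of individuals
    dpia_ref: str = ""                   # reference to the linked DPIA, if one exists

    def score(self) -> int:
        if not (1 <= self.likelihood <= 3 and 1 <= self.impact <= 3):
            raise ValueError("likelihood and impact must be 1..3")
        return self.likelihood * self.impact

    def needs_action(self) -> bool:
        return self.score() >= ACTION_THRESHOLD

def review_register(entries, today):
    """Return (tool, finding) pairs a reviewer would need to chase (assumed checks)."""
    findings = []
    for e in entries:
        if e.needs_action() and not e.controls:
            findings.append((e.tool, "score %d with no control in place" % e.score()))
        if not e.owner:
            findings.append((e.tool, "no named owner"))
        if e.next_review < today:
            findings.append((e.tool, "review overdue"))
        if e.decides_about_people and not e.dpia_ref:
            findings.append((e.tool, "DPIA needed before this use goes live"))
    return findings

# Constructed sample rows; the tools, owners and dates are illustrative, not a real firm's register.
TODAY = date(2025, 6, 1)
SAMPLE = [
    RiskEntry("ChatGPT (email drafting)", "personal data export / confidentiality loss", 2, 3,
              ["no client-identifiable data in public tools", "enterprise tier with DPA"],
              "operations manager", TODAY + timedelta(days=90)),
    RiskEntry("CV screening assistant", "bias in applicant filtering", 2, 3,
              [], "", TODAY - timedelta(days=10), decides_about_people=True),
    RiskEntry("Marketing copy generator", "inaccurate public claims", 1, 1,
              ["human sign-off before publishing"], "marketing lead", TODAY + timedelta(days=180)),
]
```

Running `review_register(SAMPLE, TODAY)` returns four findings, all against the CV screening row, which is the kind of uncontrolled, unowned, decision-making use the register exists to surface.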
Why does it matter for a small services firm?
UK GDPR Article 25 requires data protection by design and by default whenever you process personal data. The ICO is explicit that sending personal data to a third-party AI API for summarisation or drafting counts as data processing. That means you need a lawful basis, appropriate contracts, and demonstrable risk management. A risk register is the clearest evidence that you have done that work.
The ICO can request evidence of your risk management approach, and so can an enterprise client’s procurement team. Having a register ready cuts that conversation short. Law firm Osborne Clarke notes that employees pasting sensitive information into public AI tools creates confidentiality and trade secret risks, and that businesses need to document how they are managing these exposures.
The Cabinet Office’s 2024 Mitigating Hidden AI Risks Toolkit found that poorly managed AI introductions can lead to over-reliance on AI outputs, staff deskilling, and erosion of trust, even when the technology itself performs well. A risk register that captures all four categories of AI risk, technical and organisational alike, is what helps you catch these problems before they become habits.
Where do AI risks actually show up in a small firm?
The practical risk categories for a small UK services firm break into four areas. Data and confidentiality is the most immediate. Bias and decision-making is less obvious but relevant if AI influences hiring, credit, or customer triage. Cyber and fraud risks are rising fast. Hidden behavioural risks (over-reliance, shadow AI, and inadequate training) round out the picture and are often the last to get documented.
Starting with data and confidentiality: the ICO’s AI guidance is clear that personal data sent to any third-party AI API is still data processing under UK GDPR. Controls here include acceptable-use policies, banning the entry of client-identifiable information into public tools, and using enterprise API versions that come with data processing agreements.
Bias and decision-making applies wherever AI plays any role in screening, scoring, or sorting individuals. If your firm uses an AI tool to filter job applications, assess credit risk, or triage customer queries, the ICO expects you to assess and document any bias or discrimination risks. KPMG’s AI Risk and Controls Matrix identifies unintended bias as a key category with potential for reputational damage and regulatory action.
Cyber and fraud risk is both external and internal. The National Cyber Security Centre reports that AI significantly increases the scale and sophistication of phishing, including AI-generated messages that closely mimic genuine communication patterns. Your brand could also be imitated. Both belong in the register with ownership shared between IT and operations.
Hidden risks cover staff over-relying on AI outputs, bypassing normal checks, and using tools that have not been approved. The Cabinet Office toolkit specifically flags these as the risks that undermine quality and trust from the inside, often long before anyone notices.
When should you build one, and when can you hold off?
A dedicated AI risk register is worth building once AI is touching client data, influencing decisions about individuals, or embedded in a core operational process. If your only AI use is a corporate-configured tool generating generic marketing copy with no personal data involved, a few rows in your existing risk log may be sufficient. The test is whether AI is creating risks for anyone other than your own team.
The ICO’s test, built into UK GDPR, is whether your AI use creates risks to individuals’ rights and freedoms. If it does, proportionate documentation is expected. The ICO does not specify a register format; it cares that you have a clear record of risks and controls and that someone owns them.
HighTable’s guidance for SMEs explicitly suggests integrating AI risks into an existing ISO 27001 style register rather than creating a separate document when the volume of AI use is low. That is a reasonable approach for a firm of fewer than ten people with limited AI exposure.
The practical check is this: if a regulator or an enterprise client asked to see evidence that you understand your AI risks and have controls in place, could you show them something credible in five minutes? If yes, you are covered. If the answer involves pulling something together, you need a register. The document you would need to create under pressure is exactly the document you should already have.
What connects to an AI risk register?
Several obligations and documents link directly to a small business AI risk register. A Data Protection Impact Assessment is required for higher-risk AI uses, including large-scale profiling and automated decisions with significant effects on individuals. Your risk register should link each high-risk AI use to its DPIA, or flag that one is needed before the use case goes live.
Shadow AI is a close neighbour. Both HighTable and the Cabinet Office toolkit recommend starting any AI governance exercise by surveying staff on the tools they actually use, not just the ones you have signed off. That survey becomes the first draft of your inventory, and uncovering shadow AI is often the most useful output of the exercise.
The EU AI Act is relevant if you deal with EU residents. It classifies AI systems by risk level, with high-risk categories including employment screening and credit scoring carrying stricter documentation obligations regardless of where your firm is based. For UK-only operations, ICO guidance is the primary reference point.
Supplier risk sits alongside these obligations. The Competition and Markets Authority’s ongoing oversight of foundation model providers means the contractual terms and pricing of key AI vendors may shift. Periodic reassessment of supplier risk belongs in the register as a standing review item.
Free starting points include the GOV.UK Hidden Risk Register Excel template, the ICO’s AI and data protection risk toolkit with downloadable worksheets, and the LexisNexis AI risk register precedent, which shows what professional-grade documentation looks like.
The aim is a document you can hand to a client, an insurer, or an ICO officer and have it read as evidence that someone in your business thought carefully about this. For a firm of 10 to 50 people, that document is rarely more than one page of a spreadsheet. The effort to build it is an afternoon. The cost of not having it tends to surface at the worst possible moment.