At a 20-person professional services firm, someone mentions, almost in passing, that several colleagues have been using ChatGPT to draft client reports. There is no approved list, no agreed scope, and nobody quite owns the decision. The founder isn’t alarmed, but the question is forming: do they need a proper AI governance framework, or would that be overengineering it for a firm this size?
The answer is that they need something. The interesting question is exactly how much.
What choice are you actually facing?
A 20-person firm needs AI governance, and the question is how much. The practical answer depends on your use cases, your data flows, and whether regulated or customer-facing decisions are involved. Existing UK law still applies when you use AI tools; there is no fresh statute that overrides it. The ICO, FCA, CMA, and Ofcom each govern their patch as before.
The UK Government’s 2023 AI regulation approach confirmed that position explicitly. Rather than a single cross-economy AI Act, the UK opted for a sector-led model, applying five principles (safety, transparency, fairness, accountability, and contestability) through existing regulators rather than through a new statute. For a small firm, that actually simplifies the question. Ask what you are doing with AI, whether it touches personal data, customer decisions, or a regulated activity, and you can usually see what level of governance the situation calls for.
When does lightweight governance cover it?
Lightweight governance works when AI is handling genuinely low-risk work: drafting, summarising, brainstorming, or first-pass content where no personal data is involved, no confidential client information is fed in, and no decisions about customers, staff, or pricing are being shaped by the output. If that describes your use cases, a short acceptable-use policy and a named owner is a reasonable starting point.
Guidance for smaller organisations suggests that AI governance in this size band should be intentional but not complex. In practice that means: one senior person accountable for AI oversight; a one- or two-page acceptable-use policy covering approved tools, prohibited data types, what review is required before AI output goes anywhere, and who to contact if something goes wrong; a brief check before any new tool is adopted; and a team conversation so people understand the expectations.
This approach creates shared clarity without adding bureaucracy. The policy is low-effort to produce but has real protective value: it gives you something concrete to point to if a client asks about your controls, and it means the rules exist somewhere other than individual assumptions.
In one industry survey, around three out of five small businesses were already using AI or planning to use it within two years. Many will start in this lightweight tier and stay there, at least until their use cases expand into territory that requires more.
When do you need something more formal?
The trigger for tighter governance is almost always data or decisions, not firm size. Once personal data, special category data, financial records, or confidential client material is being fed into an AI tool, the ICO’s UK GDPR framework applies directly. The same applies when AI is shaping customer-facing, employment-related, pricing, or risk-scoring decisions, even if that shaping is informal or partial.
Tighter governance typically means a more structured set of controls. A formal AI register lets you account for what tools are in use and what data they touch. Data protection impact assessments are expected for higher-risk processing, particularly profiling, automated decision-making, or large-scale use of sensitive data. Vendor contracts need legal review covering data processing terms and liability. AI outputs should be tested and validated before reaching clients, and human review should sit inside any workflow where the stakes are significant.
If your firm sells into the EU or serves EU-based customers, the EU AI Act adds another layer. Its final legislative stage completed in March 2024, and the Act’s risk-based obligations apply to businesses providing AI-enabled services into EU markets regardless of where the business is based. For a 20-person firm with EU clients, that is worth a specific conversation with a legal adviser rather than an assumption that UK-only rules apply.
Regulated sectors, including financial services, legal services, healthcare, and employment, carry additional obligations through their sector regulators. If your firm operates in any of these areas, sector-specific guidance takes precedence over generic SME starting points.
What does it cost to get the call wrong?
The main failure mode in a smaller firm tends to be quiet rather than dramatic: a team member uploads client data to an unapproved tool, a hallucinated output goes to a customer unchecked, or a vendor contract offers no clarity on who is liable when something goes wrong. The risk is operational and reputational, and it surfaces only under pressure.
Under UK GDPR, if personal data was involved and controls were absent, the ICO expects demonstrable accountability. That means being able to show what tool was used, what data went in, what protections were in place, and what the outcome was. Informal adoption without a written process means you cannot reconstruct that audit trail when a data subject makes a request, a client raises a challenge, or a regulatory enquiry begins.
Italy’s data protection authority, the Garante, temporarily restricted ChatGPT in March 2023 over concerns about lawful basis, transparency, and age verification under GDPR. The UK ICO took a different path, issuing guidance on generative AI in April 2023 rather than taking enforcement action. The underlying data protection obligations for UK firms, however, are the same.
Beyond regulatory exposure, there is the operational cost of unwinding an informal rollout. Once a team has embedded a tool into its workflows, remediation means retraining, process redesign, and sometimes client disclosure. That tends to be considerably more expensive than getting a few clear rules in place at the outset.
What should you settle before you put anything in place?
Before you decide how much governance you need, a handful of questions will do much of the work. What tools is your team actually using right now? Is any personal, financial, or confidential data going into them? Is AI shaping any decision that affects a customer, a member of staff, or a regulated outcome? Do you serve EU customers? And who currently owns this?
If the honest answers are basic drafting tools, no sensitive data, no customer decisions, and no EU exposure, then a named owner, a short acceptable-use policy, and a brief team conversation are likely sufficient.
If any answer involves personal data, regulated decisions, client-facing output, or EU exposure, the tighter version is appropriate and a data protection adviser is worth speaking to before you put a framework in place.
Either way, it helps to run the question across your team before building anything formal. Shadow AI (tools adopted without any central awareness) is the most common governance blind spot in smaller firms. In many cases, the informal policy is already written in people’s habits. Making the actual rules explicit tends to be a smaller piece of work than founders expect, and it pays off sooner.