A founder running a 12-person professional services firm signed up for an AI writing tool, added it to the team’s workflow, and thought very little more about it. Three months later, a client asked for a data processing agreement covering third-party AI tools. She didn’t have one. A new prospect’s onboarding questionnaire included two questions about AI controls. There was nothing to show.
This is how AI governance becomes relevant for a small firm. The trigger is usually a gap surfacing in a commercial conversation, not a letter from a regulator.
What choice are you actually facing?
Both paths involve some oversight. If your firm processes personal data or makes decisions that affect clients using AI tools, UK GDPR already requires a level of accountability. The choice you’re actually making is whether that accountability stays informal and vendor-dependent, or whether you document it, name an owner, and build a light cadence around it.
A 2026 Red Hat survey of UK IT decision-makers found 87% were using agentic AI, but only 25% reported having strong governance in place. Fewer than half had full visibility over where their AI-processed data is stored and processed. That gap is not a theoretical risk. It shows up when a client asks who approved your AI tool and what happens to the data you put through it.
Government-commissioned research for the Department for Science, Innovation and Technology puts AI adoption among UK SMEs at around 54% when you count any use of a single tool. Around 16% have embedded AI into core processes. Governance structures rarely keep pace. Skills gaps and confusion about compliance consistently rank as the top barriers, well ahead of cost. A clear internal framework addresses both directly, by defining which tools are approved, what data can be used, and who decides when questions arise.
When does formal AI governance pay?
A structured governance framework earns its place when AI use involves personal data, automated decisions, or outputs that reach clients. In regulated sectors, the case is even clearer. Accountancy firms, recruitment agencies, and businesses supplying EU customers all sit in territory where the ICO, FCA, or contractual due diligence will surface the gap if you cannot show documented controls.
The ICO’s guidance on AI and data protection is explicit: where AI processing is likely to result in a high risk to individuals, a data protection impact assessment is mandatory. This applies to organisations of any size. For businesses in financial services, the FCA and PRA’s model risk management principles, which took effect in 2024, require that AI and machine learning models have clear ownership, testing, and documentation. The Consumer Duty adds a further layer: firms must demonstrate that automated systems deliver fair customer outcomes, and demonstrating it requires a record of how those systems were reviewed and approved.
The EU AI Act adds a supply-chain dimension. UK firms selling software or services into the EU, or supplying larger EU clients as part of a delivery chain, are likely to face contractual requests for evidence of equivalent controls even though the Act does not apply directly to domestic UK operations. Supply-chain obligations travel with the contract.
Five UK regulators, including the FCA, ICO, and CMA, made the position clear in a joint statement in 2023: existing law already applies to AI. A documented accountability trail is expected. The question is how comprehensive that trail needs to be given your specific risk profile.
When can you keep it light?
For some firms, a one-page acceptable-use policy and careful vendor selection are genuinely proportionate. If AI use is limited to internal tasks on non-personal data, with human review of every output, the governance overhead is lower. Hartz AI describes a minimum viable framework as four elements: an acceptable-use policy, a risk checklist, basic training, and one named owner.
The clearest case for staying light is a small business using a public AI chatbot to draft generic marketing copy, where the owner reviews every output, no client data is pasted in, and the platform has a clear data processing agreement. A one-page policy and an annual sense-check are likely sufficient in this setup.
Where AI is vendor-managed, data sits in a defined location, and the firm does not combine tools with sensitive internal data in complex ways, much of the practical compliance risk is factored into the vendor relationship. Legal responsibility remains with the firm, but the hands-on governance work stays minimal.
The calculus shifts when AI use expands. A firm that starts with internal copy generation and later uses AI to analyse client communications, screen incoming applications, or handle customer-facing outputs has moved into higher-risk territory. What was proportionate at the start may not be six months later. Building a habit of reviewing your governance posture when use-cases change costs far less than retrofitting controls after something goes wrong.
What does getting this wrong actually cost?
For a small firm, the most likely costs surface commercially before they reach a regulator. A failed procurement questionnaire, a client asking for evidence of AI controls you don’t have, or a supply-chain audit you cannot pass are the practical exposure points. The ICO fined Clearview AI £7.5 million in 2022 for biometric data processing without lawful basis, but the day-to-day risk for a 10-person firm takes a different shape.
A techUK survey of 200 business leaders in 2024 found 64% acknowledged a disconnect between their AI deployment and governance maturity. Organisations with stronger governance reported better project outcomes and lower risk. The commercial framing matters: governance is about avoiding wasted effort, failed deployments, and contracts you cannot sign because the due diligence questions have no answers.
Insurance is moving in the same direction. Professional indemnity and cyber policy proposal forms increasingly include questions about AI risk management. Weak governance may translate to higher premiums or exclusions for AI-related incidents, a point noted by UK law firms and insurance brokers reviewing AI liability trends.
Operational remediation is often the most painful cost of all. When an AI deployment goes wrong without documented controls, reconstructing what happened, reviewing historical outputs, and demonstrating to a client that the issue has been resolved is slow and expensive. With basic governance in place, the investigation is faster, the audit trail exists, and the conversation with the client is shorter.
What to ask before you decide
Four questions will take you further than any framework comparison. Does your AI use touch personal data, and is that processing high risk under UK GDPR? Are you in a regulated sector, or supplying one? Do clients or prospects ask for evidence of AI controls? And is your use of AI growing in scope, or still limited to one or two stable tools?
A yes to any of the first three questions points clearly towards a documented framework. Hartz AI’s four-element minimum viable approach is a practical starting point: acceptable-use policy, risk-assessment process, basic training, and one named owner. This does not require a committee or a significant budget. A first version takes a half-day to write and a quarterly review to keep current.
If all four questions return low-risk answers, a one-page policy, careful vendor selection, and annual sense-checks may be proportionate for now. The useful discipline is revisiting the questions as AI use expands, not treating an early assessment as permanently settled.
Two free resources are worth checking before you commit either way. The Alan Turing Institute’s BridgeAI programme provides AI governance knowledge resources aimed specifically at UK SMEs. Innovate UK grant applications increasingly ask applicants to describe their AI governance approach, so the groundwork you lay now has value beyond compliance.
If this is a decision you are working through now, booking a conversation is the place to start.