The questionnaire arrived from a new enterprise client, a standard pre-procurement document with a question that stopped a founder cold: please describe your AI governance policy and how you manage AI-related risk. She had been using ChatGPT and Copilot for proposals and client research for the best part of a year. Nothing written down. What she needed to know was whether formal governance was genuinely required for a 12-person professional services firm, or whether that level of overhead was designed for organisations far larger.
What the choice actually is
A light-touch approach to AI always needs at least a basic acceptable-use guideline, vendor checks, and awareness of IP risks. Beyond that minimum, the determining factor is whether your situation demands more: documented policies, named accountability, risk assessments, and regular oversight. That threshold depends almost entirely on what your AI tools are touching, not on how many people work in the business.
Frameworks from the Institute of Directors, GRC Solutions, and London Stock Exchange Group’s Spark advisory platform converge on the same position: no governance at all is only viable for short, low-risk experiments. Anything beyond that needs simple policies, role assignments, and regular review. The question is how much structure, not whether structure is needed.
Formal AI governance, in the sense relevant to an owner-managed business, means a short set of structures: a written AI policy, a named senior person who owns it, a register of the tools you use and what they do, risk assessments where your regulator expects them, vendor and security checks before adopting new tools, and some form of staff training and monitoring. None of this needs to be elaborate. For a firm under 50 people, a handful of documents and clear ownership is usually sufficient unless the work sits in a highly regulated area.
When formal governance is the right call
You almost certainly need a formal governance structure if any of the following apply. These are not edge cases: they cover a wide range of professional services, financial services, healthcare work, and any firm that processes client or employee data through AI tools. The regulatory exposure is real, and ‘we used a vendor’s tool’ is not a defence under UK GDPR.
The Information Commissioner’s Office explicitly expects Data Protection Impact Assessments, documented controls, and human oversight for AI processes that touch personal data at scale or automate decisions about individuals. If your staff are pasting client information, employee records, or any data tied to identifiable people into AI tools, you are already operating inside UK GDPR’s scope. Documented controls are the expected response.
If AI plays any role in decisions that materially affect people, the exposure is sharper still. Credit assessments, hiring screening, pricing that could discriminate, and professional advice that influences significant financial or personal decisions all fall under Article 22 of the UK GDPR, which restricts fully automated decisions with legal or similarly significant effects and requires human review and clear challenge mechanisms.
For firms in FCA-regulated activities, the Bank of England and FCA’s joint AI forum has been explicit: AI use should be integrated into existing governance and risk frameworks, with board-level oversight. A documented policy is the minimum visible signal that this is happening. If you serve clients in the EU in areas the EU AI Act classifies as high-risk, including credit scoring, employment tools, or education, formal documentation is required regardless of where your business is based.
When lighter controls are enough
Lighter, informal controls can be adequate if your AI use meets a specific set of conditions simultaneously. The word simultaneously matters: one disqualifying factor changes the picture. If your current use genuinely fits all four criteria below, a short internal guidance note, basic vendor checks, and reasonable awareness of IP and confidentiality risks may be proportionate.
First, the use cases must be low-risk and non-personal. Generating draft blog posts, summarising general research, and brainstorming internal process ideas using non-sensitive examples are the kinds of tasks where AI serves as a drafting aid with no personal data in the workflow. The moment a real client name or employee record enters the workflow, that changes.
Second, AI should be advisory rather than determinative. Staff use it as a draft tool and a thinking aid, while humans remain clearly accountable for outputs and can realistically review them. If an AI process produces a result that the business acts on without a meaningful human check, that is determinative use, and it changes what governance is required.
Third, you should not be operating in a regulated sector or serving EU clients in high-risk AI domains. If you have FCA authorisation, or work in medical, educational, or credit-related services, this condition is already unmet.
Fourth, scale and complexity should be limited. Lighter controls suit firms where only a handful of tools are in use and no clients are being onboarded onto AI-driven platforms. As scope expands, the first three conditions become harder to satisfy.
The UK government’s AI Management Essentials tool offers a proportionate checklist for businesses at this stage, covering governance, risk, data, security, transparency, and fairness.
What it costs to get this call wrong
Getting this wrong in either direction has a real cost, though the failure modes are not symmetrical. Under-governance in situations that required formal structure carries regulatory, commercial, and reputational exposure. Over-governance on genuinely low-risk activity wastes time and slows experimentation. The pattern that causes more damage in practice is under-governance, for one straightforward reason: the regulatory exposure is not theoretical.
The ICO can issue fines up to £17.5 million or 4% of global annual turnover, whichever is higher. For an owner-managed business, even a fraction of that, plus remediation and legal costs, could be existential. The ICO’s 2022 enforcement action against Clearview AI, resulting in a £7.5 million fine for unlawful biometric data scraping, made one thing clear: the ICO will act against unlawful AI-related processing regardless of whether the firm is UK-based, and ‘we used a vendor’s system’ is not a defence where you remain the data controller.
The commercial risk is growing alongside the regulatory one. Enterprise clients and public-sector buyers increasingly include AI governance questions in procurement due diligence, a pattern reflected in a 2023 Cisco survey that found 92% of organisations feel pressure to reassure customers about their AI use. Losing a tender because you cannot demonstrate basic governance costs more in practice than writing a short policy would have.
Over-governance on low-risk activity is a genuine waste. Heavy policies and documentation for simple drafting tools slow adoption without reducing risk. The proportionate response for clearly low-risk use is a short guidance note and basic vendor hygiene.
What to ask before you decide
Five questions will tell you where you sit. Take them as a diagnostic rather than a compliance checklist. A single yes to the first three almost always indicates that formal governance is warranted. The fourth and fifth questions test for situations where the stakes are high enough that informal controls are likely to leave you exposed.
What personal data, if any, passes through your AI tools? If the answer includes client information, employee records, or any data linked to identifiable individuals, you are already inside UK GDPR’s scope. The ICO’s guidance on AI and data protection is explicit: where AI processing is likely to result in high risk to individuals, a DPIA is expected.
Do any AI-enabled processes have a material impact on a person’s livelihood, finances, or rights? Hiring, credit, eligibility for services, and professional advice all trigger stronger expectations under UK GDPR and sector rules.
Could a client, a regulator, or a court reasonably ask you to explain how an AI-influenced decision was made? If the honest answer is that you could not reconstruct the reasoning or show that a human reviewed it, you need documentation now rather than after the question arrives.
Do you serve customers in the EU, or process data relating to EU residents? If so, and if any of your AI processes could fall under high-risk categories in the EU AI Act, the governance obligation applies regardless of your UK base.
Can you answer, in writing, how you use AI if a client, an insurer, or a regulator asks today? If not, a short tools register and an acceptable-use policy are the starting point regardless of where you land on the other questions.