AI governance for SMEs: practical policy, roles and controls

AI governance is the set of rules, roles and controls your business uses to deploy AI responsibly. For SMEs, this means: determining who may use which AI tools, what happens to business data, and how you monitor risks. With the EU AI Act fully in force from August 2026, a basic policy is no longer optional but a necessity.
What is AI governance? (in 2 minutes)
AI governance sounds complicated, but it's fundamentally very simple: it's the agreements you make about how AI is used in your business.
Think of it as an employee handbook — but for AI tools. In that handbook it says:
- Which tools your employees are allowed to use (ChatGPT, Copilot, sector-specific AI)
- What they can and cannot put in them (customer data? sensitive business information?)
- Who is responsible if something goes wrong
Without this policy, employees use AI on their own, sometimes with customer data in public systems — a risk to your reputation and a legal problem.
Why it's urgent now: From August 2026, the EU AI Act is fully in force. Companies deploying high-risk AI without documentation risk fines up to €35 million or 7% of global turnover. Even smaller businesses face GDPR exposure when employees enter personal data into public AI systems without any control over where that data ends up.
Roles: who does what in AI governance?
In an SME, you don't need to build a separate AI department. Four roles are enough:
AI Owner
This is the director or the person ultimately responsible. He or she decides which AI tools are procured, what the overall policy is, and what is absolutely not allowed.
AI Steward
Often the IT manager or operational manager. The steward ensures policy is implemented: access management, review of which tools are active, and monitoring for incidents.
Security Officer
Monitors data security: is customer data being kept out of public AI systems? Are API connections to AI providers secured (authenticated, encrypted, with keys stored safely)? In a smaller business, this can be the same person as the IT manager.
Legal/Compliance Contact
Someone who monitors EU AI Act obligations. This doesn't have to be a full-time lawyer — an external advisor or trained manager works fine.
Practical example: A transport company in the Netherlands (35 employees) has the director as AI owner, the IT manager as steward and security officer, and engages an external legal advisor for compliance. That's sufficient for most SME businesses.
Controls: approval flows, logging and data policy
AI governance revolves around three concrete controls that you can set up relatively quickly:
1. Approval flow: who may use which AI?
Create a simple approval list: which AI tools are approved (and for which department), which are on the grey list (only with permission), and which are forbidden?
Example for a retail company:
- ✅ Approved: Microsoft Copilot (connected to your Microsoft 365 tenant)
- ⚠️ Grey list: Free ChatGPT (only for non-sensitive tasks like checking texts)
- ❌ Forbidden: Customer data, order numbers or invoice data entered into public AI systems
2. Logging: what is recorded?
You don't need to save every prompt, but record at minimum:
- Which AI tools are used per department or team
- When an incident has occurred (wrong answer, data leak, unwanted AI behavior)
- Which major decisions were made based on AI output
This helps with internal audits and with the documentation requirement under the EU AI Act.
3. Data policy: what goes in, what doesn't?
The most frequently asked question from employees: "Can I put customer data in ChatGPT?" The answer is almost always no, unless you have a business contract with the AI provider and a correct processor agreement (the GDPR data processing agreement) in place.
Put this in writing in two sentences:
- Personal data, customer information and trade secrets never go into public AI tools
- For sensitive tasks, use only approved tools with a signed processor agreement
10-point AI governance checklist for SMEs
Here is a direct checklist you can complete today:
- ☐ Appoint an AI owner (ultimately responsible)
- ☐ Assign an AI steward/manager
- ☐ Create a list of approved, grey and forbidden AI tools
- ☐ Write in 1-2 pages what employees may and may not do with AI
- ☐ Determine which data never goes into public AI systems
- ☐ Check that you have processor agreements with AI providers
- ☐ Set up simple incident reporting (email or form)
- ☐ Train employees in the basic rules (a 30-minute session is enough)
- ☐ Plan a half-yearly review of the policy
- ☐ Document which AI systems are marked as "high risk" (EU AI Act requirement)
Want a ready-made Word template with this policy? Contact us via connect@unify-ai.nl — we'll send you a free template.
When is AI governance relevant for you?
AI governance is relevant if your business:
- Already uses AI tools (ChatGPT, Copilot, sector-specific AI)
- Processes customer or personal data
- Has more than 10 employees who regularly use AI
- Falls under the EU AI Act (mandatory for high-risk AI, but good policy helps everyone)
It's (not yet) urgent for you if you don't use AI at all and don't plan to. But in practice, almost every employee today uses AI — via their phone, browser or Office suite. The chance that your business uses zero AI is smaller than you think.
Frequently Asked Questions
What exactly is AI governance?
AI governance is the set of agreements, roles and controls that determine how your business deploys AI. It includes who is allowed to use which tools, how data is protected, and who is responsible if problems arise. Think of it as an AI version of your employee handbook.
Is AI governance mandatory for SMEs?
Not every SME is formally required to have one, but the EU AI Act (fully in force from August 2026) does require companies deploying high-risk AI to document and control it. A basic policy is wise anyway: it protects your employees, customers and reputation.
How long does it take to develop an AI policy?
A basic policy document for an SME typically takes 1 to 2 working days. With a good template, you can have a working policy that fits your organization size in an afternoon.
What are the fines if I don't have an AI policy?
The EU AI Act has fines up to €35 million or 7% of global turnover for the most serious violations (high-risk AI without documentation). Uncontrolled AI deployments can also result in GDPR fines if personal data ends up in public systems.
Does my business need an AI lawyer?
No, in most cases not. A practical policy, clear roles and common sense are sufficient for most SME businesses. For specific questions about the EU AI Act, you can engage an external advisor for a few hours — affordable and effective.