22 April 2026
AI Governance Checklist for UK SMEs
A practical checklist for small and mid-sized businesses to get AI governance right — without enterprise complexity.
Sam Hawkins
Syntra Automate
AI governance is not just for large enterprises with dedicated compliance teams and six-figure budgets. If your business uses AI — and in 2026, almost every business does — you have governance obligations. The EU AI Act, the UK GDPR, and sector-specific regulators do not offer an exemption for being small.
But here is the good news: governance for an SME does not need to look like governance for a FTSE 100 company. It needs to be proportionate. Proportionate means matching your governance effort to your size, your risk exposure, and the AI systems you actually use. It does not mean doing nothing.
This checklist gives you ten practical steps. Each one is achievable for a small or mid-sized business without enterprise-grade overhead.
Why SMEs need AI governance
Three reasons this matters for your business, even if you only have 20 employees.
You use AI. If your team uses any AI-powered tool — ChatGPT, Microsoft Copilot, AI features in your CRM, automated email marketing, AI-assisted recruitment — you are an AI deployer. That comes with responsibilities.
You have GDPR obligations. The UK GDPR applies to every organisation that processes personal data. If AI tools are processing personal data — customer details, employee information, candidate CVs — your data protection obligations extend to those tools.
You may serve EU customers. The EU AI Act (Regulation (EU) 2024/1689) has extraterritorial reach. If any of your AI systems produce outputs used in the EU, you may be in scope — regardless of your size. High-risk obligations apply from 2 August 2026, with fines up to EUR 35 million or 7% of worldwide annual turnover.
Being small does not make you invisible to regulators. It makes proportionate governance all the more important — because the impact of a fine or enforcement action is proportionally greater for an SME.
The 10-point AI governance checklist
1. Build an AI inventory
List every AI tool your organisation uses. Include the obvious ones (ChatGPT, Copilot, Gemini) and the less obvious (AI features embedded in your CRM, accounting software, marketing platforms, or recruitment tools). Note who uses each tool, what data it processes, and what decisions it influences. You cannot govern what you cannot see.
2. Create an AI usage policy
Write a clear, short policy that sets out the rules for AI use in your organisation. Cover what tools are permitted, what data can and cannot be entered into AI systems, when human review is required, and how outputs must be verified. Keep the language plain. A two-page document that people actually read is worth more than a 30-page policy gathering dust.
3. Conduct a risk assessment
For each AI system on your inventory, assess the risk it presents. Consider: what data does it process? Does it influence decisions about people (customers, employees, candidates)? Could it produce biased or inaccurate outputs? Map each system against the EU AI Act risk tiers — particularly the high-risk categories in Annex III. Focus your governance effort on the highest-risk systems first.
4. Complete a Data Protection Impact Assessment where required
Under the UK GDPR, a Data Protection Impact Assessment (DPIA) is required when processing is likely to result in a high risk to individuals' rights and freedoms. AI systems that profile individuals, make automated decisions, or process sensitive personal data will typically trigger this requirement. If you do not have a Data Protection Officer, consider external support for this step.
5. Survey for shadow AI
Ask your team — honestly and without blame — what AI tools they are using that have not been formally approved. Shadow AI is the use of AI tools without organisational knowledge or oversight. It is widespread: the UK Cyber Security Breaches Survey 2025 found that only 24% of businesses using or considering AI reported having processes in place to manage AI risks. A simple anonymous survey can reveal tools you did not know were in use and data you did not know was leaving your organisation.
6. Establish an approved tools list
Based on your inventory, risk assessment, and shadow AI survey, create a list of AI tools that are approved for use in your organisation. For each tool, specify what it can be used for, what data is permitted, and any conditions (such as not entering personal data or client-confidential information). Make this list easy to find and easy to follow.
7. Define an output verification process
AI tools can produce inaccurate, misleading, or fabricated outputs. Establish a clear rule: AI-generated outputs used in business decisions, client communications, or regulatory submissions must be reviewed and verified by a competent person before use. This is especially critical for any AI system that influences decisions about individuals — recruitment, lending, customer service outcomes.
8. Create an AI incident plan
What happens if an AI system produces a biased output that affects a customer? What if personal data is leaked through an AI tool? What if an AI-generated document contains fabricated information that causes harm? Define a simple incident response process: who to notify, how to investigate, what to document, and when to escalate. Link this to your existing data breach notification procedures under the UK GDPR.
9. Establish leadership reporting
AI governance should not sit in a drawer. Someone in your leadership team — a director, the managing director, or a designated governance lead — should receive regular updates on AI usage, risks, and compliance status. For an SME, this does not need to be a formal quarterly board report. It could be a standing agenda item at monthly leadership meetings. The point is visibility and accountability.
10. Review your AI suppliers
Most SMEs do not build their own AI. They buy it — through SaaS platforms, embedded features, and third-party tools. For each AI tool you use, check: where does data go? Is it used for model training? What security certifications does the supplier hold? What are the contractual protections? Your governance is only as strong as your weakest supplier.
Proportionality: governance that fits your size
The EU AI Act explicitly recognises proportionality. Recital 81 acknowledges that measures should be proportionate to the size and resources of the provider or deployer. The UK's approach to regulation similarly emphasises proportionality.
For an SME, proportionate governance means:
A two-page AI policy rather than a 40-page framework document.
A spreadsheet-based AI inventory and risk register rather than enterprise governance software.
A quarterly review by the managing director rather than a dedicated AI governance committee.
Focused DPIAs for high-risk systems rather than assessments for every tool.
Practical staff guidance rather than a formal training programme with certification.
The goal is not bureaucracy. The goal is knowing what AI you use, understanding the risks, and having sensible controls in place.
Common excuses — and why they do not hold
"We're too small to worry about this." Size does not determine regulatory exposure. A 15-person recruitment agency using AI screening tools that process EU candidates' data is deploying a high-risk AI system under the EU AI Act. The obligations are the same.
"We only use free tools." Free tools still process data. ChatGPT's free tier, for example, may use your inputs for model training unless you opt out. The regulatory obligations relate to what the tool does with data and decisions — not what you paid for it.
"Our IT person handles this." AI governance is a business risk issue, not a technology issue. It requires input from leadership, HR, operations, and anyone who touches customer data. One person can coordinate it, but it cannot live solely in IT.
"We'll deal with it when we have to." The EU AI Act high-risk deadline is 2 August 2026. Building governance takes time — even proportionate governance. Starting now means you are ready. Starting later means you are scrambling.
The bottom line
AI governance for SMEs is about common sense, not complexity. Know what AI you use. Set clear rules. Assess the risks. Check your suppliers. Keep your leadership informed.
Ten steps. A few hours of focused effort to get started. The result: a business that is compliant, protected, and able to use AI with confidence.