AI governance · 7 min read · July 12, 2026

AI governance checklist for small businesses

Small businesses do not need an enterprise bureaucracy. They need visibility into which AI tools are used, clear data rules, accountable review, and a schedule for checking that controls still work.

Why this is now an operating issue

AI adoption and AI governance are moving at different speeds. The US Federal Reserve reported firm-level adoption at roughly 18% by the end of 2025, while individual work use was substantially higher. That gap can indicate employee use that is not fully visible in company systems.

For cybersecurity, NIST has published small-business guidance based on the Cybersecurity Framework 2.0. The practical lesson is useful here: identify risk, assign responsibility, protect important information, detect problems, respond, and recover.

The seven-control checklist

01

Create an AI tool register

Record each tool, business purpose, owner, data categories, users, contract, and next review date.

02

Define approved and prohibited data

State whether customer records, source code, credentials, financial data, health data, or confidential documents may enter each tool.

03

Assign accountable owners

Every approved tool and high-impact workflow needs a named business owner, technical owner, and escalation path.

04

Require human review

A person remains accountable before AI output reaches customers or affects hiring, finance, legal, safety, or security decisions.

05

Evaluate output quality

Test accuracy, unsupported claims, bias, prompt injection exposure, and failure handling against representative tasks.

06

Train staff

Explain approved tools, prohibited data, verification duties, incident reporting, and the limits of generated output.

07

Review every month

Tools, terms, models, integrations, and employee workflows change. Governance must be a recurring operating process.

What a risk score can and cannot do

A score can prioritise missing controls and show whether risk is moving up or down. It cannot certify legal compliance, prove that a tool is safe, or replace contractual, privacy, cybersecurity, and sector-specific review.

Sources and further reading