AI governance checklist for small businesses
Small businesses do not need an enterprise bureaucracy. They need visibility into which AI tools are used, clear data rules, accountable review, and a schedule for checking that controls still work.
Why this is now an operating issue
AI adoption and AI governance are moving at different speeds. The US Federal Reserve reported firm-level adoption at roughly 18% by the end of 2025, while individual work use was substantially higher. That gap can indicate employee use that is not fully visible in company systems.
For cybersecurity, NIST has published small-business guidance based on the Cybersecurity Framework 2.0. The practical lesson is useful here: identify risk, assign responsibility, protect important information, detect problems, respond, and recover.
The seven-control checklist
Create an AI tool register
Record each tool, business purpose, owner, data categories, users, contract, and next review date.
Define approved and prohibited data
State whether customer records, source code, credentials, financial data, health data, or confidential documents may enter each tool.
Assign accountable owners
Every approved tool and high-impact workflow needs a named business owner, technical owner, and escalation path.
Require human review
A person remains accountable before AI output reaches customers or affects hiring, finance, legal, safety, or security decisions.
Evaluate output quality
Test accuracy, unsupported claims, bias, prompt injection exposure, and failure handling against representative tasks.
Train staff
Explain approved tools, prohibited data, verification duties, incident reporting, and the limits of generated output.
Review every month
Tools, terms, models, integrations, and employee workflows change. Governance must be a recurring operating process.
What a risk score can and cannot do
A score can prioritise missing controls and show whether risk is moving up or down. It cannot certify legal compliance, prove that a tool is safe, or replace contractual, privacy, cybersecurity, and sector-specific review.