AI Governance Checklist for UK SMEs: 12 Steps to Get Started

A practical 12-step AI governance checklist for UK small and medium businesses. Covers tool auditing, policy writing, data classification, staff training, and ongoing oversight — without needing a dedicated compliance team.

The 12 steps to get AI governance started as a UK SME: (1) appoint an AI governance owner, (2) run an AI tools audit, (3) classify your data, (4) write an acceptable use policy, (5) review OAuth app permissions, (6) check for credential exposures, (7) brief all staff, (8) establish an approval process for new tools, (9) document your AI use cases, (10) review supplier agreements, (11) set a review cadence, and (12) record everything. Most businesses can complete steps 1–7 within a month without external consultants.

The 12-step checklist

Work through these in order. The first seven steps are foundational — do not skip to the later ones before you have the basics in place. Each step is achievable without specialist expertise or expensive tooling.

Step 1: Appoint an AI governance owner

Someone in your business needs to own this. Without a named individual, governance becomes everyone's vague responsibility and no one's actual job. The owner does not need to be technical — they need to be organised, have management authority, and have time to spend two to four hours per month on it. In most SMEs, this is the IT Manager, Operations Director, or a senior manager with a data protection remit. Write the role into their objectives.

Step 2: Run an AI tools audit

Before you can govern AI use, you need to know what is actually in use. This is harder than it sounds — most businesses discover tools they did not know about. Audit three sources: your IT asset inventory, OAuth grants in Google Workspace or Microsoft 365 (which reveal apps that have been granted access to company accounts), and a direct employee survey. Combine all three to get an accurate picture.

Step 3: Classify your data

Establish a simple three-tier data classification that maps onto your AI policy: Public (shareable with any tool), Internal (shareable only via tools with enterprise agreements and DPAs in place), and Confidential (never shareable with AI tools without specific sign-off). Apply these labels to the data types your business handles: client records, financial data, HR records, legal documents, and so on.

Step 4: Write an acceptable use policy

Using your audit results and data classification, write a policy that names approved tools, defines permitted and prohibited uses, and sets out accountability. Keep it to one page. See our AI acceptable use policy guide for a section-by-section template.

Step 5: Review OAuth app permissions

OAuth grants are how AI tools get access to your Google or Microsoft environment. Employees routinely authorise apps without understanding what access they are granting — and those grants persist after the employee stops using the tool, and after they leave the company. Audit your active OAuth grants in the admin console and revoke anything you do not recognise or no longer need.
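One way to turn the grant list exported from the admin console into a prioritised revoke list, as an added example that is not part of the original article or of Governably's product; it assumes grant records shaped like the Google Workspace Directory API token entries (clientId, displayText, scopes) and uses constructed sample data:

```python
# Triage the OAuth grants gathered in the audit: flag apps not on the approved
# list and apps holding broad mailbox or Drive scopes, then order the findings
# so the governance owner revokes the riskiest grants first.
from dataclasses import dataclass
# Real Google scope URIs that expose mailbox or Drive contents wholesale.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
PRIORITY_ORDER = {"revoke": 0, "review": 1, "ok": 2}

@dataclass
class Finding:
    user: str
    app: str
    priority: str  # "revoke", "review" or "ok"
    reason: str

def triage_grant(user, grant, approved_client_ids):
    """Classify one grant record: a dict with clientId, displayText and scopes."""
    app = grant.get("displayText", "<unnamed app>")
    broad = set(grant.get("scopes", [])) & HIGH_RISK_SCOPES
    approved = grant["clientId"] in approved_client_ids
    if not approved and broad:
        return Finding(user, app, "revoke", "unapproved app holds " + ", ".join(sorted(broad)))
    if not approved:
        return Finding(user, app, "review", "app is not on the approved tools list")
    if broad:
        return Finding(user, app, "review", "approved app with broad scopes; check the DPA")
    return Finding(user, app, "ok", "approved app with narrow scopes")

def triage_all(grants_by_user, approved_client_ids):
    """Return findings for every user's grants, highest priority first."""
    findings = [triage_grant(user, g, approved_client_ids)
                for user, grants in grants_by_user.items() for g in grants]
    return sorted(findings, key=lambda f: PRIORITY_ORDER[f.priority])

# Constructed sample data: the client IDs and app names are placeholders.
SAMPLE_GRANTS = {
    "alice@example.co.uk": [
        {"clientId": "approved-assistant.example", "displayText": "Approved Assistant",
         "scopes": ["https://www.googleapis.com/auth/userinfo.email"]},
        {"clientId": "mystery-summariser.example", "displayText": "Mystery Summariser",
         "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}],
    "bob@example.co.uk": [{"clientId": "unknown-notes.example", "displayText": "Unknown Notes",
                           "scopes": ["https://www.googleapis.com/auth/userinfo.profile"]}],
}
APPROVED_CLIENT_IDS = {"approved-assistant.example"}
```

Grants that come back as "revoke" are the ones to remove first; "review" items go to the governance owner to either add the app to the approved list (with a DPA in place) or revoke it.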

Step 6: Check for credential exposures

Run your company email domains against breach databases to identify any employee credentials that have been exposed in historical data breaches. Exposed credentials are a direct pathway for attackers — and AI tools that have been granted OAuth access to compromised accounts multiply the blast radius. Prioritise password resets and MFA enforcement for any exposed accounts.

Step 7: Brief all staff

Send the acceptable use policy to all employees with a plain-English covering note. Hold a short session (15–30 minutes) to explain the rules, give examples of common mistakes, and answer questions. Require written acknowledgement. Repeat this for new starters as part of onboarding.

Step 8: Establish an approval process for new tools

Define how employees request new AI tools, who reviews the request, what criteria are used (data handling terms, DPA availability, security certifications), and what the expected turnaround time is. A simple Notion form or email template is sufficient. The goal is to create a lightweight process that is faster than shadow IT, so employees use it instead of going around it.

Step 9: Document your AI use cases

Keep a register of how your business uses AI tools and for what purpose. This does not need to be exhaustive at first — start with the highest-volume uses. The register serves two purposes: it helps you identify where your data classification rules need tightening, and it forms the basis of any future compliance documentation if regulations tighten.

Step 10: Review supplier and client agreements

Check whether your existing client contracts or supplier agreements contain clauses relevant to AI use — for example, confidentiality obligations that may be breached by sharing client data with an AI tool, or requirements to notify clients if AI is used in the delivery of services. This is increasingly common in professional services contracts.

Step 11: Set a review cadence

Put quarterly and annual reviews in your governance owner's calendar before you finish this process. Quarterly: review the approved tools list for new additions and revoked grants. Annually: full policy review and staff re-acknowledgement. Without a scheduled review, governance drifts — the policy becomes stale and the tool list stops reflecting reality.

Step 12: Record everything

Maintain a simple log of: tools audited (with date), policy versions (with approval date), staff acknowledgements, new tool approvals and rejections, and any incidents or near-misses. This record is your evidence of due diligence if you ever need to demonstrate to a client, insurer, or regulator that your business governs AI use responsibly.

What Governably automates

Steps 2, 5, and 6 — the audit, OAuth review, and credential exposure check — are the most time-consuming parts of this process to do manually. Governably runs all three automatically by connecting to your Google Workspace or Microsoft 365 environment, then surfaces findings as prioritised remediation tasks. The governance owner gets a clear to-do list rather than raw data to interpret.

Frequently asked questions

What is AI governance and why does it matter for SMEs?

AI governance is the set of policies, processes, and controls that determine how your business uses AI tools safely and responsibly. It matters for SMEs because employees are already using AI — with or without IT approval — and without governance, you have no visibility into what data is being shared, what tools are connected to your systems, or who is accountable when something goes wrong.

How long does it take to implement basic AI governance?

A basic governance framework — tool audit, acceptable use policy, data classification, and staff briefing — can be completed in two to four weeks for a business of under 50 people. The ongoing effort is lighter: a quarterly review of new tools and an annual policy refresh.

Do UK SMEs have a legal obligation to govern AI use?

There is currently no UK law specifically mandating AI governance for SMEs. However, UK GDPR requires that personal data is processed lawfully and securely, which includes via AI tools. If an employee shares personal data with an unsanctioned AI tool, that is a potential GDPR breach regardless of whether you have a specific AI policy.

What is the difference between an AI policy and AI governance?

An AI acceptable use policy is a document. AI governance is the ongoing process of enforcing that policy, monitoring for new tools, updating rules as the landscape changes, and maintaining accountability. A policy without governance is just a piece of paper.

Which framework should a UK SME use for AI governance?

For most UK SMEs, the UK DSIT AI Governance Framework is the most relevant starting point — it is designed for the UK regulatory context and does not require certification. ISO 42001 is worth considering if you supply enterprise clients who may require it. NIST AI RMF is useful as a reference but is US-centric.