She found out that two members of her team had been using a public AI tool to summarise client contracts for three months. They were not trying to circumvent policy. There was no policy to circumvent. They had found something useful, used it, and told nobody.
The summaries were accurate. The client data – names, deal terms, financial figures – had been entered into a third-party AI system whose data handling practices the organisation had never reviewed. Whether that data had been used to train the AI’s models was a question she could not answer, because the tool’s terms of service were ambiguous and her legal team had never looked at them.
This is not a story about bad employees. It is a story about the absence of governance. And it is playing out in almost every organisation that has deployed AI tools without putting a policy framework in place first.
How Many Businesses Have an AI Governance Policy?
Not enough. A 2025 AuditBoard research study found that only one in four organisations have fully operational AI governance – meaning a policy that is documented, communicated, and actually applied in daily practice. The majority have either drafted policies that are not consistently applied, or have no formal policy at all.
A separate survey found that only 29% of organisations have comprehensive AI governance plans in place. Meanwhile, the same organisations are deploying AI tools at pace – which means the gap between AI capability in use and governance frameworks to manage it is widening, not closing.
Gartner’s December 2025 survey of 197 CxOs and senior business leaders found that only 27% of executives have a comprehensive AI strategy. You cannot have effective AI governance without an AI strategy to govern against.
What Happens Without a Policy
The risks of ungoverned AI use are not hypothetical. They are already materialising in organisations that deployed AI tools ahead of their governance frameworks.
IBM’s 2025 Cost of a Data Breach Report found that 13% of organisations reporting a breach had experienced an incident involving AI models or applications – and 97% of those organisations lacked proper AI access controls. Ungoverned AI tool use is not just a compliance risk. It is a security risk with measurable financial consequences.
Beyond breaches, the operational risks of ungoverned AI include: AI outputs used in client-facing communications without review, confidential data entered into AI systems with unclear data handling terms, AI-generated content attributed to employees without disclosure, and inconsistent AI usage that produces different results for the same task depending on which tool each employee chose to use.
The Six Things an AI Governance Policy Must Cover
1. Acceptable Use
What AI tools are permitted? For what tasks? With what restrictions? Acceptable use policy is the foundation of AI governance – it defines the boundary between sanctioned and unsanctioned AI use in your organisation.
Acceptable use should cover: which specific tools are approved (not ‘AI tools generally’), which tasks each tool is approved for, and what categories of task are prohibited regardless of the tool. It should be specific enough that an employee facing an ambiguous situation can consult it and reach a clear answer.
2. Data Handling Rules
What information may not be entered into AI systems? This is the most critical and most frequently absent element of AI governance in SMBs.
At minimum, data handling rules should prohibit: personal data about customers, employees, or partners from entering third-party AI tools without a reviewed data processing agreement; confidential financial data, legal matters, or proprietary business information from entering public AI systems; and any data subject to regulatory requirements – GDPR, HIPAA, or sector-specific regulation – from entering AI tools that have not been reviewed for compliance.
The default assumption should be: if the data handling terms of an AI tool have not been reviewed, the tool is not approved for any data beyond publicly available information.
3. Output Review Requirements
Which AI outputs require human review before use – and what does that review need to cover? Not all AI outputs carry the same risk if wrong. A first draft of internal documentation carries different risk than an AI-generated client communication or a financial summary.
Define review requirements by output type and by consequence of error. Customer-facing outputs, financial content, legal content, and anything attributed to a named individual should require review before use. The review process should check for factual accuracy, appropriate tone, and – where relevant – disclosure of AI involvement.
4. Accountability
Who is accountable when an AI-related incident occurs? Accountability in AI governance has two dimensions: role accountability (which function owns the AI policy and is responsible for its enforcement) and decision accountability (who is accountable for the outcome of an AI-assisted decision).
AI does not carry accountability. The people who deploy it, oversee it, and act on its outputs do. Your AI governance policy should be explicit about this – accountability does not transfer to the AI system.
5. Incident Reporting
How does an employee report an AI error, an AI-related security concern, or a situation where AI output has caused a problem? If there is no clear reporting path, incidents go unreported – which means they go unaddressed, and the same error repeats.
Incident reporting for AI should be as simple as possible. It needs a named contact, a clear description of what constitutes a reportable incident, and an assurance that reporting is encouraged rather than penalised. The volume of incidents your organisation does not know about is almost always larger than the volume it does.
6. Vendor Standards
What must an AI vendor demonstrate before your organisation deploys their tool? Vendor standards in your AI governance policy should specify: data handling documentation requirements (what must be disclosed before approval), security certification requirements (SOC 2 Type II as a minimum for tools handling business data), and review frequency (vendor terms change – approved tools should be reviewed annually).
The policy should also specify the approval process for new AI tools – who reviews them, what criteria they must meet, and who grants approval. Employees discovering useful AI tools and adopting them without review is the most common source of ungoverned AI use.
Making the Policy Work in Practice
A policy that exists only as a document has limited effect. The policies that actually change behaviour share three characteristics.
First, they are written in plain language. Legal precision has its place – in the contracts, not the employee-facing policy. The employee-facing version should be readable in ten minutes and unambiguous in its key requirements.
Second, they are introduced through conversation, not email. A team walkthrough – fifteen minutes per team, covering the key requirements and answering questions – produces better adoption than a document in a shared drive.
Third, they are reviewed annually and updated when AI tools or business practices change. A policy written before the organisation deployed its current AI tools is not a current policy.
FAQ: AI Governance Policy
Does a small business need an AI governance policy?
Yes – particularly if the business handles client data, operates in a regulated sector, or uses AI tools that process business information. The policy does not need to be complex. A clear one-page acceptable use policy covering the six areas above is more effective than a lengthy document that employees never read.
What is the most important element of an AI governance policy for a small business?
Data handling rules. The most common AI governance failure in SMBs is employees entering confidential client data, financial information, or regulated data into AI tools whose data handling practices have never been reviewed. A clear rule about what data may not enter AI systems – and which systems are approved for which types of data – addresses the highest-risk gap immediately.
How often should an AI governance policy be updated?
At minimum annually, and whenever a significant new AI tool is deployed or an existing tool changes its terms of service. AI governance is not a one-time exercise. The tools change, the risks change, and the policy needs to stay current with both.