AI Governance FAQ
How do you implement AI governance in a small business?
Quick answer
AI governance for a small business starts with three steps: first, build an inventory of every AI tool in use across the business — including AI embedded in software you already use. Second, write a simple AI use policy: what is permitted, what is not, and who is responsible. Third, identify whether any AI use falls into the EU AI Act's high-risk categories and address those specifically. For most Irish SMEs, this is half a day's work to set up properly. Proportionate governance does not mean absent governance.
The three-step SME AI governance starting point
For a small or medium Irish business, AI governance starts with three practical steps.
Step one: build an AI inventory. This means listing every AI tool the business uses — ChatGPT, Copilot, AI features in accounting or CRM software, AI-powered customer service tools, anything. The inventory should capture what each tool does, what data it processes, who uses it, and whether the vendor has provided adequate terms around data use. Most SMEs are surprised by how many AI tools they are already using when they do this exercise properly.
Step two: write an AI use policy. For an SME, this does not need to be complex — a clear, readable document that tells employees what AI use is permitted, what data can and cannot go into AI tools, and what verification is required before acting on AI outputs.
Step three: check for EU AI Act high-risk exposure. If any AI the business uses falls into the Act's high-risk categories — employment, credit, healthcare — additional obligations apply regardless of company size.
EU AI Act obligations for small businesses
The EU AI Act applies to small businesses as deployers of AI systems, not just large organisations. The Act does include some proportionality provisions — certain requirements are scaled for SMEs, and the European AI Office publishes guidance to help smaller organisations comply. But proportionality does not mean exemption. A small business using AI in employment decisions, credit processes, or healthcare contexts has the same high-risk AI obligations as a large organisation using the same system. The practical implication for Irish SMEs is that the starting point — inventory, policy, risk check — is not just good practice but a legal baseline. The good news is that most Irish SMEs do not have high-risk AI exposure, and their compliance obligations are therefore manageable with appropriate support.
Acuity AI offers fixed-fee AI governance engagements designed specifically for Irish SMEs. See our SME AI strategy services.