What AI Governance Actually Means for a 12-Person Company
When people hear "AI governance" they picture a 40-page policy document, a steering committee, and a risk management framework borrowed from a Fortune 500 company. That picture is not wrong for the organizations it was built for. It is completely wrong for a 12-person professional services firm trying to figure out whether it is okay that three of their employees are using ChatGPT to draft client deliverables.
The governance problem is operational, not abstract
Someone on your team is using an AI tool you did not approve. That tool is seeing client data you did not intend to share. The output is being used in ways that create liability you did not anticipate. This is not a hypothetical — it is already happening at most businesses that have not addressed it.
The governance gap in small businesses is rarely a knowledge gap. Everyone roughly understands that you should not paste sensitive client information into a public chatbot. The gap is accountability — nobody owns the job of knowing what is in use, what data those tools see, and what position the business takes on each one.
Four concrete things governance means at small scale
Knowing what tools are in use. Not in theory — actually knowing. The most common finding when I work through this with operators is that leadership knows about two or three AI tools and the actual number in use is closer to eight or ten. Shadow adoption happens because the tools are useful and nobody has made it easy to ask permission. You cannot govern what you do not know exists.
Knowing what data those tools see. This requires looking at each tool and asking specifically: what information does a user have to provide for this tool to be useful? For a writing assistant, that might be the content of communications, which may include client names, proprietary information, or sensitive business data. For a code assistant, it might be your entire codebase. For a meeting transcription tool, it might be every conversation your team has had this quarter.
Having a clear position on each tool. Not a policy in the legal sense — a position your team understands. "This tool is approved for drafting internal documents. Client deliverables require human review before delivery." That is governance. It does not require a committee. It requires someone to write it down and tell the team.
Reviewing your position when tools change. AI tools update constantly, and their data practices change with them. The tool you approved six months ago may have added a feature that trains on your data by default. Someone needs to own the job of reviewing this — even if that someone is the founder checking release notes once a quarter.
What good governance does not look like
It does not look like waiting until you have hired a chief technology officer. It does not look like copying an enterprise AI policy and removing the sections that mention your nonexistent legal department. It does not look like banning all AI tools and pretending your team will comply; they will not, they will just stop telling you.
Good governance at small scale looks like a two-page internal document, a named owner, and a quarterly check-in where you ask: what new tools showed up, what data are they seeing, and does our position still make sense?
Where to start this week
Run an inventory. Ask every person on your team what AI tools they used in the last 30 days — including the ones they assume are too small to mention. You will find surprises.
Then work through the AI Readiness Workflow at /home/workflows/ai-readiness. It produces a structured readout you can share with your team — not a score, not a maturity badge, but a documented starting point for the conversations governance actually requires.
None of this is complex. All of it requires someone to actually do it. That is the real governance gap in most small businesses — not sophistication, but accountability.