For Startups & Founders
AI governance for founders: the honest version.
Do you need it? What applies to you? What will investors ask? Plain answers for founders building with AI, before governance becomes a problem at your Series A.
The questions every AI founder needs answered
These apply wherever you're building; jurisdiction-specific rules are in the country sections below.
Do I actually need AI governance?
Yes, but not an enterprise programme. At seed and early stage, a simple AI policy, an inventory of the AI tools and models you use (including what data each one sees), and a clear picture of your data obligations is enough. Investors and enterprise customers will ask for all three.
What data rules apply to my product?
It depends where your users are, not where you're incorporated. EU users: GDPR applies regardless of where you're incorporated. US users: state privacy laws (CCPA if you have California users). Australian users: the Privacy Act applies if your annual turnover exceeds AUD 3 million, or regardless of turnover if you provide a health service that holds health information. Your lawyers need to know exactly what your AI does with user data: what is sent to third-party models, what is retained, and what is used for training.
Does the EU AI Act apply to me?
If your product has EU users and uses AI for hiring, credit scoring, healthcare, law enforcement, or critical infrastructure, yes: those are high-risk uses under the Act, and the obligations for high-risk systems start applying from August 2026 (later for some product-safety categories), so it matters now. General-purpose AI features carry lighter obligations, but the Act's transparency requirements (telling users they are interacting with an AI, labelling AI-generated content) apply from August 2026.
What do investors ask about AI governance?
Series A and beyond: investors, especially those with LP reporting obligations, will ask about your AI risk framework, where your data comes from, your privacy compliance, and whether you've addressed copyright exposure from training data. Get ahead of this.
Can I train on public data legally?
Complicated. Text-and-data-mining exceptions exist in the EU (with a rights-holder opt-out for commercial use) and the UK (non-commercial research only), and both have limits. The US is still litigating whether training on copyrighted material is fair use. Australia has no clear safe harbour. Where your training data came from and what opt-outs existed at the time matter. Document your data sourcing.
What AI vendor contract terms matter?
Data ownership; confidentiality (does the vendor train on your data or your users' data, and can you opt out?); breach notification timelines; the sub-processor list and notice of changes to it; and what happens to your data at termination (return and deletion). Most standard vendor terms heavily favour the vendor, so negotiate these before you sign.
Guides for founders everywhere
Practical startup AI governance guidance regardless of where you're incorporated or where your users are.
Where you operate, and where your users are, changes everything
Your obligations follow your users, not your incorporation address. A US-incorporated startup with EU users is subject to GDPR. An Australian startup with UK customers faces UK GDPR.
🇦🇺 Australian startup founders
Australia has good free resources for startups: the NAIC's AI6 Foundations guidance, OAIC privacy guidance, and the Australian Consumer Law (enforced by the ACCC), which applies from day one regardless of your revenue.