A proportionate approach to AI controls for SMEs
The word "controls" can sound intimidating, evoking images of enterprise risk functions, audit committees, and complex documentation. For most SMEs, the appropriate AI controls approach is much simpler: clear, documented practices that prevent the most significant AI risks from materialising. Here is a practical framework that does not require a specialist risk team to implement.
Step 1: Build your AI tool register (30 minutes)
List every AI tool your organisation uses commercially. For each tool, record: what the tool does; what data you put into it (customer data, employee data, confidential business data, or none); whether the vendor's terms allow them to train AI on your data; and whether you have a Data Processing Agreement in place (required for EU/UK GDPR compliance for tools processing personal data). This register is your starting point: you cannot control what you have not identified.
Step 2: Classify your AI tools by risk level
Not all AI tools carry the same risk. Classify each tool on your register into one of three categories. Low risk: AI productivity tools that do not process personal data and do not influence significant decisions (grammar checkers, scheduling assistants, code completion tools). Medium risk: AI tools that process personal data or influence business decisions (AI email analysis, AI-assisted customer communications, AI content generation for marketing). High risk: AI tools that make or significantly influence decisions about people (AI hiring screening, AI customer credit assessment, AI pricing tools, AI that affects access to your products or services).
High-risk tools need more controls. Low-risk tools need only basic awareness and a check of the vendor's data practices.
The SME AI control checklist
For every AI tool (all risk levels): Is it on the register? Have you checked whether your data trains their AI model? Is there a Data Processing Agreement for tools processing personal data? Have you checked whether your privacy notice covers this AI use? Is there a contact person who is responsible for this tool?
For medium-risk tools (additional): Is personal data minimised, that is, are you only sending the data actually needed for the task? Are there limits on what data employees can input into the tool? Has the tool been discussed with HR if it affects employees?
For high-risk tools (additional): Is there a human review of AI outputs before they affect significant decisions? Can you explain to affected individuals why the AI reached its conclusion? Do you have a process for individuals to challenge AI-influenced decisions? Have you considered whether the AI tool might produce different outcomes for different demographic groups? Is the legal basis for using personal data in this AI documented?
Making controls stick
Controls only work if people follow them. For SMEs, the most effective approach is building AI controls into existing processes rather than creating parallel AI governance infrastructure. Add an AI tool check to your vendor onboarding process. Add an AI review question to your annual data protection review. Brief staff annually on what they can and cannot put into AI tools. These simple integrations make controls sustainable without significant overhead.