What is AI governance, in plain terms? It is the set of rules, checks, and records a firm puts around its use of AI so that someone is accountable for what the tools decide. Not a document that sits in a drawer. A working answer to three questions: what are we using AI for, who is responsible when it goes wrong, and can we prove how it behaved.
For a regulated or professional-services firm, that is the difference between a tool you can defend to a regulator and one you cannot. This note is the short version of our governance report.
What it actually covers
Governance starts with an inventory. You cannot govern what you have not written down, and most firms underestimate how many AI tools are already in use once you count the ones individual staff signed up for. The first real step is a list of where AI touches the business.
From there it covers ownership (a named person accountable for each use), data handling (what the tool processes, where it goes, and whether the vendor uses it to train a model), and a record of the decisions the tool influenced, so you can reconstruct what happened if asked.
It also covers the human-in-the-loop question. For any decision that affects a client or an employee, governance defines where a person must review before the output is acted on. The point is not to slow everything down. It is to put the checks where the consequences are.
Why it is not optional for regulated firms
If your firm is itself subject to audit or professional regulation, your use of AI is in scope whether you have thought about it or not. A regulator asking how you handle client data does not accept "the vendor takes care of it" as an answer. The accountability stays with you.
The EU AI Act and the data-protection regimes across Europe have moved this from good practice to expected practice. The specifics vary by sector, but the direction is settled: firms are expected to know what their AI is doing and to be able to show it. A firm with no governance is not neutral; it is exposed.
The reassuring part is that proportionate governance for a small firm is not a heavy programme. It is an inventory, a few named owners, a vendor-checking habit, and a light record. The report behind this note shows what that looks like at small-firm scale.
Where to start if you have nothing
List every AI tool in use, including the ones staff adopted on their own. Assign an owner to each. For each one, answer the data question (what it processes and whether it leaves your control) and the accountability question (who signs off when it influences a decision that matters).
That is enough to be meaningfully ahead of most firms your size. The frameworks and certifications are useful later, but they are scaffolding on top of those basics, not a substitute for them. Our governance report turns this into a checklist a firm can work through in an afternoon.