AI Policy Starter Checklist for SMEs
Your team is already using ChatGPT, Claude, Copilot and a dozen other AI tools. You almost certainly don't have a policy. Here's the lightweight starter that every UK SME should have in place: an AI policy checklist, and the questions your policy needs to answer. Want hands-on help turning it into one? See our AI policy help for SMEs.
Why this matters now
The pattern is the same in every SME we walk into. Marketing is using ChatGPT for first drafts. HR is letting a generative tool summarise CVs. Operations has built a chatbot. Engineering is using Copilot. Finance is asking Claude to analyse spreadsheets. Nobody has written down what's allowed, what's not, what data shouldn't go into these tools, and who's accountable if it goes wrong.
That's not a hypothetical risk. It's how customer data ends up in a third-party LLM's training set. It's how a salary spreadsheet becomes a conversation in someone else's session. It's how your law firm finds out you've quoted them text the model hallucinated.
The fix is straightforward and you can do most of it in a fortnight. Here's the checklist.
1. Acceptable-use policy
A short, plain-English document that answers:
- Which AI tools are approved for which kinds of work?
- Which categories of data must never be put into a third-party AI (customer PII, employee records, commercially sensitive material, regulated data)?
- Where do outputs need human review before use (especially anything customer-facing or legally relevant)?
- Who do you ask if you're not sure?
- What happens if the policy is breached?
Keep it under two pages. Long policies don't get read.
2. AI system inventory / register
A simple spreadsheet (yes, really) listing every AI tool or AI-enabled system in active use. For each one:
- Name and vendor of the tool.
- Business owner (who decided to use it).
- Function (what it does, in one sentence).
- Data it processes (categories, not records).
- Risk classification (low / medium / high).
- Whether any automated decisions about people are made through it (Article 22 flag).
- Whether it touches the EU market (EU AI Act flag).
- Date last reviewed.
This single document does more for your governance posture than any amount of policy writing. You can't manage what you can't see.
3. Roles and accountability
You need three named people, even in a small SME:
- An AI accountable executive: typically a director or board member who owns AI risk at the top of the house.
- An AI operational owner: someone day-to-day responsible for the inventory, the policy, and triaging questions.
- A privacy / DPO contact: because most AI questions are also data-protection questions, and you need someone who can spot when a DPIA is required.
One person can wear two of those hats in a small firm. The point is they're named, written down, and people know who to ask.
4. AI literacy training (Article 4)
The EU AI Act's Article 4 expects every organisation that deploys AI to ensure its staff have a sufficient level of AI literacy. Even for firms not in EU scope, this is becoming a baseline expectation from procurement teams and insurers.
It doesn't have to be elaborate. A 30-minute internal session covering: what generative AI actually is, the kinds of mistakes it makes, the data categories that never go into it, how to spot a hallucination, how to challenge an AI-supported decision. Run it once for everyone, repeat annually, do a focused version for high-exposure teams (HR, legal, customer support).
5. The high-risk handful: extra controls for the systems that matter
Most AI in your business is low-risk. A handful of systems are not: typically anything that makes a decision about a person, anything that processes patient or sensitive financial data, and anything customer-facing at scale. For those:
- A DPIA on file.
- A documented human oversight process, with evidence the override is used in practice.
- A user-facing transparency note ("this decision was supported by automated processing…").
- A contestability process: the named route a person uses to challenge an automated decision.
- An Equality Act review if any decisions affect protected characteristics.
If you don't know which of your systems are high-risk, that's exactly what an AIME Health Check or a Consultation would surface.
6. Incident handling
What happens when something goes wrong: a wrong customer answer, a leaked dataset, a discriminatory output? A simple internal process: how it gets reported, who triages, when it escalates, what gets logged, and what gets communicated externally. This need not be elaborate; it needs to exist.
7. A quarterly refresh
Calendar a 30-minute review every three months. Three questions: what new AI tools have we adopted? What's changed in the regulatory picture? Any incidents or near-misses to learn from? Update the register, refresh the policy if needed, move on.
How long does this take?
For a typical East Midlands SME with 20–250 staff, the full starter pack (acceptable-use policy, populated inventory, role assignments, a literacy training pack and the quarterly cadence) takes us 1–2 weeks to deliver as a fixed-price engagement (our AI Policy Starter Pack). You can absolutely do it yourselves with this checklist as a guide; we just save you the calibration and decision fatigue.
Where this leaves you
A policy isn't compliance. It's not certification. But it's the single highest-leverage hour of governance work most SMEs can do, and it tees up everything else: AIME, Article 22 audits, ISO 42001 readiness, EU AI Act preparation. Without a policy and a register, those exercises have nothing to stand on.