AI Governance Framework for SMEs: 6 Building Blocks
TL;DR
- 6 building blocks: AI policy, AI inventory, assessment process, AI literacy, monitoring + incident plan, annual audit
- Aligned with NIST AI RMF and ISO/IEC 42001 (AI management system standard)
- EU AI Act ready: covers Art. 4 (literacy), Art. 26 (deployer duties), Art. 27 (FRIA preparation)
- Implementation effort: 5-10 person-days for 50-employee SME with 3-5 AI tools
- ISO 42001 certification optional but increasingly demanded by enterprise buyers
1. AI policy (top-level)
A management statement on AI use covering values, principles, prohibited use cases, accountabilities, and an exception process. One to three pages, signed by the managing director, communicated to all employees. Reference Art. 4 of the EU AI Act and the company's risk appetite.
2. AI inventory with risk classification
List every AI tool in use with its risk classification (prohibited / high / limited / minimal under the EU AI Act). Include the provider/deployer role, data types processed, business owner, and Annex III mapping. Update quarterly.
3. AI assessment process
Before any procurement: risk assessment, data-protection check, bias check, acceptable-use-policy (AUP) compatibility. Use a one-page intake form with sign-off by IT, the DPO, and the business owner. Block deployments that fail prohibited-practice screening.
4. AI literacy training
Curriculum meeting the Art. 4 EU AI Act literacy obligation (applicable since Feb 2, 2025). 8-module structure: AI basics, EU AI Act overview, prohibited practices, day-to-day use, high-risk awareness, transparency (Art. 50), GPAI tools, knowledge quiz with certificate. Refresher annually.
5. AI monitoring and incident plan
Output quality control (sample 10% of high-impact outputs), bias re-tests for HR and credit AI, and an incident escalation path. Define what counts as a "serious incident" under Art. 73 EU AI Act and how to report it within 15 days.
6. Annual AI audit
Internal audit covering all five preceding building blocks. Sign-off by managing director. Optional: certify the AI management system to ISO/IEC 42001 to satisfy enterprise procurement requirements.
Summary
An SME-grade AI governance framework can be implemented in 5-10 person-days and covers Art. 4, Art. 26, and FRIA preparation in one consistent structure. ISO/IEC 42001 alignment future-proofs against enterprise procurement demands and serves as a presumption of compliance for many EU AI Act controls.
Frequently Asked Questions
Is ISO 42001 mandatory?
No. Certification is optional, but it is increasingly demanded by enterprise buyers in procurement.
Is the NIST AI RMF free?
Yes. The NIST AI Risk Management Framework is published by NIST and available free of charge.
Sources
- Regulation (EU) 2024/1689 — EU AI Act (Art. 4 literacy, Art. 26 deployer duties, Art. 27 FRIA, Art. 73 incidents) (As of: 2026-05-02)
- EU AI Act Art. 4 — AI literacy (As of: 2026-05-02)
- European Commission — GPAI Code of Practice (As of: 2026-05-02)