AI Governance

AI governance is the policy and process layer for managing AI risk in an organization. Definition, frameworks, and what SMBs actually need.

By Kadin Nestler · May 28, 2026 · Updated May 28, 2026

What governance covers

  • Inventory — what AI systems are in use, by whom, for what purpose.
  • Risk classification — which systems are high-risk, which are routine.
  • Approval workflow — who signs off before a model is deployed.
  • Documentation — model cards, data sources, evaluation results, known limitations.
  • Monitoring — drift detection, output quality tracking, incident reporting.
  • Audit trail — every decision an AI system makes is logged and recoverable.
  • Policy — acceptable use, data handling, vendor management, employee training.

Major governance frameworks

  • NIST AI Risk Management Framework (RMF) — US voluntary standard, widely adopted.
  • EU AI Act — risk-tiered regulation; high-risk systems require conformity assessment.
  • ISO/IEC 42001 — international standard for AI management systems.
  • OECD AI Principles — international policy framework.
  • Sector-specific — FDA for medical AI, FINRA/SEC for financial advice, HIPAA for health data.

What SMBs actually need

A 20-person company does not need a 200-page AI governance program. What it does need: a documented AI acceptable-use policy, an inventory of which AI tools handle customer data, a vendor due-diligence checklist (data residency, training opt-out, a data processing agreement or DPA), and an incident response plan for when an AI tool produces a harmful output. Most of this is one or two pages, not a binder.

The EU AI Act in particular

The EU AI Act (in force August 2024, with phased compliance through 2026) classifies AI systems by risk tier and imposes obligations on providers and deployers. For SMBs serving EU customers, even consumer-facing chatbots may fall under transparency requirements (users must know they are talking to AI). The fines for non-compliance scale up to 7% of global revenue, so it is worth checking even if you assume you are out of scope.

What it means for your business

AI governance is the unsexy work that keeps you out of regulatory headlines. A two-page policy and an inventory will protect you from 95% of preventable incidents.