Last updated: ·shadow-ai · governance-documents · ai-tiers
This page answers the questions regulated small businesses actually ask us about AI governance. The short answers are below, grouped roughly from “do we even need this” through “how do we start.” Each one links to a deeper guide where there is more to say.
If you read nothing else: AI is already in your business, the rules for it probably live in people’s heads, and the fix is a small set of living documents plus one person who owns them. That is governance, and it beats a ban every time.
How these answers map to help
Most of these questions resolve into the same handful of moves: take inventory, fix the tier and identity floor, write the minimum rules, keep a human accountable, and measure. If you want to see the whole arc in one place, start with the full guide to AI governance for regulated small businesses. If you would rather talk it through against your specific situation, book a free consultation and we will start there.
Frequently asked questions
What is AI governance for a small business?
It is the ongoing function of deciding where AI is allowed, under what rules, on which tools, with what human oversight, and how its value is measured. In practice it is a short set of living documents (a tool inventory, an acceptable use policy, a data classification reference, a risk assessment, and an onboarding and offboarding procedure) plus the habit of keeping them current. It is a job, not a one-time project.
Does my small business actually need an AI policy?
If anyone in your business uses AI, including personal accounts on personal devices, then yes. The choice is not whether to allow AI, it is whether the rules live in individual heads or on paper. A written policy turns invisible use into something you can see, guide, and defend.
We already banned AI. Isn't that safer?
No. A ban does not stop people from using AI, it stops them from telling you. The work still gets pasted into a chat window on a personal account with no record and no rules. Prohibition removes your visibility into the risk, not the risk. Governance beats prohibition because it brings the use into the light.
What is shadow AI?
Shadow AI is staff using AI tools the business has not approved or does not know about, usually on personal accounts. It is the predictable result of having no policy or a ban. The fix is not enforcement, it is giving people an approved way to do the thing they are already doing.
What is the single most important AI decision we make?
Usually the tier — which plan level of the tool you buy — not the tool. A free or personal account often allows your inputs to train the underlying model, meaning what you type in leaves your control. A business or enterprise tier of the same product usually does not, and gives you admin control and documentation. Choosing and configuring the right tier is most of the gap between defensible and exposed.
Does ChatGPT, Copilot, or Claude train on the data we put in?
It depends on the tier and the configuration. Free and personal-version tiers may use your inputs to improve the model — meaning what you paste in leaves your control — unless you turn that off in settings. Business and enterprise tiers of the major tools generally do not train on your data by default and give you a written commitment you can show later. Verify the setting and keep the documentation.
What are the five documents an AI program needs?
A tool inventory and approved-use registry, an acceptable use policy, a data classification quick reference, an AI risk assessment, and an onboarding and offboarding procedure. The value is in having them, keeping them current, and operating from them. AI moves fast; these documents set your pace instead of the vendors'.
Who should own AI governance in a small business?
One named person, an AI Program Lead, usually whoever already owns IT or operations decisions. Most AI programs stall because nobody owns them — no accountability, no follow-through.
Where does identity and security fit into AI governance?
Underneath everything. AI tools are reached through identity, so a program built on weak account and login security is documentation of holes. Multi-factor authentication (a second login step, like a phone code), account inventory, and checking whether your usernames and passwords have appeared in a breach are part of the AI program, not separate from it.
What does human-in-the-loop mean and why does it matter?
It means a person reviews AI output before any consequential action is taken. It matters for quality, because these tools produce confident output that is sometimes wrong, and for accountability, because the AI did it is not a defense a professional gets to make. The checkpoint is a design feature, not friction to remove.
How do we measure whether AI is actually paying off?
Establish a baseline before you change anything: how long the task takes, what it costs, the error rate. Then run an honest before-and-after comparison on a regular schedule, quarterly works well, and tie the metrics to how the business makes money rather than vanity numbers like how many questions people typed into the AI.
What does the ABA say about lawyers using AI?
ABA Formal Opinion 512, issued July 29, 2024, is the first formal ethics guidance on generative AI. It addresses competence, confidentiality, communication with the client, candor toward tribunals, supervision of lawyers and nonlawyer assistants including AI tools, and reasonable fees. It does not ban AI. It describes what responsible, documented use looks like.
Can a law firm's AI use waive privilege?
It can. In United States v. Heppner (SDNY, 2026), documents a defendant created with a public AI chatbot and later shared with counsel were ruled not privileged. The lesson is that free or personal-version tools and undocumented use create exposure, and that enterprise tiers used under a defined process are more defensible. We help build that process; we do not give legal advice.
We are a medical practice using an AI scribe. What should we govern?
Map where protected health information actually flows in the scribe workflow, confirm a business associate agreement is in place and covers AI use, choose a tier that does not train on your data, and keep a human checkpoint before anything enters the record. This is data-handling and identity work, which is exactly what an assessment covers.
We are a CPA firm. Where is AI safe and where is it risky?
Drafting, summarizing, and organizing are high-value and low-risk. Anything that puts client financial data into a free or personal-version tool is high-risk. The governance work is deciding which uses are approved, on which tier, with what checkpoint, before busy season rather than during it.
Do you read our client files or patient records?
No. We assess the container, not the contents. We examine who has access to which AI tools and what those tools can reach. We do not read your client files, patient records, or matter documents. That boundary is what makes the work appropriate for businesses bound by professional duty.
How long does it take to stand up an AI program?
The first useful version is fast. You can build an honest tool inventory and fix the worst tier and identity gaps in days. A full foundation with finished documents and a measurement framework is typically a few weeks of part-time work, or a four to six week assessment if you want it built and handed to you.
Where do we start if we have done nothing yet?
See what is actually happening through an audit (build the tool inventory, including personal accounts). Get the floor right (correct tiers, turn off training on inputs, confirm basic account and login security). Write the minimum rules (acceptable use and data classification). Then build the rest and add measurement. Automate last, with checkpoints.