The five AI governance documents every small business needs

Last updated: governance-documents · shadow-ai · data-classification

A program is not a feeling that you are being careful with AI. The foundation of AI governance rests on a small set of documents that turn judgment into something repeatable and reviewable. Five make up the foundation. None is long, and you do not need all five before you start. But each one closes a specific gap, and together they let you tell a regulator, an insurer, or a client that your AI use is deliberate rather than accidental.

Here is what each document does, why it matters, and the order we usually build them in.

1. The tool inventory and approved-use registry

This is the living record of every AI tool in use: the tool name, who uses it, at what tier (free, business, or enterprise plan), and for what. It is the document to build first, because you cannot govern what you cannot see.

Build it honestly, which means including the personal accounts people are quietly using, not just the tools the business pays for. Most owners are surprised how long the real list is. The inventory is also where you record the decision attached to each tool: approved for this use, not approved for that one, under review. That is why it is a registry, not just a list. It is the spine the other four documents hang from.

2. The acceptable use policy

This is plain language on what is allowed, what is not, and what may never go into which tool. The test of a good one is simple: a new hire can read it in ten minutes and know what to do on their first day.

Keep it concrete. Abstract principles do not survive contact with a deadline. A useful acceptable use policy names real situations: which tools are approved for which kinds of work, what has to stay out of free and personal-account tools, and who to ask when the answer is not obvious.

3. The data classification quick reference

This is a short guide that tells people which kinds of information are fine to use with AI, which need a protected tool, and which must never go near one.

It is the document that prevents the most common and most damaging mistakes, because most AI accidents are really data-handling accidents. Someone does not set out to expose protected information. They paste a document into a convenient tool without thinking about what is in it. A one-page reference that maps your categories of information to where they are allowed removes most of that risk. In a regulated business, this is the document that most directly connects AI use to the rules you already live under.

4. The AI risk assessment

This is a structured look at where AI use could go wrong in your specific business, what the consequence would be, and what control reduces it.

Done well, it is not a generic checklist. It reflects your actual workflows and your actual obligations, and it maps to the standards a regulator or insurer will ask about — for example, the NIST AI risk framework, published by the US standards agency — if you ever need it to. The risk assessment is what turns a pile of sensible rules into something defensible, because it shows you thought about the failure modes on purpose and put controls against them rather than hoping for the best.

5. The onboarding and offboarding procedure

This covers how a person gets access to AI tools when they arrive, and how that access is fully removed when they leave.

The offboarding half is the one most often forgotten, and it is the one that creates exposure. Accounts linger. Access that should have ended on someone’s last day quietly persists for months. Writing the procedure down, and tying it to the tool inventory, is what keeps access matched to who actually works for you. This is also where AI governance meets identity security — keeping the logins and accounts in your business locked down — which is why we treat them as one program rather than two.

Why finished documents beat a binder of best practices

You can find templates for all five of these online. The gap is not the templates, it is the difference between a generic document you downloaded and a finished one calibrated to your tools, your data, and your obligations — one your people actually use, and that someone keeps current.

That calibration is most of the work, and it is what our AI Program Assessment produces: the five documents, finished and externally reviewed, plus the measurement framework that tells you whether the program is working. If your AI lead would rather build the first drafts themselves with guidance, that is what the Governance Workshop is for. Both paths get you to the same place, a foundation you can stand on.

The point is the set, not the paperwork. Five short documents, kept current, owned by one person, turn AI from something happening to your business into something your business runs on purpose.

Frequently asked questions

What are the five AI governance documents?

A tool inventory and approved-use registry, an acceptable use policy, a data classification quick reference, an AI risk assessment, and an onboarding and offboarding procedure. They are the minimum foundation for a small business AI program.

Which AI governance document should we write first?

The tool inventory. You cannot govern what you cannot see, and building an honest inventory, including the personal accounts people quietly use, usually reveals the risks the other documents need to address.

Do these documents need to be long?

No. None of them is long. A good acceptable use policy can be read by a new hire in ten minutes. The value is in having the documents, keeping them current, and operating from them, not in their length.

What is a data classification quick reference?

A short guide that tells staff which kinds of information are fine to use with AI, which require a protected tool, and which must never go near one. It prevents the most common AI mistakes, because most AI accidents are really data-handling accidents.

What is the most commonly skipped AI governance step?

Offboarding. Businesses set up AI access when someone arrives and forget to fully remove it when they leave. That lingering access is a frequent source of exposure, which is why it belongs in a written procedure.

Want help putting this into practice?

A free consultation is the right place to start. We'll figure out where you stand and whether GuardXID is the right fit. No pitch.

Book a free consultation