Stan Tscherenkow
Pain Page · AI governance gap

My Team Is Using AI And I Do Not Know Who Approves It

The team is using AI in real work. You do not know which outputs reach customers. You do not know who decides what AI is allowed to do.

This is not a tool problem. It is a governance problem. And it is solvable in one page.

Short answer

AI governance for a small business is four rules: scope of decisions allowed, human approval thresholds, data boundary, and incident logging. Together they fit on one page. Without them, AI deployment becomes accidental policy and the founder owns mistakes the team made without permission.

The scene

Shadow AI is real. The policy is one page.

Marketing is using ChatGPT for copy. Sales is using an agent for follow-up. Support is testing a triage tool. None of it went through you. None of it has a documented approval point. Then a customer asks why the response they got sounded like AI. You realise you cannot answer who decided to send it.

An AI mistake is owned by whoever deployed the decision. The tool does not absorb accountability. When no policy exists, the founder absorbs it by default.

Old read

"We need an AI policy."

Real read

"We need four rules on one page and an approval point per workflow."

What usually breaks

The visible symptom is rarely the whole case.

Four places where AI deployment becomes structural exposure.

01

No scope of AI-allowed decisions.

The team does not know which decisions AI is allowed to make and which require human sign-off.

02

No human approval threshold.

AI outputs reach customers, partners, or financial counterparties without a human check.

03

No data boundary.

The team uploads customer data, financial data, or IP into AI tools whose data policy nobody has read.

04

No incident log.

When AI gets something wrong, there is no record, no review, no policy update.

Decision read

Compare the symptom to the decision path.

What it looks like | What it usually means | What to inspect
The team uses AI in customer-facing work. | No approval threshold. | Install one named approver per customer-facing workflow.
Customer or partner data goes into AI tools. | No data boundary. | Write a one-line data-boundary policy: what data goes in, what does not.
An AI output produced a problem; nobody recorded it. | No incident log. | Start an AI incident log this week. Three columns: what happened, what we changed, when we reviewed.
The team cannot answer "is AI allowed to decide X?" | No scope of allowed decisions. | Write a one-line list of decisions AI is allowed to make.

Decision test

Five questions to answer this week.

01

Which AI tools is the team using in customer-facing work right now?

02

Who approves the output before it reaches the customer?

03

What data are we allowed to put into AI tools? What are we not?

04

If AI gets something wrong, who finds out, and when?

05

What is the founder's exposure if a customer complains about AI output we did not approve?

What this decision usually needs

The structural read before the next move.

AI governance for a small business is four rules on one page. The structural read names which workflows need an approval point first and which can wait. The implementation is faster than the conversation about the implementation.

Common questions

Direct answers.

Do I need a formal AI policy stack?

No. Four rules on one page cover most small businesses: scope of allowed decisions, approval threshold, data boundary, incident logging. Large enterprises need more. Small businesses need clarity.

Who owns the AI workflow if the team picked the tool?

By default, the founder owns it. The team picked the tool; the founder owns the consequence. The fix is naming the workflow owner explicitly, not removing the tool.

How fast can a one-page AI policy be installed?

One week. Half a day to draft. The rest of the week to walk the team through it. The follow-through is the structural change, not the document.

Why not buy an AI governance product?

AI governance products are useful for enterprises with 100+ AI use cases. For a small business with 3-8 use cases, the work is one page and one approval point per workflow. The product overhead is larger than the actual policy.