“AI governance” sounds like something only big companies need — but for UK SMEs, a little of it prevents the most common (and costly) AI mistakes. Here’s a proportionate 2026 guide, cited to official sources. (dgm implements osFoundry as an independent partner. General information, not legal advice.)
What AI governance actually means
Strip away the jargon and AI governance is simply knowing and controlling how AI is used in your business:
- where AI is used;
- who’s accountable for it;
- what data it touches;
- how outputs are checked; and
- how you stay compliant.
For an SME, that should be proportionate — not a heavyweight committee, but enough to avoid foreseeable harm.
A light framework that fits an SME
A practical minimum:
- An AI use policy — what tools are allowed, what data may (and may not) be entered. (See our AI use policy guide.)
- A simple use/risk register — a list of where AI is used and the main risks.
- Named accountability — one person responsible for AI.
- Human review of significant or customer-facing outputs.
- DPIAs where personal data is involved.
- Basic vendor/data checks — where does the data go?
Scale it up only as your AI use grows. Start with the policy and the review step.
The rules it must satisfy
Even proportionate governance must satisfy:
- UK GDPR — lawful basis, DPIAs, transparency, and automated decision-making safeguards under the Data (Use and Access) Act 2025;
- your sector regulator’s expectations (FCA, etc.); and
- the EU AI Act if you sell into the EU.
Remember: the UK has no single AI Act, so obligations come from existing law.
The risks light governance prevents
The most common, costly SME AI mistakes are mundane:
- staff pasting confidential or personal data into consumer AI tools;
- unverified AI outputs reaching customers (errors, “hallucinations”);
- no one accountable when something goes wrong.
A one-page policy and a review step prevent most of these — cheaply.
Where osFoundry and dgm fit
dgm builds AI with governance designed in, proportionate to an SME: audit logging (you can see what the AI did), transparent configuration (osStudio makes prompts and routing explicit), human-in-the-loop review for significant outputs, and data control (self-host or an EU region, bring-your-own-key) so sensitive data isn’t exposed to consumer tools. On osFoundry, governance isn’t a bolt-on — it’s part of how the system is built.
dgm is an independent integration partner with zero integrations so far, and not a law firm. Your policy and accountability stay with you. To scope a governed, proportionate AI project, book a consultation with dgm.