The governance gap most businesses do not know they have
Ask most SME leaders whether their business uses AI and the answer is typically cautious. "We are looking at it." "We have not decided yet." "We are waiting to see how things develop."
Ask their staff the same question and the answer is very different. ChatGPT to draft client emails. Copilot summarising meeting notes that include confidential information. Grammarly processing contracts. AI features embedded in project management tools, CRM platforms and communication software, often enabled by default and never reviewed.
The absence of a formal decision about AI adoption does not mean AI is not being used. It means it is being used without governance. Without understanding of what data is being processed. Without policies that define what is and is not acceptable. Without any mechanism for identifying when something has gone wrong.
For most UK SMEs, this is the current position. And it creates real, immediate risk that does not require a dramatic incident to materialise. A client discovers their confidential information was processed through a public AI tool. An insurer finds out that personal data was handled in a way that breaches the policy terms. A contract is lost because the business cannot demonstrate adequate data governance. These are not hypothetical outcomes. They are happening now.
The 72-hour clock may already be ticking
If personal data belonging to clients, employees or other individuals has been processed through a public AI tool without adequate safeguards, a reportable data breach under UK GDPR may already have occurred. The ICO reporting obligation begins when you become aware that a breach may have taken place, not when it is confirmed. Northstar can help you assess your current exposure and understand whether and how to address it.
The specific risks of ungoverned AI use
- GDPR and data protection breach
Public AI tools process the data you input through their systems. If that data includes personal information about clients, employees or other individuals, you are transferring personal data to a third-party processor. In most cases, there is no Data Processing Agreement in place and no assessment of whether the tool's data handling practices are compatible with your GDPR obligations. This is a breach regardless of whether any harm results.
- Client confidentiality breach
Professionals in legal, financial, healthcare and advisory roles have strict confidentiality obligations. Inputting client information into a public AI tool to assist with work tasks may breach those obligations, regardless of the tool's terms of service. In some regulated sectors, this carries specific professional conduct consequences.
- Cyber insurance invalidation
Cyber insurance policies increasingly include conditions relating to data handling and security controls. If an insured event occurs and investigation reveals that personal or sensitive data was being routinely processed through ungoverned AI tools, insurers may have grounds to decline or reduce the claim. This is a risk most businesses have not assessed.
- Accuracy and reputational risk
AI tools generate plausible-sounding output that is sometimes factually incorrect. AI-generated content used in client communications, reports or public-facing materials without adequate review creates reputational and potentially legal risk. The person who published it, and the business they represent, are accountable for its accuracy.
- Intellectual property exposure
The intellectual property status of AI-generated content is not fully settled in UK law. Businesses that rely heavily on AI-generated work product without understanding their IP position are taking on an uncertain risk. Additionally, inputting proprietary business information into public AI tools may compromise the confidentiality of that information.
"The goal of an AI policy is not to stop staff using useful tools. It is to ensure that use is intentional, governed and consistent with the business's obligations."
What a proportionate AI governance framework covers
For most UK SMEs, getting AI governance right does not require a lengthy policy document or an expensive compliance programme. It requires clarity on six key areas.
Approved tools
A defined list of AI tools that are approved for business use, based on an assessment of their data handling practices, terms of service and compatibility with the organisation's legal and contractual obligations.
Data classification
Clear guidance on what categories of information can and cannot be processed through AI tools. Personal data, client information, legally privileged material and commercially sensitive content should all be addressed explicitly.
Output review standards
The level of human review required before AI-generated content is used externally. The principle should be that AI output is a starting point, and the person using it takes responsibility for its accuracy and appropriateness.
Disclosure obligations
Where there are professional, contractual or regulatory obligations to disclose the use of AI in producing work product, staff need to understand and comply with them. This varies significantly by sector and client type.
Acceptable use boundaries
General guidance on what AI tools should and should not be used for within the business, consistent with the organisation's values, professional obligations and client commitments.
Review and update cadence
AI tools and the regulatory environment around them are evolving rapidly. The policy needs a defined review cadence, with clear ownership of who is responsible for keeping it current.
How Northstar helps you get governance in place
1. Current usage assessment
Understanding what AI tools your staff are currently using, for what purposes, and with what data. This is the essential starting point. You cannot govern what you do not know about, and the findings are almost always more extensive than leadership expects.
2. Risk exposure assessment
An honest evaluation of the GDPR, confidentiality, insurance and reputational risks created by current AI usage. Prioritised by commercial significance so you understand what needs to be addressed urgently and what can be managed over a longer timeframe.
3. Tool approval framework
Assessing the AI tools currently in use, and any under consideration, against a clear set of criteria covering data handling, terms of service, security practices and contractual compatibility. Producing a clear approved list with the rationale documented.
4. Policy development and communication
Writing the AI policy in plain English, designed to be understood and followed by the people it applies to rather than filed and forgotten. Supported by a brief, practical communication to staff that explains the rationale and the expectations clearly.
5. Ongoing governance oversight
AI governance is not a one-time exercise. New tools emerge constantly. Staff find workarounds. The regulatory environment evolves. Northstar's fractional IT director service provides the ongoing oversight that keeps your AI governance current and effective.
Getting governance in place without creating unnecessary friction
The most common concern from leaders when we raise AI governance is that a policy will be seen as restrictive and will create friction with staff who have found genuinely useful ways to work with AI tools.
This is a legitimate concern and it shapes how Northstar approaches policy development. The goal is not to ban AI use. It is to make it intentional. A well-designed AI policy enables confident, effective use of the right tools for the right purposes. It removes the uncertainty that currently sits underneath much AI use in ungoverned environments. And it protects the business and its people from risks they may not even be aware of.