AI Governance and Compliance Frameworks: What Every Business Needs to Know

The era of using AI without rules is over. The frameworks now exist, some of them carry real penalties, and which ones apply to you depends on where you operate. Here is the map.


If your business uses AI in any form, from a chatbot on your website to an internal tool that screens job applicants, you now sit inside a regulatory landscape that did not exist three years ago. The question is no longer whether AI governance applies to you. It is which frameworks apply, whether they are mandatory or voluntary, and how much exposure you are carrying without realising it.

AI governance is the set of policies, controls, and accountability structures that keep your AI systems safe, lawful, and under meaningful human control. A governance framework is the published standard or regulation that defines what "good" looks like. Some of these frameworks are now law, with fines reaching tens of millions of euros. Others are voluntary, but adopting them is fast becoming the price of doing business with larger customers. This post explains the difference, walks through what applies in each major region, and sets out where a small or mid-sized business should actually start.

The single most important distinction is mandatory versus voluntary

Before you look at any specific framework, you need to know which category it falls into, because that determines whether non-compliance is a legal risk or a commercial one.

Mandatory frameworks are laws. If they apply to you and you ignore them, you face fines, enforcement action, and in some jurisdictions personal liability for directors. The EU AI Act, GDPR, and a growing list of US state laws all sit in this category.

Voluntary frameworks are standards and best-practice guidance. No regulator will fine you for skipping them. But they are increasingly written into supplier contracts, B2B due-diligence questionnaires, and procurement requirements. NIST AI RMF, ISO/IEC 42001, and the OECD AI Principles are the ones you will hear about most.

The trap most businesses fall into is treating all of it as optional because "the AI rules aren't really enforced yet." That was true in 2023. It is not true now. The EU AI Act's prohibited-use provisions have been in force since February 2025, and its general-purpose AI rules since August 2025.

Which rules apply to you depends on geography, not industry

There is no single global AI law, and there will not be one for years. Instead, your obligations are determined by three things: where you place AI systems on the market or use them, where your users are located, and where your data is processed. A ten-person company in Manchester selling AI-enabled software to French customers is inside the EU AI Act's scope. A US firm that puts no AI system on the EU market, and whose systems' outputs are not used in the EU, is outside it, but may be caught by its home state's laws instead.

The European Union: the most far-reaching regime

The EU AI Act is the world's first comprehensive AI law. It entered into force on 1 August 2024 and applies in stages: the bulk of its obligations, including most high-risk requirements, apply from 2 August 2026, with AI embedded in separately regulated products (machinery, medical devices and the like) following in August 2027. It sorts every AI system into four risk tiers. Unacceptable-risk uses, such as social scoring and emotion recognition in the workplace or in education, are banned outright. High-risk systems, which include CV-sorting software, credit scoring, and tools used in education or critical infrastructure, must meet strict requirements: a risk-management system, data governance over training and test data, automatic activity logging, human oversight, documented accuracy and robustness, and technical documentation. Limited-risk systems such as chatbots carry transparency duties, meaning you must tell people they are interacting with AI. Minimal-risk uses like spam filters are unregulated.

The penalties are what make this matter. Prohibited practices attract fines of up to €35 million or 7% of global annual turnover, whichever is higher. Breaches of the high-risk and other operator obligations can reach €15 million or 3%. For SMEs and start-ups the Act caps each fine at the lower of the two figures rather than the higher, which softens the number but not the obligation. Crucially, the Act applies to any provider that places a qualifying AI system on the EU market, to any deployer located in the EU, and to providers and deployers outside the EU whose system's output is used in the EU, regardless of where the company itself is based.

The United States: a patchwork that is filling in fast

The US has no federal AI law yet, so the action is at state level, and it is accelerating. The Colorado AI Act is the first comprehensive state law; its original 1 February 2026 start date was pushed back by the legislature, and it is now scheduled to take effect on 30 June 2026. It targets algorithmic discrimination in high-risk areas such as hiring, healthcare, housing, and education, and it imposes duties on both developers and deployers, including impact assessments (annually and after significant changes) and consumer notification. New York City already mandates bias audits for automated hiring tools under Local Law 144. California's training-data transparency law (AB 2013) requires developers to publish summaries of the datasets behind generative models, and its frontier-model safety law (SB 53) adds whistleblower protections. Texas, Utah, and Illinois have their own rules. If you operate across US states, you are dealing with several overlapping regimes at once.

The rest of the world: converging, but not aligned

The UK has taken a deliberately lighter approach: a non-statutory framework built on five principles (safety, security and robustness; transparency and explainability; fairness; accountability and governance; contestability and redress), enforced through existing regulators rather than a single AI law. South Korea's AI Basic Act, in force from January 2026, is Asia's first comprehensive regime and applies extraterritorially. China runs a centralised model with strict synthetic-content labelling. Singapore, Canada, and Australia all have voluntary frameworks that are widely adopted but not yet binding. The direction of travel is the same everywhere; the detail and the timing are not.

For most businesses, the EU AI Act is the sensible baseline

Here is the practical shortcut. Because the EU AI Act is the most prescriptive regime in the world, building your governance to meet its high-risk requirements covers a significant share of what every other framework asks for. Risk assessment, data governance, logging, human oversight, and documentation are common threads across almost all of them. If you design your controls to satisfy the EU AI Act, you will be most of the way to compliance with the others; what remains is mostly local specifics such as the bias-audit format a particular state or city demands.

This does not mean every business needs full high-risk compliance. Most SME AI use is limited or minimal risk. But adopting the EU's structure as your reference point gives you a defensible, future-proof foundation rather than a patchwork you have to keep retrofitting as new laws land.

The biggest risks usually sit closer to home than the regulators

Regulatory fines get the headlines, but for most small and mid-sized businesses the more immediate exposure comes from inside the organisation. Three risks are worth naming plainly.

Shadow AI is the most common source of governance failure. Shadow AI is any AI tool that employees use without the knowledge or approval of IT or leadership. Staff paste confidential data into free chatbots, run client information through tools no one has vetted, and make decisions with AI that no one is monitoring. You cannot govern what you cannot see, and most businesses have no inventory of what is actually in use.

Existing laws already apply, even where AI-specific rules do not. Privacy law, anti-discrimination law, consumer protection, and corporate-governance duties all bite on AI use today. GDPR already governs any AI system that processes personal data, which means a great deal of everyday AI use is regulated whether or not the EU AI Act applies to you.

Directors can be personally liable. Where AI is deployed improperly and causes harm, the responsibility does not always stop at the company. Directors can be exposed to personal liability for failures of oversight, which makes AI governance a board-level concern, not just an IT one.

You cannot govern what you cannot see. The first deliverable of any real AI governance programme is an honest inventory of what your business is actually running, including the tools no one signed off on.
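The quickest honest inventory usually comes from the data you already hold: web-proxy or DNS logs. Below is an added example, not code from the original article or from Dynome, that matches proxy destinations against a watchlist of AI SaaS domains and splits the result into approved and unapproved tools. The domain watchlist, the approved-tool list, the log format and the log lines are all constructed for illustration; a real run would read your own proxy export and your own register of signed-off tools.

```python
"""Shadow-AI discovery from web-proxy logs (illustrative example).

Builds a first-cut inventory of AI services in use by matching proxy log
destinations against a watchlist of AI SaaS domains, then separates the
tools the business has approved from the ones it has not.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Assumed watchlist of AI SaaS endpoints (illustrative subset; extend from your
# own CASB category feed). Matching is suffix-based so subdomains count too.
AI_DOMAIN_WATCHLIST = {
    "chatgpt.com": "ChatGPT",
    "openai.com": "OpenAI API",
    "claude.ai": "Claude",
    "anthropic.com": "Anthropic API",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
    "huggingface.co": "Hugging Face",
}

# Assumed register of tools that IT has actually vetted and signed off.
APPROVED_TOOLS = {"Microsoft Copilot"}


@dataclass
class ToolUsage:
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_sent: int = 0  # client-to-server bytes: a rough proxy for data pasted or uploaded


def classify_host(host: str) -> Optional[str]:
    """Return the AI tool name for a destination host, or None if it is not on the watchlist."""
    host = host.lower().rstrip(".")
    for domain, tool in AI_DOMAIN_WATCHLIST.items():
        if host == domain or host.endswith("." + domain):
            return tool
    return None


def parse_line(line: str):
    """Parse one space-separated proxy record in the assumed format
    <iso-timestamp> <user> <method> <dest-host> <status> <bytes-sent>.
    Returns (user, host, bytes_sent), or None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, user, _method, host, _status, sent = parts
    try:
        return user, host, int(sent)
    except ValueError:
        return None


def build_inventory(lines):
    """Aggregate per-tool users, request counts and bytes sent across the log."""
    inventory = defaultdict(ToolUsage)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed records rather than abort the whole run
        user, host, sent = rec
        tool = classify_host(host)
        if tool is None:
            continue  # ordinary web traffic
        usage = inventory[tool]
        usage.users.add(user)
        usage.requests += 1
        usage.bytes_sent += sent
    return dict(inventory)


def shadow_ai_report(lines):
    """Split the inventory into approved tools and shadow AI (everything else)."""
    inv = build_inventory(lines)
    return {
        "approved": {t: u for t, u in inv.items() if t in APPROVED_TOOLS},
        "unapproved": {t: u for t, u in inv.items() if t not in APPROVED_TOOLS},
    }


# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = """\
2026-03-02T09:14:05Z alice POST chatgpt.com 200 18342
2026-03-02T09:15:11Z alice POST api.openai.com 200 5120
2026-03-02T09:20:40Z bob GET copilot.microsoft.com 200 312
2026-03-02T09:22:03Z bob POST copilot.microsoft.com 200 2048
2026-03-02T09:30:17Z carol POST claude.ai 200 41000
2026-03-02T09:31:00Z carol GET www.example.com 200 0
2026-03-02T09:32:45Z dave POST claude.ai 200 9000
garbage line that will not parse
""".splitlines()

if __name__ == "__main__":
    report = shadow_ai_report(SAMPLE_LOG)
    for bucket in ("unapproved", "approved"):
        print(f"== {bucket} ==")
        for tool, u in sorted(report[bucket].items(), key=lambda kv: -kv[1].bytes_sent):
            print(f"{tool:18} users={len(u.users)} requests={u.requests} bytes_sent={u.bytes_sent}")
```

The bytes-sent column is the one to sort by: a single user pushing tens of kilobytes into an unvetted chatbot is a more urgent finding than fifty users loading a login page. Treat the output as the starting list for the inventory, then confirm with the people involved what each tool is actually being used for and what data goes into it.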

Where small and mid-sized businesses should actually start

The mandatory frameworks are written for organisations operating at scale, and reading them cold is daunting. But the starting moves for an SME are straightforward, and you do not need a governance board or a six-figure budget to make them.

Do these rules apply to me if I'm not based in the EU?

Possibly, yes. The EU AI Act and GDPR both apply based on where your users and data are, not where your company is registered. If you offer goods or services to people in the EU, process the personal data of EU residents, or place AI-enabled products on the EU market (or your AI systems' output is used there), you are likely in scope. If you are entirely domestic with no EU exposure, your starting point is your home jurisdiction's rules plus a voluntary baseline.

We only use tools like ChatGPT and Copilot. Are we still affected?

Yes. Using third-party AI tools makes you a deployer, and deployer obligations are real. You are responsible for how those tools handle personal data, what decisions they influence, and whether employees are using them safely. The fact that you did not build the model does not remove your accountability for how it is used in your business.

For a business with no EU or covered-state exposure, the right move is to adopt a voluntary framework as your baseline. The NIST AI Risk Management Framework is flexible and free, organised around four functions: govern, map, measure, and manage. ISO/IEC 42001 is the certifiable standard, useful if customers are starting to ask for formal assurance, and it integrates cleanly with ISO 27001 if you already hold it, because both share the same management-system structure. Either gives you a credible structure that demonstrates diligence and prepares you for whatever becomes mandatory next.

Whatever your situation, the sequence is the same. Map your jurisdictional exposure so you know which rules apply. Build an honest inventory of every AI tool in use, shadow AI included. Classify each one by risk. Put a lightweight governance framework in place with clear ownership. Then maintain it with a short, regular review rhythm. None of this requires you to halt AI adoption; it makes that adoption defensible.

Global harmonisation of AI rules is years away. The businesses that build adaptable governance now, rather than waiting for the dust to settle, hold a structural advantage: they can adopt AI faster and with more confidence, because they can prove it is under control. If you want an honest look at where your business stands and what would move you forward, the best next step is a conversation.

Martin Wilkings

Co-founder, Dynome

Martin Wilkings is the co-founder of Dynome. He has spent over a decade delivering technology programmes for organisations including Lockheed Martin, Worldpay, and UK Government, and has been building AI products since 2022.

AI Governance · AI Compliance · EU AI Act · GDPR · ISO 42001 · NIST AI RMF · Shadow AI · Risk Management

Not sure which AI rules apply to your business?

Book a free consultation with us. We'll map your regulatory exposure, find the AI already in use across your business, and show you the shortest path to governance you can defend.

No obligation. No hard sell. Just a conversation. Take the free AI Readiness Assessment →