Your Team Is Using AI – Here Are the 3 Governance Questions You Cannot Ignore
Right now, your employees are using artificial intelligence tools to do their work. As a CEO, I think about this issue often and am confronted with how we roll out this amazing tool as it moves and evolves from month to month. We know our teams are drafting emails with it, summarising documents, writing reports, generating proposals and researching competitors. Some have been doing it for months or even years.
The questions that the founders and CEOs need to be across are:
Do you know about it? Have you approved its usage? Do you know which tools they are using, or what information they are putting into them?
In summary, have you got AI governance in place?
If the answer to any of those questions is ‘not really’, you are not alone. Recent research from the Governance Institute found that more than two-thirds of business leaders reported using AI tools in the previous six months, yet most of their organisations had no formal policy in place governing how those tools should be used. The pace of this technology is incredible and is running ahead of the rules, and in most SMEs, no one has stopped to write the rules yet, let alone continually review and refresh them.
This is a leadership and governance problem, not an IT problem, and there is a solution. You do not need a dedicated AI committee, a technology strategy document covering the next 3 years or a specialist IT team. You need honest answers to three practical questions. Once you have those answers, you can make informed decisions about how AI operates in your business. This is then documented and communicated to your team.
Why This Is An Issue For SMEs
Large organisations have compliance teams, legal departments and IT security functions who monitor how this technology is being used. SMEs do not. What they have is a lean, capable team of people who are resourceful by necessity, and resourceful people find tools that help them work faster and they use them.
In a smaller business, that adoption happens quickly, informally and often invisibly. A team member discovers that a free AI writing tool can draft their weekly report in ten minutes instead of an hour. They tell a colleague. The colleague starts using it too. Within a month, three members of your team are regularly feeding business information into a platform that you have never heard of, whose data practices and security you have never reviewed, and whose terms of service no one in your business has read.
It’s human nature to use tools that make your job easier, and most AI tools are genuinely useful. The issue is that the business owner, who carries the legal and commercial responsibility for what happens inside the business, has not been part of the conversation. Here are three important questions to consider:
Question 1: What Data Is Going Into Your AI Tools?
This is the most important question and it is the one most business owners have never asked. When your employees use an AI tool, they feed it information. That information could be innocuous – a list of topics for a newsletter, a request to summarise some industry news. Or it could be considerably more sensitive.
Think about what your business handles on a typical day: client names and contact details, financial information, contracts, employment records, supplier agreements, strategic plans, pricing models. Any of this information could find its way into an AI tool if the person using it does not know that they should not put it there, or does not know whether their licence keeps that data out of the AI model's training.
Many free AI tools use the conversations and content you provide to train and improve their models. That means information your employee types into the tool today could, in some form, influence the outputs that tool generates for other users in the future. Your client’s details. Your pricing strategy. A confidential supplier arrangement. Once that information is in the system, you have no control over how it is stored, used or retained unless you use an AI system where you have a licence protecting the use of your data.
There are also privacy obligations to consider. If your business handles personal information (almost every business does) you have obligations under Australian privacy law about how that information is stored and how it is shared. Feeding a client’s details into a third-party AI platform may well constitute a disclosure of personal information. Your employees may not have considered this and in many cases.
The practical first step here is to simply find out which AI tools your team is currently using and then look at what kind of information is being entered into them. This information will allow you to create practical guidelines for how AI is used in your business. Ascertain what AI models are being used and then ensure your sensitive data is protected by having the right licence in place.
Question 2: Who in Your Business Is Making These Decisions?
Our experience shows that in most SMEs there is usually no one specific person who oversees AI. Individual team members are making their own choices about which tools to use and how to use them, based on personal preference, peer recommendation or what is available and discussed online. This can create real exposure for the business.
Consider what happens when different team members use different AI tools for similar tasks. The output quality varies. The data handling practices vary. The terms of service vary. If something goes wrong, such as a data breach, a compliance issue or a client complaint about how their information was handled, there may be no clear record of what was decided or by whom.
The question ‘who is making these decisions?’ is really a question about accountability and governance. In a well governed business, significant decisions about how client data is handled, which third-party platforms are used and how business information is shared externally are leadership decisions. They do not need to be made by a committee or documented in a fifty-page policy. But they do need to be made consciously, by someone with the authority and the information to make them well.
For most SMEs, the starting point is simply designating someone to have the responsibility of identifying the right AI tools and communicating a clear usage and governance policy. This could be the business owner, an operations manager, or a senior team member, acting as the person responsible for reviewing and approving the AI tools the business uses. It is not the sole responsibility of the IT department. It doesn’t need to be complex; the key is that someone is in the loop.
Question 3: What Happens When Something Goes Wrong?
AI tools make mistakes: they hallucinate. This means they generate information that sounds authoritative and turns out to be incorrect, false and entirely fabricated. They produce content that is off-brand, legally risky, or even factually wrong. If a team member relies on that output without checking it, and it reaches a client, a regulator or a business partner, the consequences become your problem. We are seeing examples of this in Australia and it is a huge risk to reputation and brand.
Beyond output errors, there is the broader question of what happens if a data issue arises. If a client asks what happened to their information, or a privacy complaint is made, or a security incident occurs that involves an AI platform your business was using, what is your response? What records do you have?
In our view you do not need an elaborate response plan to answer this question adequately. What you do need is a basic understanding of which tools your business uses, a record of what decisions were made about their use and a clear expectation that AI-generated outputs are reviewed by a human before they go anywhere important. This is a governance framework.
Where to Start: A One-Page Approach
Effective AI governance for an SME does not require a legal team or a technology consultant. It requires a short, honest conversation with your team, followed by a few clear decisions that are documented and well communicated as well as continually reviewed and updated to reflect the pace of change AI is setting. A practical and pragmatic starting point could be:
- Simply ask your team which AI tools they are currently using and what they use them for. You may need to make it clear that you are not trying to catch anyone out; you are trying to understand what is already happening.
- Appoint a central coordinator and identify which tools are appropriate to use for which types of tasks. Client data and confidential business information should only go into platforms with enterprise grade data handling and privacy protections (usually paid AI subscriptions and premium tools). General research, drafting, and public information tasks carry far lower risk.
- Set a simple rule about reviewing all AI-generated outputs before they are used and distributed. This should not slow anyone down; it just ensures a human remains in the loop.
- Write it down. Even a single page that names the approved tools, sets out the basic rules and identifies who is responsible is enough to give your business a defensible position if something goes wrong. This is your governance framework and you can fall back on this when an issue arises.
The Businesses Getting This Right Aren’t the Biggest Ones
AI governance is not a corporate concept that filters down to small businesses eventually. The SMEs that are getting this right are doing so because their owners asked a few direct questions, made a few clear decisions, and communicated them clearly to their teams.
That is all governance is, at its core: it’s a framework that allows you to know what is happening in your business, decide what should happen and then ensure everyone understands the positions you have adopted as leaders of the business. The key is to document and communicate the policy to your entire team. Regularly. As the pace of change in AI is so fast you need to be reviewing your frameworks frequently to reflect the new ways your teams can operate with AI. Constant revision and communication is vital.
How Bentleys Australia and New Zealand Can Assist
At Bentleys, we work with SMEs and private businesses to address these practical business questions including how to approach AI governance in a way that is clear, concise and suited to the scale of your business. If you would like to talk through where your business currently stands and what a sensible next step looks like, contact our team today.