SafeAIBiz

Guide · 8-step checklist

The AI Compliance Checklist for Small Businesses

A working checklist for agencies, consultancies, and growing teams to audit AI use, map the AI regulatory standards that apply, and ship a defensible policy in a week — without a corporate legal team.

The 8-step checklist

  1. Inventory every AI tool — including Shadow AI

    Most small businesses underestimate their AI footprint by 3–5x. Survey every team: which chatbots, image tools, code assistants, meeting recorders, and AI features inside existing SaaS are they using? Personal accounts count. Browser extensions count. The goal is one spreadsheet with tool, owner, data it touches, and account type.

  2. Map the AI regulatory standards that apply to you

    You don't need to read every framework, but you do need to know which ones bind you. The shortlist for most small businesses: the EU AI Act (if you serve EU users), the NIST AI Risk Management Framework (the de facto US baseline), ISO/IEC 42001 (if clients ask), state laws like the Colorado AI Act, and your sector rules — HIPAA, GLBA, FTC Section 5, and SEC marketing rules.

  3. Classify each use case by risk

    Borrow the EU AI Act's four tiers as a working model: prohibited (social scoring, manipulation), high-risk (hiring, credit, biometrics), limited-risk (chatbots, content generation — needs disclosure), and minimal-risk (everyday productivity). Tag every use case in your inventory. The high-risk and prohibited rows are where you focus.

  4. Lock down data inputs

    The single biggest small-business AI risk is staff pasting client data into a free ChatGPT account that trains on inputs. Mandate business-tier accounts (ChatGPT Team/Enterprise, Copilot for Business, Gemini for Workspace) that contractually exclude training. Block consumer accounts at the network or SSO layer where possible.

  5. Vet every AI vendor's terms

    For each vendor, capture: signed DPA, list of sub-processors, data residency, training opt-out status, breach notification SLA, and whether they offer SOC 2 or ISO 27001. If a vendor won't sign a DPA, they're not enterprise-ready and shouldn't touch regulated data.

  6. Publish a one-page employee AI use policy

    Keep it short or no one reads it. Cover: approved tools, prohibited data types, when to disclose AI use to clients, when human review is mandatory, who to ask when unsure, and consequences for violations. Have every employee sign it during onboarding and re-sign annually.

  7. Require human review on high-stakes outputs

    Anything client-facing, legal, financial, hiring-related, or medical needs a named human reviewer before it leaves the building. Document the reviewer in your workflow tool. This single control closes most regulatory and malpractice exposure.

  8. Log, monitor, and re-audit quarterly

    AI vendors change their terms every few months. Set a calendar reminder to re-check the top 5 tools' privacy policies quarterly. Maintain an incident log even if it's empty — auditors and clients increasingly ask to see one.

AI regulatory standards at a glance

The frameworks small businesses are most often asked about. Treat this as a triage table — not legal advice.

Standard | Who it applies to | What to know
EU AI Act | Any business with EU users or customers | Risk-tier obligations, transparency, prohibited uses
NIST AI RMF | Voluntary US baseline; expected by enterprise clients | Govern, Map, Measure, Manage functions
ISO/IEC 42001 | Certifiable AI management system standard | Often requested in enterprise procurement
Colorado AI Act | Consequential decisions affecting Colorado residents | Effective 2026; first comprehensive US state AI law
FTC Section 5 | All US businesses | Bans deceptive AI claims and unfair AI-driven harms
HIPAA / GLBA / SEC | Sector-specific (health, finance, advisers) | AI doesn't change the underlying duty to protect data

A one-week rollout plan

  • Day 1–2: Run the Shadow AI inventory across every team.
  • Day 3: Classify use cases by risk and flag the high-risk rows.
  • Day 4: Move staff to business-tier AI accounts; revoke consumer ones.
  • Day 5: Draft and circulate the one-page employee AI use policy.
  • Day 6: Assign human reviewers to high-stakes workflows.
  • Day 7: Schedule the quarterly re-audit and incident log review.

Want this checklist automated?

SafeAIBiz runs the Shadow AI audit, drafts your employee policy, and alerts you when vendor terms or regulations change — built for small businesses, not Fortune 500 legal teams.


This guide is informational and does not constitute legal advice. Consult qualified counsel for your specific obligations.