Each edition delivers one clear, evidence-backed idea you can use. This week: why the governance frameworks sitting in your inbox won't protect you unless you build three simple registries first.

The Gap No One Talks About

By the time your organization deployed its first AI tool, it was already ungoverned.

Jobin et al. (2019) conducted a landmark review of 84 AI ethics guidelines across 35 countries and found near-universal convergence on principles such as transparency, accountability, and fairness. Yet despite this consensus, a persistent gap exists between the governance principles organizations formally endorse and the operational processes through which those principles are enacted (Zaher, 2025). Researchers now call this the responsible AI implementation gap, and it has become one of the central practical challenges in AI deployment.

AI adoption is driven by competitive and productivity incentives that move at the speed of a SaaS subscription. Governance development moves at the speed of a policy committee review. That mismatch is where the gap lives.

Themann (2025), in a systematic literature review spanning peer-reviewed publications from 2019 to 2025, identified that many governance frameworks present high-level principles but lack concrete operationalization guidance, leaving organizations uncertain about how to manage ethical risks or ensure compliance. As Mittelstadt (2019) argued plainly: principles alone cannot guarantee ethical AI, because AI development lacks the professional norms and proven methods to translate those principles into practice.

Shadow AI is the most visible symptom — tools adopted by individual departments without central approval, and vendor-embedded models that activated the moment you renewed a SaaS contract.

Why SMBs Face a Steeper Climb

Every organization faces the implementation gap. SMBs face a harder version of it.

Research consistently shows that SMBs experience AI adoption barriers including capital constraints, limited technical expertise, and integration costs that large enterprises can more readily absorb (JP Morgan Chase Institute, 2026). These same constraints that slow adoption also directly undermine governance: building a dedicated AI oversight function, training staff on emerging frameworks, and sustaining continuous compliance monitoring all require resources that most SMBs simply do not have. A study from Texas Christian University found that small organizations face a dual challenge — developing in-house AI expertise while simultaneously managing the complexities of external AI collaborations — and that resource constraints, ethical considerations, and leadership alignment remain the most common barriers (TCU, 2024).

Zaher (2025) found through regression analysis that the single strongest organizational predictor of AI governance maturity is the presence of a dedicated responsible AI team, followed by staff training investment and senior executive sponsorship — three things SMBs are least likely to have. Themann (2025) identified that human readiness gaps and organizational integration barriers are the most persistent implementation obstacles across sectors, compounding the resource disadvantage.

Frameworks like ISO/IEC 42001 and the NIST AI Risk Management Framework provide sound structural guidance, but both were designed with organizational capacity in mind. NIST AI RMF calls for use-case-specific profiles — a rigorous approach that requires dedicated personnel to complete (NIST, 2023). For an SMB operating without a Chief AI Officer or a compliance team, this level of documentation feels out of reach before it begins.

A Practical Starting Point: Three Registries

Governance cannot operate on what it cannot see, and visibility is achievable at any organizational size.

Morley et al. (2020) argued that the path from AI principles to practice requires concrete tools — not additional ethical declarations — and that structured inventories of AI systems are among the most actionable starting points. This insight is operationalized through three interconnected registries that form the foundation of a minimum viable governance posture:

1. Use Case Registry. Document every task where AI is making or influencing a decision in your organization. Record the business function, the intended outcome, and the population affected. Risk is determined by use case, not headcount — an AI tool screening job applicants carries governance obligations that a marketing copy assistant does not. The EU AI Act codifies this logic explicitly by categorizing AI systems into risk tiers based on their use cases (European Commission, 2021).

2. System Registry. Catalog every AI system, tool, or model your organization uses — including embedded AI features in existing SaaS platforms. For each entry, record the vendor, deployment environment, data it accesses, and who approved its use. Raji et al. (2020) demonstrated that closing the AI accountability gap requires end-to-end visibility into the systems operating within an organization; without a system inventory, that visibility is structurally impossible.

3. Control Registry. For each system in your inventory, record what guardrails are actually in place — access restrictions, output review steps, human checkpoints, bias checks. Not what the vendor claims. What you have verified. This becomes your audit trail with regulators, clients, and insurers. ISO/IEC 42001 (2023) formalizes this through its Annex A control catalog and a Statement of Applicability — the same logic, scaled to your size.

These three registries do not require a governance team. They require clarity of ownership and an honest hour of documentation per system. Once populated, they create the visibility layer that every subsequent governance action — risk scoring, policy enforcement, incident response — depends on.

The Governance Gap Is Closable

Governance frameworks were designed after AI was already deployed. Most organizations assumed that adopting a framework was the same as operationalizing one. Themann (2025) found that the research gap in operationalizing AI governance "hinders the embedding of responsible principles in AI technologies" (p. 14). The principles exist. The work is building the infrastructure to enforce them.

For SMBs, the three registries are that infrastructure — not the complete solution, but the prerequisite for every solution that follows.

References

European Commission. (2021). Proposal for a regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Artificial Intelligence Act) (COM/2021/206 final). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52021PC0206

ISO/IEC. (2023). ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management systems. International Organization for Standardization. https://www.iso.org/standard/81230.html

Jobin, A., Ienca, M., & Vayena, E. (2019). The global landscape of AI ethics guidelines. Nature Machine Intelligence, 1(9), 389–399. https://doi.org/10.1038/s42256-019-0088-2

JP Morgan Chase Institute. (2026). Understanding the use of AI among small businesses. https://www.jpmorganchase.com/institute

Mittelstadt, B. (2019). Principles alone cannot guarantee ethical AI. Nature Machine Intelligence, 1(11), 501–507. https://doi.org/10.1038/s42256-019-0114-4

Morley, J., Cowls, J., Taddeo, M., & Floridi, L. (2020). From what to how: An initial review of publicly available AI ethics tools, methods and research to translate principles into practices. AI & Society, 35(4), 1437–1456. https://doi.org/10.1007/s00146-019-00902-7

National Institute of Standards and Technology. (2023). Artificial intelligence risk management framework (AI RMF 1.0) (NIST AI 100-1). https://doi.org/10.6028/NIST.AI.100-1

Raji, I. D., Smart, A., White, R. N., Mitchell, M., Gebru, T., Hutchinson, B., Smith-Loud, J., Theron, D., & Barnes, P. (2020). Closing the AI accountability gap: Defining an end-to-end framework for internal algorithmic auditing. Proceedings of the ACM Conference on Fairness, Accountability, and Transparency, 33–44. https://doi.org/10.1145/3351095.3372873

Texas Christian University. (2024). Exploring the AI adoption challenges in small businesses [Master's thesis]. TCU Repository. https://repository.tcu.edu

Themann, S. (2025). Challenges and strategies used in implementing AI governance: A systematic literature review [Master's thesis, Stockholm University]. DiVA Portal. https://www.diva-portal.org/smash/get/diva2:1983756/FULLTEXT01.pdf

Zaher, M. A. (2025). From principles to practice: A cross-sector assessment of responsible AI governance readiness. Financial Technology and Innovation, 5(1), 10–23. https://doi.org/10.54216/FinTech-I.050102

Keep Reading