Skip to content
Topic pillar · 16 tracked pieces

Topic · AI governance for small business

Governance, contracts, and compliance sized for an owner-operator — client-deliverable clauses, vendor due diligence, EU AI Act deployer duties.

Pillar status. Spoke articles and tracked claims below are populated automatically. Editorial framing for this pillar is queued for the next quarterly refresh.

What survives review

What has broken

Spoke articles

  • Do the new US state AI laws even apply to your small business? Mostly no, and here is the short list of what actually does

    The headlines say a wave of state AI laws hit in 2026 and your business needs a compliance programme. For a business under about 50 people, that is mostly wrong. California's law targets only the largest model developers, Colorado just gutted and delayed its own to 2027, and Texas's law is broad but mainly tells you not to use AI to do unlawful things you could not do anyway. There is no federal floor coming to add to the pile. The real list of what applies to a small operator is short, cheap, and worth doing once. Here is the 30-minute version that replaces the anxiety with a plan.

  • The EU AI Act for small businesses: the high-risk deadline moved to 2027, but your 2 August 2026 duties did not

    On 7 May 2026 the EU agreed to push the AI Act's heavy high-risk rules out to 2027 and 2028. If you run a small business, the easy read is that there is nothing to do. That read is wrong. The high-risk rules were never the part that applied to you. The parts that do apply, labelling AI-generated content and telling people when they are talking to a bot, still land on 2 August 2026, and the AI literacy duty has applied since February 2025. Here is the 30-minute readiness check using the tools you already have.

  • Colorado's AI law hits June 30: what the SB 189 replacement means for the 1-50 person operator using AI in hiring or client decisions

    Colorado's AI Act (SB 24-205) has a replacement: SB 189, passed by both chambers and signed by Governor Polis on 14 May 2026. The signed law's obligations take effect 1 Jan 2027, not the 30 Jun 2026 date this brief originally reported. The replacement scales back the original law significantly: risk management programmes, annual impact assessments, and the full algorithmic-discrimination-prevention framework are gone. What remains is a notice-and-transparency obligation. If your operation uses AI to make or materially influence a consequential decision about a Colorado resident — employment, housing, credit, insurance, education, healthcare — you have obligations under SB 189 from 1 Jan 2027. This is the operator-sized compliance brief.

  • Delivering AI work to clients: the 4-clause contract addendum every solo agency needs in 2026

    A solo agency delivering AI-assisted work to a client needs four contract clauses by Aug 2026: disclosure of AI use, IP warranty carve-out for AI-generated portions, training-data exclusion of client materials, and a liability cap tied to fee paid. Without them, the agency carries strict liability under EU AI Act Article 50 plus contract-law warranty exposure on copyright.

  • AI vendor red flags for SMBs: 2026 contract patterns to spot before signing
  • AI voor de zelfstandige Nederlandse advocaat: NOvA, Wet op de advocatuur, en wat AI mag en niet mag in 2026

    Voor de Nederlandse zelfstandige advocaat (eenmanspraktijk, klein kantoor onder 5 partners) is de AI-vraag in 2026 niet of AI helpt bij het werk — dat doet het — maar of het op een manier wordt gebruikt die de NOvA-gedragsregels, het Wet op de advocatuur Artikel 6, en de Verordening op de advocatuur niet schendt. AI mag voor onderzoek, drafting, en samenvatten. AI mag niet voor advies-generatie zonder advocaat-review. De grenzen zijn smaller dan de meeste vendors suggereren, en de tuchtrechtelijke ruimte is in 2025-2026 expliciet ingesnoerd.

  • AI tools for the solo EU developer: client-code residency, jurisdiction, and the procurement question Cursor-vs-Copilot does not answer

    The Cursor vs GitHub Copilot vs Claude Code comparison is saturated and the per-seat economics are well-covered. The procurement question that 2026 EU solo developers actually face — does my AI coding tool send my client's code to a non-EU LLM, and what does that mean under GDPR plus the client's own data-handling commitments — is undercovered. This piece walks the EU client-code residency surface for the three dominant AI coding tools, the procurement questions clients are now asking, and the workflow that satisfies a regulated client without forcing the developer to abandon AI tooling.

  • KI im Mittelstand: the BetrVG and DSGVO posture before deployment

    German Mittelstand owners deploying AI assistants in 2026 hit two compliance surfaces most US-headquartered AI vendors do not handle. BetrVG §87 triggers at the first works-council-eligible employee headcount; DSGVO Article 22 + 35 trigger on the first AI-mediated decision affecting employees. The defensible early-engagement posture.

  • AI for local SEO and Google Business Profile: what compounds, what gets you suspended

    Local SMB owners using AI on Google Business Profile and local-SEO content split into two cohorts in 2026: those whose visibility compounds, and those whose listings get suspended. The line is specific. The March 2024 spam policy update plus 2025-2026 enforcement pattern explain which side of it most operators are on.

  • AI hiring at small business scale: what EU AI Act Annex III actually means at four employees

    Most SMB owners using ChatGPT or a hiring tool to screen CVs do not know they have just deployed a high-risk AI system under EU AI Act Annex III. The threshold does not scale with company size. Here is what holds up at the regulator audit and what does not.

  • When NOT to use AI for your small business: the five categories where substitution costs more than it saves

    Most SMB AI writing covers where to start. Almost none covers where to stop. Five categories where substitution costs the small business more in trust and liability than it saves in productivity, with cited cases from courts, regulators, and licensing boards.

  • Platform algorithm penalties on AI-generated content: where SMB marketing breaks in 2026

    SMB owners using AI to produce marketing content are hitting platform algorithmic penalties at increasing rates in 2026. Google's Helpful Content classifier, LinkedIn's AI-detection-based feed deprioritisation, and Etsy's AI-generated-listing rule changes have published enforcement updates that most SMB AI tooling does not warn about.

  • The CAO/Tarifvertrag AI-VA trap: collective agreements at four employees

    SMB AI-VA deployments displacing admin work in collective-agreement-covered sectors trigger CAO or Tarifvertrag provisions even at sub-10-employee scale in 2026. Most SMB owners are unaware until the first union audit. The audit has been increasing in frequency since 2025.

  • AI-drafted contracts and the notary requirement: where the SMB malpractice line sits

    AI-drafted contracts in EU notary-required jurisdictions are producing a class of legal-malpractice incidents in 2026 where the SMB owner treats an AI draft as the final binding document, missing the notarisation requirement. NL and DE are where the pattern is most visible.

  • The 1-page AI policy for a small business: copy, customise, sign

    The reason an SMB needs an AI policy in 2026 is not compliance. It is that without one, every employee silently decides which data goes into ChatGPT, when AI output can be sent to a client, and whether AI-drafted contracts can skip review. Eight clauses on one page, copy-paste ready.

  • AI vendor due diligence in one Saturday: a 5-question framework for SMBs

    An SMB AI vendor evaluation that's defensible to your insurer takes 90 minutes if you walk through five questions in order: model provenance, data residency, sub-processor list, breach history, and termination clause. The pattern is simpler than enterprise frameworks suggest because the SMB stakes are smaller.

What we're watching next

Forthcoming content and open questions for this pillar will appear here on the next quarterly refresh.

Primary sources we trust for this topic

A curated list of primary research, regulator guidance, and vendor documentation for ai governance for small business. Populated on the quarterly refresh — not a link dump, not competitors.


This pillar page is refreshed quarterly. Last refresh: 19 Apr 2026. Next refresh: 18 Jul 2026.

Vigil · 09 reviewed