AI Governance Checklist: 10 Steps for a Team Without a Compliance Department
AI governance sounds like a programme that needs a department. For a small or mid-sized team it is really a checklist you can work through in a day and then maintain in an hour a quarter. This is that checklist: ten practical steps that, done in order, take you from no governance to a defensible position you can show a customer, an auditor, or a regulator. Each step maps to a real obligation under the EU AI Act, GDPR, ISO 42001, or SOC 2.
Steps 1 to 3: see what you actually use
Step 1: inventory your AI tools, including the ones bought by individuals and the AI features inside other software. Step 2: for each, note what data flows into it. Step 3: classify by sensitivity (public, internal, personal, regulated). This is the MAP function of the NIST AI RMF and the system inventory ISO 42001 expects. Shadow AI is usually most of what you find, so ask every team, not just IT.
Steps 4 to 6: vet and decide
Step 4: for each tool touching sensitive data, check whether it trains on your inputs, its retention, and whether it offers a DPA or BAA. Step 5: decide a status for each tool: approved, restricted, or prohibited, and at which tier. Step 6: record those decisions in a tool register. ModelCharter's AI Tool Risk Directory does step 4 for popular tools, with a source link per fact, so this is minutes rather than hours per tool.
Steps 7 to 9: write it down and get sign-off
Step 7: write a short AI usage policy capturing the data rules, the approved-tools list, a human-review requirement, and a named owner. Step 8: circulate it and collect attestation, a timestamped record that each person read and accepted it, which is what evidences the EU AI Act's Article 4 AI-literacy duty. Step 9: set a review cadence, at least annual re-attestation and a re-check whenever a tool's terms change or you add a tool.
Step 10: keep it current
Step 10: keep the underlying facts fresh. Vendors change their terms; a tool that was safe on a given tier may not stay that way. Re-check the directory periodically and update your register. ModelCharter covers steps 4 through 9 directly: the directory, the policy generator, the tool register and attestation. Work the list once and you are ahead of most companies your size; maintain it and you stay there.