AI Governance for SMBs

Your employees are using AI with your customer data.
Do you know which tools? Do you have a policy?

Most owner-operators between 5 and 200 employees have AI tools touching their business that they have never formally reviewed. This is not a technology problem. It is an accountability gap — and it is fixable.

  • 12–20 AI tools the average SMB has touching their business — most owners can name three
  • 14 days to a written AI policy, full tool inventory, and 90-day action plan
  • 4 US state AI laws now in effect — Utah, Texas, Illinois, Colorado

AI governance is not an enterprise problem. It became yours the day your team started using AI tools.

Your CRM has AI features. Your accounting software does too. Your team is using ChatGPT, Copilot, and tools you have not approved — with client data, with contract terms, with information that belongs to your customers.

There is no malice in this. There is also no policy, no accountability structure, and no plan for what happens when something goes wrong.

That is the gap. It is common. And it is the kind of gap that costs more to clean up after an incident than to close before one.

  • Vendor exposure you don't know about: Some vendors explicitly reserve the right to use your data to train their models. Most business owners have never read those clauses.
  • No one owns the AI decisions: When an AI tool makes a wrong call, who handles it? If the answer is unclear, you have an accountability gap that shows up badly in a client complaint or a due diligence conversation.
  • State AI laws that already apply to you: Utah's AI Policy Act has been in effect since May 2024. Texas and Illinois went live January 2026. Colorado follows June 2026. If you operate in or serve clients in those states, compliance is not optional.
  • Client due diligence is asking now: Enterprise clients and procurement teams are adding AI governance questions to vendor questionnaires. If you cannot answer "what is your AI policy," you lose deals to competitors who can.

A written policy your team can use the day they receive it.

Not a template. Not a compliance checklist. A governance program built around your actual tool stack, your actual data, and the laws that actually apply to your business.

Full AI Tool Inventory

Every AI tool touching your business — including the ones embedded in software you already use. Named, categorized by risk level, with an accountable owner assigned to each.

Written Acceptable Use Policy

A policy your employees can actually follow. Plain language rules for what they can and cannot do with AI. No jargon. Specific to your industry and jurisdiction.

Vendor Risk Summary

What your key AI vendors' contracts actually say about your data. Which tools carry the most risk. Where to push back on renewal.

90-Day Action Plan

Sequenced steps your team can execute without hiring anyone. What to close first, what to monitor, what to review quarterly. The plan is self-implementing.

Built for owner-operators who do not have a full-time AI officer.

Most SMBs cannot afford a dedicated AI Risk Officer or compliance team. This is the fractional version of that role — scoped, fixed-fee, and designed for organizations that need governance without overhead.

Professional services firms

Legal, accounting, consulting, architecture, HR firms handling client data with AI tools that have never been formally reviewed.

Owner-operators with 5–200 employees

Growing fast enough that AI has become embedded in operations, but without the infrastructure to govern it systematically.

Businesses serving enterprise clients

Any firm where clients or prospects are starting to ask about AI governance in due diligence — and where "we don't have a policy" is no longer an acceptable answer.

Start with a Signal Session. Find out where you actually stand.

Before any assessment, Boubacar runs a 90-minute structured diagnostic to map how AI is being used in your business and where the exposure is. You leave with a written summary of your governance maturity level and a specific recommended next step. No sales pitch inside the session.

$497
90 minutes · Written summary within 24 hours · Limited to 3 sessions per month
Book a Signal Session

Things owner-operators ask before booking.

"We're too small to need this."
Size determines the complexity of governance, not whether you need it. A three-person firm with one AI tool touching client data is exposed. The governance is sized to match your operation — not enterprise overhead applied to a small business.
"We already have a privacy policy."
A privacy policy covers how you handle data you collect from users. It does not cover how your employees use AI tools, what data they put into those tools, how vendors use that data, or who is accountable when something goes wrong. Those are four separate gaps a privacy policy does not touch.
"We don't really use AI that much."
Does your CRM have AI features? Your email platform? Your accounting software? AI is embedded in most business software now. The question is not whether you use AI. It is whether you know how it is using your data.
"We'll deal with this when regulations require it."
Utah SB 149 has been in effect since May 2024. Texas TRAIGA went live January 1, 2026. Illinois HB 3773 followed the same day. Colorado's Act takes effect June 30, 2026. If you have employees or clients in those states, it is already required.
"Is this legal advice?"
No. Catalyst Works produces operational governance documentation — tool inventories, acceptable use policies, risk summaries, and action plans. Any policy affecting employee rights, client data, or regulatory compliance should be reviewed by qualified legal counsel before implementation. This is the infrastructure that makes your lawyer's job easier and your vendor conversations sharper.

The question is not whether you have AI exposure.
The question is whether you know what it is.

Start with a Signal Session. 90 minutes. One clear picture of where you stand and what to do next.

Book a Signal Session — $497