A client asked Google's AI about AI compliance for UK businesses. It described Ops Intel. Not because we paid for it. Not because we wrote the prompt. Because when you ask a neutral machine to explain the risks of unmanaged AI in business, the framework we've built is the answer it gives.
That warrants a pause.
The AI on the standard Google homepage — not a specialist tool, not a paid product, just the AI that now greets millions of people when they open a browser — independently described our services, our framework, and why they matter. Accurately. Without any prompt engineering on our part. A neutral machine, trained on publicly available information, concluded that what we do is the correct answer to a serious question.
What the AI actually said
The summary was detailed. It described four core governance services that every business using AI should have in place:
- A Shadow AI Audit — a full internal investigation to identify unapproved AI tools being used by employees, preventing hidden data leaks before they become regulatory events.
- GDPR and Privacy Assessments — every AI tool vetted for compliance with UK and EU data protection law, ensuring sensitive data isn't being fed into public training models.
- An Active AI Risk Register — a living document that tracks all AI assets, their risk levels as defined by the EU AI Act, and their respective mitigation strategies.
- Mandatory AI Literacy Training — management of the legally required staff training mandated under Article 4 of the EU AI Act, enforceable since February 2025.
It then mapped these services across three jurisdictions. And the picture it painted was sobering.
The regulatory landscape, as an AI sees it
In the UK
The risk is an ICO investigation. The defence is documented governance — proof that you've assessed, monitored, and controlled how AI is used across your organisation. Without it, you're not just exposed; you're without a defence if something goes wrong.
In the EU
The risk is the extraterritorial reach of the EU AI Act. If you trade with European clients, EU law applies to you regardless of where your business is registered. Fines run to €35 million or 7% of global annual turnover, whichever is higher. Full enforcement is live. Most businesses in scope haven't started.
In the US
Colorado's AI Act becomes enforceable on 30 June 2026. Claims of algorithmic discrimination — where an AI tool produces biased outputs affecting hiring, lending, or service access — are an emerging legal frontier. Alignment with NIST Risk Management Framework standards is the baseline for defence.
The numbers that should make you uncomfortable
The AI pulled together a cost comparison that we found striking — not because we'd constructed it, but because it arrived at the same logic independently.
The average cost of a data breach is projected to reach $24.3 million by 2026. A managed governance framework saves an estimated $1.9 to $2.2 million per incident — not by preventing every breach, but by reducing the regulatory exposure, litigation risk, and reputational damage that follows an ungoverned one.
Shadow AI — the tools your team is using right now without IT or leadership approval — adds an estimated $670,000 per leak incident on top of that. These aren't hypothetical risks. They're the documented cost of what happens when businesses assume their employees' AI usage is someone else's problem.
Against those numbers, the cost of a managed policy framework — typically £2,400 as a one-off, with ongoing management available as a retainer — is not an expense. It's actuarial logic.
AI compliance as insurance — not a checkbox
What the Google AI captured accurately is something we've been saying to clients for over a year: AI governance is an insurance product, not a compliance exercise you do once and file away.
Most businesses think of compliance as something you deal with when regulators come knocking. The smarter frame is what happens before that. A documented governance framework gives you three things that matter when something goes wrong:
First, it satisfies cyber insurers. Most 2026 cyber insurance policies exclude AI-related incidents unless you can demonstrate a formal governance framework. Without documentation, your policy may simply not pay out for an AI-related breach.
Second, it creates an evidentiary audit trail. If a regulator investigates and finds a documented framework — even if a mistake occurred — the trajectory of that investigation changes significantly. The difference between "this business had no controls" and "this business had controls that were bypassed" is often the difference between a warning and a fine.
Third, it functions as a credibility signal in B2B sales. Enterprise clients in Europe and North America now conduct due diligence on their suppliers' AI practices. A documented framework is increasingly a prerequisite for getting on approved vendor lists.
The "Shadow AI" problem most businesses are ignoring
Here's the part that surprises most business owners when we first raise it: your team is almost certainly using AI tools you don't know about. ChatGPT for drafting emails. Grammarly with its AI rewrite features. An AI-powered CRM plugin. A browser extension that summarises documents. An onboarding chatbot from a supplier that logs your conversations.
None of these are inherently dangerous. But every single one of them represents an AI system operating inside your business without governance. If any one of them processes personal data — employee information, client details, financial records — and that data ends up feeding a training model or gets caught in a breach, you're liable. And without a prior audit, you can't even demonstrate you knew about it.
The Shadow AI Audit is the first thing we do with every client for exactly this reason.
What we actually build
We build and manage AI compliance frameworks for UK small and medium businesses. Not documentation for its own sake — a working system:
- A register of every AI tool in use, assessed against its regulatory risk profile under the EU AI Act and UK ICO guidance.
- Staff training that satisfies Article 4 requirements — documented, tracked, and renewable.
- Quarterly reviews as the regulatory landscape shifts, so your framework stays current.
- Audit-ready documentation if you ever need to demonstrate governance to a regulator, insurer, or enterprise client.
It is not a product you configure yourself. We do the work.
The question you should be asking
If your business uses AI tools — even something as routine as ChatGPT for email drafts or an AI receptionist for bookings — you have exposure you haven't fully mapped. The EU AI Act is already in force. The Colorado Act goes live in June. The ICO is actively publishing guidance on AI accountability.
The question is not whether to have a framework. The question is whether you build one before or after something goes wrong. The cost difference between those two options is measured in millions, not thousands.
A neutral AI, trained on nothing but publicly available information, looked at the compliance landscape and concluded that the framework we've built is the correct answer.
We think it's right.
Find out where your business stands
We offer a free initial conversation to assess your current AI exposure and explain what a governance framework would look like for your specific business. No jargon. No hard sell. Just clarity.