Ask a leadership team who is accountable if, tomorrow, an AI model rejects a loan application on a bias nobody audited, or a salesperson pastes the customer list into a public chatbot to draft an email faster. In most mid-market companies you get the same reaction: crossed glances and an awkward silence. Nobody knows. That silence, and not the absence of one more tool, is the biggest governance risk the company carries today.

Large corporations have already answered in their own way, by creating titles. Chief Data Officer, Chief AI Officer, heads of AI governance. Forrester expects dedicated AI-governance roles to appear through 2026, and firms like VASS put data governance for AI at the centre of the year's trends. For an SMB with no CIO carrying weight at the table, that path is closed on budget alone. The good news is that it isn't needed: something cheaper and more honest does the job, a minimum-viable governance model.

Nobody owns the data or the AI

The most common governance failure in the mid-market has nothing to do with technology and everything to do with ownership. When something is everyone's responsibility, in practice it is nobody's, and data and AI live in exactly that no-man's-land between the business, systems and legal. The CFO assumes the data-protection adviser has it covered, the adviser thinks security sits with the IT provider, and the IT provider understands that usage decisions belong to the business. So the file circulates without an owner until an incident stops it cold.

The analysts setting the 2026 agenda agree on the diagnosis even when they use different acronyms. IT User frames data strategy and data governance as the foundation any serious attempt to scale AI has to stand on. SEIDOR talks about consolidating adaptive risk-governance models, the so-called AI TRiSM, so that companies use AI with confidence without losing control. Different doors, one corridor: with no clear owner, AI doesn't scale, it scatters into pilots that never reach production or that reach it with nobody watching what they do with the data.

And what happens while the board decides it will look into this later? Adoption keeps moving from the bottom up. Teams already use copilots and assistants, with permission or without it, so every week without governance is a week of accumulated exposure that is far more expensive to tidy up afterwards.

What an SMB actually governs

Before handing out responsibilities it helps to fence the field, because "data and AI governance" sounds like an infinite project and it is not. For a mid-size company, governing well means having an answer to four concrete questions, and none of them is legal.

First: what data do you hold and which of it is sensitive. Second: who can reach it, and with what tools. Third: which AI systems are in use and what decisions they shape. Fourth: what you do, and how fast, when something breaks. Can you answer those four right now, with evidence and without phoning anyone? If the honest answer is no, you already know where the work begins, because a leader who answers them with facts governs better than many companies armed with a two-hundred-page manual nobody has opened.

Everything else, regulation included, orders itself from there. Frameworks like NIS2, GDPR and the EU AI Act demand precisely that traceability, and we already unpacked how a board without a CIO should read them in our guide to NIS2, Zero Trust and AI TRiSM. The focus here is different: who holds that regulation up inside your organisation when you have no department to lean on.

Five mandates you cannot leave vacant

The heart of the minimum-viable model is a simple idea: there are five governance functions that no company exposed to data and AI can leave without an owner. This is not about five hires or five departments. It is about five mandates, each with a name attached to it, even if one person carries two of them at the start.

1. The executive sponsor. A member of the board, usually the CEO or CFO, who answers to the board for data and AI governance. It is the one radically non-delegable mandate, because NIS2 already makes management accountable and because without an owner at the decision table the rest stays as good intentions. The job is purely one of governance: put the topic on the agenda, assign budget and hold people to account.

2. The data-protection function. Whoever ensures GDPR compliance, decides what may be processed and how, and maintains the record of processing activities. In many mid-size companies this figure already exists as an external DPO, and it works well that way. What does not work is a DPO who exists in the contract but not in day-to-day operations.

3. The information-security function. The equivalent of a CISO, accountable for technical risk, identity, incident response and the relationship with technology vendors. It is the function most naturally covered part-time, with a fractional CISO who brings judgment and method without the cost of a full-time executive.

4. The AI-governance function. Whoever keeps the inventory of AI systems in use, defines which tools are approved and with which data, and makes sure high-impact decisions carry human oversight. It is the newest mandate and the one most companies leave orphaned, precisely when adoption is moving fastest.

5. The business data owners. For each critical domain, whether sales, finance or operations, someone in the business answers for the quality, classification and use of that data. This mandate really is internal and non-transferable, because no outsider knows the business well enough to decide which data matters and which is just noise.

Count the boxes: five mandates, and only two demand a payroll line. The sponsor and the data owners have to be internal. The other three take rented seniority, and that is the lever that changes the economics of governance for an SMB.

Fractional, not headcount: rented seniority

The belief that governing well requires an org chart crowded with full-time titles is an inheritance from big companies that costs the mid-market dearly and fits it badly. A senior CISO, an AI-governance lead with real experience, a privacy adviser with judgment: hiring those profiles outright can run to several hundred thousand a year, and for much of the time they would sit underused, because a company of fifty or two hundred people does not generate decisions of that weight every day.

The fractional model resolves that mismatch: you buy senior judgment and apply it to the decisions that deserve it, without carrying the fixed cost of a full-time seat. The condition for it to work is that it be real seniority, people who have governed this before rather than a junior profile with a grand-sounding title. Governance rests on accumulated judgment, and judgment cannot be improvised.

"Data and AI governance is neither bought nor delegated downward: it is assigned. A mandate well assigned to a part-time senior protects more than an org chart full of empty boxes."

This connects to something we keep arguing about where technology belongs in a company. If the CIO, when one exists, often reports to the wrong person and ends up optimising cost instead of risk and margin, then data and AI governance cannot depend on whether a perfect org chart exists. It depends on the mandates being assigned to someone with the seniority to exercise them, on payroll or not.

The minimum policy stack

With the mandates assigned, the second component of the model is a handful of policies. The temptation here is to copy a multinational's manual and end up with forty documents nobody reads. The minimum viable set is five, and they cover the bulk of the real risk.

Acceptable AI use: which tools are approved and what data may go into them. Data classification: what is public, what is internal and what is confidential or personal, so the rest of the rules have something to hold on to. Access and identity management: who reaches what, and with what safeguards. Vendor management: what you require by contract from third parties that touch your data, a point NIS2 turns into an obligation through the supply chain. And incident response: what happens, who decides and within what deadline when something breaks.

What you can ignore without guilt, at least at first, is almost everything else. You do not need a certified security-management system from day one, nor a policy for every imaginable scenario. You need five short rules, written in language an employee understands, and actually enforced. A brief policy that is followed is worth more than a treatise decorating an intranet.

Controls that actually move the risk needle

Policies describe intent; controls are what actually reduces exposure, and here it pays to be surgical rather than scattered. Four controls concentrate most of the return.

The first is a live inventory of sensitive data and AI systems in use, because you cannot govern what you cannot see, and most companies have no idea how many AI tools have already come in through the back door. The second is multi-factor identity, the control with the best ratio of cost to risk avoided, because nearly every breach starts with a stolen credential. The third is traceability of high-impact AI decisions, with human oversight in the cases that affect people, which is exactly what the EU AI Act sets out to require. The fourth is the human layer, with training and the odd drill, because technology stops part of the attacks and people's judgment decides the rest.

None of these four controls demands a big-company budget. They demand a decision and a review cadence, which is precisely what a well-assigned mandate provides and what evaporates when governance has no owner.

The board stands it up in a quarter

None of this is a two-year programme. A determined board stands the minimum-viable model up in ninety days if it attacks in the right order. The first month goes to what only the board can do: assign the five mandates, hire whatever fractional seniority is missing, and build the first inventory of data and AI systems. The second month closes multi-factor identity, approves data classification and publishes the AI-use policy. The third writes the incident-response plan, rehearses it once, and fixes a quarterly governance slot on the board's agenda.

By the end of the quarter the company does not have perfect governance, because perfect governance does not exist and chasing it is another way of never starting. It has something better: mandates with owners, five rules that are enforced and four controls that work, run from the table where decisions are actually made. That puts it on the right side of the regulation and, above all, of the risk. This is where an independent advisory that sits at that table earns its place, helping cover the mandates that demand seniority without inflating the structure. If you want to see how we approach it, start with our advisory programs.