EU SME AI Compliance: Right-Sized Governance for Small Businesses
Small businesses do not get exempted from EU AI governance just because they have fewer people. If an SME deploys AI in a regulated or sensitive workflow, the legal and operational questions still arrive. At the same time, most small businesses cannot absorb a governance program designed for a multinational bank. That is where AI compliance often stalls. Teams either postpone controls because the full enterprise playbook looks impossible, or they buy a heavy process stack that slows delivery without improving runtime behavior. Keeptrusts is useful for SMEs because it lets you start with a narrow, enforceable control boundary and grow from there.
Use this page when
- You are an EU-based SME or a small team selling into the EU and need a proportionate AI governance approach.
- You want to prioritize the controls that matter most for real workflows instead of building a large governance program up front.
- You need a starting pattern for customer support, internal drafting, HR screening, or other common SME AI use cases.
Primary audience
- Primary: Founders, technical leads, compliance owners in small businesses
- Secondary: Operations managers, product teams, outsourced security advisers
The problem
SMEs usually face a double constraint. They have less governance capacity than larger firms, but they also have less room for error. One unsuitable provider choice, one employee workflow that leaks customer data, or one unsupported automated decision can create a problem the company has little time to unwind.
The other issue is prioritization. Small businesses often try to answer every AI compliance question at once: EU AI Act category mapping, GDPR readiness, vendor due diligence, usage policies, customer disclosures, and retention rules. That sounds responsible, but in practice it means nothing gets implemented at the technical boundary. The model route stays open while people debate the final governance framework.
For most SMEs, the better starting question is simpler: which AI routes are risky enough that they need enforced controls now? A marketing drafting assistant does not need the same treatment as a hiring-screening route or a customer-support route that touches account data. If you do not separate those routes, you end up over-controlling the harmless work and under-controlling the sensitive work.
The solution
Right-sized governance starts with a minimal route inventory and three control levels.
The first level is a baseline for nearly every production route: request-boundary protection, basic sensitive-data handling, provider restrictions, and audit visibility. The second level adds grounding or content-specific controls where outputs need to be trustworthy or sourced. The third level adds human review for routes that affect customer outcomes, regulated processing, or legally sensitive communications.
Keeptrusts maps well to that staged model. Prompt Injection Detection protects the input boundary. PII Detector reduces the risk of raw identifiers reaching the provider. Data Routing Policy lets you require zero retention and no-training declarations where needed. Audit Logger makes the route visible in the decision stream. Then you add Citation Verifier or Human Oversight only where the use case needs them.
This is a better SME pattern than trying to implement every advanced control on day one. It creates a concrete operating baseline. You can explain it to customers, investors, and auditors because it is tied to real runtime behavior, not just policy documents.
Implementation
An SME rollout usually works best when the first route is intentionally boring: internal support or customer-assistance drafting with privacy and provider controls, then stricter chains for sensitive routes later.
```yaml
pack:
  name: sme-baseline-governance
  version: "1.0.0"
  enabled: true
providers:
  targets:
    - id: reviewed-provider
      provider: openai
      model: gpt-5.4-mini-mini
      secret_key_ref:
        env: OPENAI_API_KEY
      data_policy:
        zero_data_retention: true
        training_opt_out: true
        retention_days: 0
policies:
  chain:
    - prompt-injection
    - pii-detector
    - data-routing-policy
    - audit-logger
  policy:
    prompt-injection:
      use_embedding: false
      detection:
        attack_patterns:
          - "ignore.*previous.*instructions"
          - "reveal.*system.*prompt"
      encoding:
        decode_base64: true
        normalize_unicode: true
        detect_homoglyphs: true
      boundaries:
        enforce_delimiters: true
        reject_fake_boundaries: true
    pii-detector:
      action: redact
      redaction:
        marker_format: label
        include_metadata: true
    data-routing-policy:
      require_zero_data_retention: true
      require_no_training: true
      max_retention_days: 0
      on_no_compliant_provider: block
      log_provider_selection: true
    audit-logger: {}
```
That gives a small team a concrete default. Sensitive inputs are protected. Providers are filtered. The route is auditable. If the company later adds a higher-risk route, such as hiring support or regulated customer communications, it can create a separate chain with citation-verifier or human-oversight rather than inflating the baseline for everyone.
The operating loop is also simple enough for a small team to maintain. Store the config in version control, run kt policy lint --file policy-config.yaml, and then start the gateway with kt gateway run --listen 0.0.0.0:41002 --policy-config policy-config.yaml. Those steps are small, repeatable, and much easier to keep current than a large spreadsheet-based control program.
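The three control levels and the provider filtering described above can also be checked against a route inventory before each deploy. The script below is an added example, not Keeptrusts code or part of the original page: the policy ids are the ones named here, while the route names, the level numbering, the inventory layout and the reading of the data-routing-policy fields are assumptions.

```python
# Added example, not Keeptrusts code. Policy ids come from this page; route
# names, level numbers and the inventory layout are assumptions.
BASELINE = ["prompt-injection", "pii-detector", "data-routing-policy", "audit-logger"]
REQUIRED = {
    1: set(BASELINE),                          # baseline for production routes
    2: set(BASELINE) | {"citation-verifier"},  # grounded or sourced output
    3: set(BASELINE) | {"human-oversight"},    # human review before release
}

def compliant_providers(targets, routing):
    """Ids of targets whose declared data_policy satisfies the routing policy."""
    ok = []
    for t in targets:
        dp = t.get("data_policy", {})
        zdr_ok = dp.get("zero_data_retention") or not routing.get("require_zero_data_retention")
        train_ok = dp.get("training_opt_out") or not routing.get("require_no_training")
        # A target with no declared retention period fails whenever a maximum is set.
        days_ok = dp.get("retention_days", float("inf")) <= routing.get("max_retention_days", float("inf"))
        if zdr_ok and train_ok and days_ok:
            ok.append(t["id"])
    return ok

def check_route(route, targets, routing):
    """Findings for one inventory entry; an empty list means the route passes."""
    findings = []
    missing = REQUIRED[route["level"]] - set(route["chain"])
    if missing:
        findings.append(f"{route['name']}: chain is missing {sorted(missing)}")
    if not compliant_providers(targets, routing):
        findings.append(f"{route['name']}: no provider satisfies data-routing-policy")
    return findings

def audit(inventory, targets, routing):
    return [f for route in inventory for f in check_route(route, targets, routing)]

# Constructed sample data mirroring the baseline config on this page.
REVIEWED = {"zero_data_retention": True, "training_opt_out": True, "retention_days": 0}
TARGETS = [{"id": "reviewed-provider", "data_policy": REVIEWED},
           {"id": "unreviewed-provider", "data_policy": {"retention_days": 30}}]
ROUTING = {"require_zero_data_retention": True, "require_no_training": True, "max_retention_days": 0}
INVENTORY = [
    {"name": "support-drafting", "level": 1, "chain": BASELINE},
    {"name": "kb-answers", "level": 2, "chain": BASELINE + ["citation-verifier"]},
    {"name": "hiring-screening", "level": 3, "chain": BASELINE},
]

if __name__ == "__main__":
    print("\n".join(audit(INVENTORY, TARGETS, ROUTING)) or "all routes pass")
```

With the sample inventory, the only finding is the hiring-screening route, which is marked level 3 but still carries the baseline chain.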
Results and impact
The biggest gain for SMEs is not paperwork. It is control you can actually keep running. A small team can maintain one gateway config more easily than a long list of informal usage rules. Route separation also improves product decisions because teams stop arguing about AI compliance in the abstract and start asking whether a specific workflow should inherit the baseline, the grounded-output layer, or the review-only layer.
That matters commercially too. Customers increasingly ask small vendors how AI is governed. A precise answer based on actual routes and controls is stronger than a vague promise that the team is "responsible with AI." It is also easier to evolve. As new use cases arrive, you extend the route inventory instead of rebuilding the whole governance program.
Key takeaways
- SMEs need proportionate AI governance, not no governance.
- Start with a small number of production routes and assign control levels to each.
- A baseline chain with boundary protection, redaction, routing, and audit visibility is usually the right first step.
- Add grounding and human review only where the workflow justifies it.
- Keeptrusts helps small teams turn governance from policy intent into enforceable runtime behavior.
Next steps
- Start with Gateway first run and Configurations.
- Review Policies overview before defining your baseline chain.
- Tighten privacy handling with PII redaction setup and PII Detector.
- Add route ownership using Team-based governance.
- Build evidence gradually with Pass compliance audits and Export evidence for a review.