Minimum viable AI governance for a startup selling to enterprise
- Inventory omissions — internal tools, embedded vendor AI — poison every other honest answer.
- Classify per market, and write the paragraph of reasoning; reviewers probe reasoning, not labels.
- Run four controls that produce evidence in operation, not fourteen that live in a policy PDF.
- Contemporaneous decision records beat reconstructed narratives every time.
- Two to three weeks of part-time build; a few hours a week of upkeep; clears most of what diligence checks.
Inventory: everything, including what you'd rather not list
List every AI system: the product itself, the models it builds on, internal AI tooling that touches customer data, and the AI embedded in vendors you use. Each entry carries an owner, a purpose, the data it touches, and its current state. The inventory is the foundation of every honest answer you will ever give a reviewer, and its most common failure is omission: the internal tool nobody mentioned that surfaces in a data-flow question and makes every prior answer look curated.
Classify against the markets you actually sell into
Each system gets a risk tier with one paragraph of reasoning, judged per market: if you sell into the EU, that means the EU AI Act's tiers for the buyer's intended use of your system; elsewhere, a sensible high/limited/minimal scale with the reasoning written down. The paragraph matters more than the label, because reviewers probe the reasoning, and "we classified it high-risk because it informs credit decisions, and here is what follows from that" is the sentence that ends the probing.
Controls: only what you run
Pick the controls that are real for you, typically: access control on model and data, logging of system behaviour, a defined human-oversight point wherever the system's output affects a person, and basic diligence on your own AI suppliers. Each control has an owner and produces evidence in the course of operating, not in a scramble before an audit. Four controls that demonstrably run beat fourteen that exist in a policy document, because reviewers test operation, not intention.
Record decisions when they happen
The cheapest habit with the highest audit value: when you make a governance decision, approve a model change, review a risk, accept a limitation, write it down at the moment it happens, with the date and the person. Evidence reconstructed months later from memory and email threads is the single most common gap enterprise diligence finds in startups, and it is entirely avoidable with a habit that costs minutes.
The incident path, before you need it
One page: who is told when an AI system misbehaves, what gets recorded, who decides severity, and when buyers or regulators are notified. You will be asked for this verbatim in reviews, and "we would figure it out" fails. What to skip, with confidence: ethics boards at your size, badge programmes, policy binders, and any artefact whose only function is to be pointed at. The initial build of all five items is two to three weeks of part-time work; the upkeep is a few hours a week; and the set above clears the majority of what enterprise diligence actually checks.
Key terms
- Inventory
- The complete list of AI systems — product, foundation models, internal tools, vendor-embedded — each with owner, purpose, data, and state.
- Risk tier
- The classification of a system per market of sale, judged against the intended use, with a paragraph of reasoning that anticipates reviewer probing.
- Operating control
- A control that produces its own evidence during normal operation, rather than being reconstructed for an audit window.
- Contemporaneous record
- A decision written down at the moment it is made, with date and person; the highest-value cheap habit in startup governance.
- Incident path
- The one-page process — who is told, what is recorded, who calls severity, when buyers and regulators are notified — asked for verbatim in reviews.