Panthera Advisory

Who owns the AI decisions inside your business?

An MD with a live AI tool inside the core sales workflow couldn't tell me what data it was touching or where it went. The architecture sat with one employee. Accountability sat nowhere.

A hand-drawn AI workflow diagram on aged paper, with annotated questions about data location, account ownership, and human review.

Last week I spoke with the Managing Director of a UK SME. Strong turnover in a market with tight margins. One of their staff had developed a live AI tool sitting inside the core sales workflow.

It takes customer data, runs it through an AI process, and produces a summary report, a recommended product specification and quote. It saves a lot of time, the team uses it daily and the business can see a significant improvement in quality.

That sounded like a real AI win, so I started asking more about it. What exactly was the workflow doing? Which model was it using? Where did the data go when it ran? Was it sitting inside another platform, using connectors, APIs, or something else?

The MD didn't know. That is not a criticism. I wouldn't expect that very many MDs could explain such system architecture in detail. But the thing that stood out to me was that the knowledge sat with one person inside the business, while ownership sat somewhere else. The results were visible. The accountability and understanding were less clear.

Coupled with this, two AI news snippets from the last fortnight caught my eye.

On 6 May, Computer Weekly published an investigation into hyperscale cloud and data sovereignty. The core point was straightforward. Because the major hyperscalers are US companies, they may be subject to the US CLOUD Act, which compels US companies to hand over data in their possession, custody or control regardless of where the servers physically sit, and to FISA Section 702, which can compel technical assistance with no protection for foreign citizens.

On 7 May, CNBC reported that the European Commission was preparing a Tech Sovereignty Package focused on public-sector use of cloud services for sensitive information. The discussion was not aimed at private businesses directly. But governments tend to shape procurement environments around them.

Looking back a little further, in January, UK MPs from across the political spectrum tabled an Early Day Motion calling for a UK digital sovereignty strategy. An EDM is a signal rather than legislation. But the substance was specific: that government services and critical infrastructure depend on a small number of external digital suppliers, and that concentration creates risks including service withdrawal, sanctions, and unilateral changes in service terms.

Taken individually, these are policy stories, but taken together, they point towards a shift.

A year ago, the AI question in an SME was usually: which tool should we use? The more pertinent question now is: what is the tool doing, what data is it touching, and who is accountable for its use?

The privacy conversation is heading in the same direction.

The UK Data (Use and Access) Act changed parts of the automated decision-making framework. On 31 March, the ICO published draft guidance. Its finding from over thirty employers was that many organisations did not recognise where automated decisions were already influencing outcomes. Human involvement was often present in theory but weak in practice. Signing off an AI recommendation is not necessarily meaningful oversight. The person reviewing it needs the authority, discretion and information to change the outcome.

Looking across these developments, for many SMEs that want to use AI more deeply, the most useful first step is to create visibility through an audit and a register.

Which AI tools are being used? By whom? On what data? Under whose account? What decisions do they support? Who owns the consequence if the output is wrong?

Such a register won't answer every legal or technical question, but it does give the management team a view of what is already happening inside the business.

The same logic applies to security. Cyber Essentials, Cyber Essentials Plus and ISO 27001 are all available routes that a typical SME may consider. They sit at different points on the security ladder, with different costs and different levels of evidence. The useful questions are rarely "which security standard sounds best?" or "which is the easiest?", but "what level of evidence will our customers expect from us in the next twelve to eighteen months?"

I've had similar conversations recently with peer advisers working with SMEs. The repeated theme is not capability. Most businesses are already experimenting with AI. The issue is visibility. Management teams often can't see the whole picture.

Many businesses I speak to are now becoming more aware of where and how they can use AI. When the conversation moves from use to ownership, data and governance, the picture is often less clear.