
Franco T.,
Too Long; Didn't Read
More than half of AI users in companies use tools that are not officially approved. Why AI governance is not a bureaucratic monster, but an enabler.

Imagine this: Your sales team uses ChatGPT to generate proposal text with customer data. Your HR department lets an AI tool pre-screen applications. And your marketing team creates content with Copilot that nobody checks for hallucinations.
Do you know about it? Have you allowed it? Are there any rules for it?
If you hesitate on at least one of these questions, you are not alone. We see this at practically every Swiss SME we advise. AI tools are there. Employees are using them. But the governance? It is missing.
Shadow AI: The Invisible Risk
"Shadow AI" is the little sibling of Shadow IT, only with greater potential for damage. Employees use AI tools on their own initiative because they want to be more productive. Understandable. But the consequences are real.
According to a Salesforce study (2024), more than 50% of corporate AI users use tools that are not officially approved. And Cyberhaven's 2024 analysis found that around 11% of the data pasted into ChatGPT is confidential. Customer data, financial figures, strategy papers: all of it ends up with a third party.
This is not a theoretical risk. In 2023, Samsung banned ChatGPT internally after engineers had pasted proprietary source code and internal meeting notes into the chatbot. And in 2023, a New York legal team was sanctioned because it cited AI-generated, nonexistent court rulings in a case.
(We do not know of any Swiss SME that deliberately sends customer data to OpenAI. But we know many where it happens anyway, simply because there is no rule against it.)
Why now? The regulatory pressure is increasing
Two developments are turning AI governance from a "nice to have" into a "must-have right now":
The EU AI Act is a reality. The world’s first comprehensive AI law entered into force in August 2024. The implementation deadlines are staggered: banned practices since February 2025, rules for general-purpose AI from August 2025, and full application for high-risk systems from August 2026. The penalties? Up to 35 million euros or 7% of global annual revenue.
"This does not affect us as a Swiss company" is something we hear often. But that is not true. The EU AI Act has extraterritorial effect. If your AI system is used in the EU market or its output is used in the EU, you are affected. And almost every Swiss company with EU customers falls into this category.
The nFADP requires transparency. The new Swiss Data Protection Act (in force since September 2023) requires transparency regarding automated decision-making processes and gives data subjects the right to human review. If your HR tool uses AI to pre-screen applications and you do not disclose that, it is a problem.
Taken together: the regulatory landscape has shifted. AI without governance is not only risky; it is becoming increasingly unlawful.
What an AI governance framework includes (without the bureaucracy monster)
Here is the good news: AI governance for an SME does not have to be a 200-page rulebook. We work with a three-pillar model that is pragmatic enough to be set up in four weeks and robust enough to cover the key risks.
Pillar 1: AI usage guidelines
The foundation. A clear, easy-to-understand policy that defines:
Which AI tools are allowed? Define an "Approved List" of vetted tools. Everything else is off-limits until it has been reviewed.
Which data may be entered? Clear categorization: public data, yes. Internal data, only with approved enterprise versions. Customer data and confidential information, never in third-party tools without a data processing agreement.
How is output checked? Any AI-generated output that feeds into decisions, communication, or documents requires human review. The four-eyes principle for anything that goes outside the company.
Who is responsible? Define an AI owner (it does not have to be a full-time role) and clear escalation paths.
Sounds manageable? It is. Most companies have this in place within a week once someone takes the initiative.
Pillar 2: AI risk assessment
Not every AI tool carries the same level of risk. A text generator for marketing copy is different from an AI-supported system that assists with credit decisions. The risk assessment sorts your AI applications by risk category:
Low risk: Internal productivity tools without sensitive data (e.g. meeting summaries, draft texts without customer references)
Medium risk: Tools with internal data or customer contact (e.g. chatbots, proposal assistants, analytics tools)
High risk: Systems that feed into decisions about people (e.g. HR screening, credit checks, security monitoring)
For each category, you define appropriate controls. Not everything needs the same effort, and that is exactly what makes the approach pragmatic.
Pillar 3: Monitoring and control
Governance without monitoring is like a seat belt without a buckle. You need:
An AI inventory: Which AI tools are being used in the company? (You will be surprised by how many there are.)
Regular reviews: Quarterly checks to see whether the policies are being followed and whether new tools have appeared
Incident process: What happens if confidential data nevertheless ends up in an unauthorized tool? A clear process prevents panic responses
Training and awareness: The best policies are useless if nobody knows them. Short, regular training sessions (not an annual 3-hour compliance training that everyone clicks through)
An AI governance framework in 4 weeks
Sounds ambitious? It is doable. Here is the roadmap we use with our clients:
Week 1: Inventory. Catalogue all AI tools currently in use. Ask actively, not just the IT department, but all teams. (A tip: do not ask "Do you use AI?"; ask "Which AI tools do you use?" The answers are more revealing.)
Week 2: Draft policies. Create an AI usage policy based on the inventory. Define approved tools, data categories, and review processes. Keep it to 3-5 pages; nobody reads more.
Week 3: Conduct the risk assessment. Categorize the identified tools by risk level. Define controls for each category. Prioritize: high-risk applications first.
Week 4: Set up monitoring and communicate. Establish the review process, define the incident workflow, and, most importantly, communicate the governance to all employees. Short onboarding, clear expectations.
This is not a perfect framework. But it is a functioning one. And a functioning framework in four weeks beats a perfect one in twelve months.
Governance is not a brake; it is an enabler

Here is the point many overlook: companies that take AI governance seriously innovate faster, not slower.
Why? Because clear rules remove uncertainty. When employees know which tools they may use and which data is allowed, they use AI more productively. Without guidelines, either uncontrolled growth takes over (risky) or people hold back out of fear (missed opportunities). Both cost money.
We have seen with our clients that a clear AI policy increases productive AI use by a factor of two to three, simply because the barrier drops when the framework is clear.
The next step
You do not need to have a perfect AI governance framework tomorrow. But you should start with one step tomorrow:
Find out which AI tools are being used in your company. Ask your team. The answers will surprise you and show you where the most urgent need for action lies.
(We help Swiss companies build AI governance pragmatically and vendor-neutrally, not as a compliance exercise, but as the foundation for secure innovation.)