as part of the "AI Governance Toolkit for SMEs" project of the HUX AI Research Team.
Executive Summary
Artificial Intelligence (AI) is transforming how SMEs work and serve customers. But limited resources and know‑how can make responsible adoption hard. This kit gives you a simple, step‑by‑step way to adopt AI transparently, safely, and effectively.
What you’ll do here: start with a quick readiness test, assess risk (Template 2), set your data responsibilities (Template 1), and make your transparency and accountability practical (Template 3). Then use the 10‑day plan to assign owners, track status, and attach evidence. Export a printable report when you’re done.
This toolkit includes:
Optional readiness self‑assessment to see where you stand.
Template 2 — Risk: score level and required actions.
Template 1 — Data: policy, legal roles, and compliance basics.
A company needs to understand which regulatory requirements apply to it before it can run a smooth governance process. Because data is a core element of every AI system, companies must meet their obligations under both data protection law and AI regulation.
What are these regulations?
GDPR (General Data Protection Regulation): EU law that sets the rules for processing personal data (lawful basis, transparency, data minimisation, data subject rights, security, accountability). If you process personal data about people in the EU, the GDPR applies even if your company is based elsewhere; the UK applies the same principles through the UK GDPR.
Data Act: EU law that governs access to and sharing of data produced by connected products and related services (e.g., IoT devices), clarifying rights and obligations for making such data available.
EU AI Act: EU regulation that classifies AI systems by risk and sets obligations accordingly (transparency duties for limited‑risk systems; extensive governance, documentation and human‑oversight duties for high‑risk systems; a ban on certain unacceptable uses). Your role determines which duties apply: a provider develops the system or places it on the market, a deployer uses it under its own authority, and most SMEs buying AI tools are deployers.
Readiness self‑assessment
Score each question 0=No, 1=Partially, 2=Yes. There are 20 questions, so the maximum score is 40; a score of 0 is shown as "Very Low Readiness".
Strategy & Purpose
1. Is there a written statement describing the company’s purpose for using AI?
2. Are AI objectives explicitly aligned with the company’s overall business strategy?
AI Inventory
3. Does the company maintain an up-to-date inventory of all AI systems and tools in use?
4. Are the business processes where AI is applied clearly documented and communicated?
Data Management
5. Are all data sources used for AI registered and documented (including third-party datasets)?
6. Have minimum standards been defined for data quality, privacy, and GDPR compliance?
Transparency & Fairness
7. Are customers informed when AI is used in products, services, or decision-making?
8. Are employees made aware of the boundaries and limitations of AI-driven decisions (e.g., bias, reliability, explainability)?
Human Oversight
9. Are critical AI-assisted decisions subject to human approval before implementation?
10. Is there a clear list of roles and responsibilities (who operates, who supervises, who approves AI use)?
Policies & Procedures
11. Has the company published a simple internal “AI Use Policy” or guideline?
12. Is there a defined escalation channel (person or department) for reporting AI misuse or incidents?
Security & Access Control
13. Is access to AI systems restricted to authorized personnel only (role-based access)?
14. Are safeguards in place to prevent data leaks or prompt injection attacks (e.g., limiting which data and tools the model can reach, and checking model inputs and outputs)?
Legal & Regulatory Compliance
15. Has a compliance checklist been prepared covering GDPR, the AI Act, or other relevant regulations?
16. Are additional safeguards considered for “high-risk” AI applications (e.g., HR, finance, safety-critical processes)?
Monitoring & Recordkeeping
17. Are AI errors, incidents, and user complaints systematically logged and reviewed?
18. Are model updates, retraining sessions, or major prompt changes documented for auditability?
Training & Awareness
19. Have employees received at least a short AI awareness or responsible use training?
20. Is employee awareness of AI risks and responsibilities measured through a survey, quiz, or test?
Getting Started
The 10‑day plan takes its dates from the start date you set here.
Start with Template 2 (Risk). Its risk level colour tells you how urgently to complete Templates 1 (Data) and 3 (Transparency and accountability).