Most SMBs adopting AI right now are choosing tools before they have a policy. That is backwards. By 90 days into a tool deployment, you should have a policy, an inventory, an approval framework, an audit cadence, and a quarterly review process. If you do not, the tool will accumulate uncontrolled use cases and you will spend year two cleaning up what year one let happen.
This post is a 90-day governance plan that works whether you pick Claude for Small Business, Microsoft Copilot, Google Gemini for Workspace, ChatGPT Business, or any combination. It is vendor-agnostic on purpose because the governance is the same regardless of which logo is on the tool. For series context, see our launch coverage, the Financial Services SMB deployment read, and the Healthcare SMB read.
Twelve weeks of structure, followed by a quarterly cadence. Realistic for an SMB without a dedicated security team. Sized to land in operations, not in a binder no one reads.
Why Governance Matters More Than Tool Choice
Three things I see at SMBs that did not put governance in place early.
First, shadow AI. Employees experiment with consumer AI on company data because there is no sanctioned alternative. That is the worst of both worlds: you carry the risk without capturing the value.
Second, uncontrolled scope creep. The team gets enthusiastic, the use cases multiply, and three months in you discover the AI is touching contract management, financial reporting, and client communications all at once with no central record.
Third, audit panic. The first time a customer asks whether an AI sees their data, or an insurance carrier asks the same on a renewal questionnaire, or a regulator opens a routine exam, the SMB scrambles to produce a coherent answer. Our Cyber-Insurance Alignment for Financial Firms checklist shows what carriers are asking about AI specifically.
The fix for all three is governance set up in the first 90 days. Specifically, the framework below.
Days 1 to 30: Inventory and Access
Goal: know what is happening today, and who can touch what.
Week 1: Tool Inventory
Survey every team member: what AI tools are you using for work, including personal accounts on consumer products?
Pull SSO logs to see what AI services have been logged into in the last 90 days. SSO only shows the apps that are federated through it; consumer tools used with personal logins will not appear there, so cross-check DNS, web proxy, or CASB logs if you have them.
Review browser-extension installations across managed devices.
Document everything in a single AI tool registry. Vendor, plan tier, who uses it, what data it touches.
Week 2: Access Mapping
For each tool in the registry, document the actual access pattern. Which systems does it integrate with? What permissions does it inherit?
Identify any tool using a service account with broader access than individual users.
Flag any tool where data classification is unclear (PHI, NPI, intellectual property, others).
Week 3: Risk Classification
Assign a risk tier to each tool: low (no sensitive data), medium (some sensitive data with safeguards), high (regulated data or critical operations).
For high-tier tools, document the specific regulatory framework that applies (HIPAA, GLBA, SOC 2 customer commitments, others). For HIPAA in particular, the Security Rule's 18 standards across its administrative, physical, and technical safeguards are the audit-floor reference.
Week 4: Decision and Consolidation
Decide which tools stay, which go, and which consolidate. Most SMBs find redundancy here.
Communicate the decision to the team with a rationale.
Cancel unused subscriptions. Often pays for the governance work itself.
Days 31 to 60: Policy and Training
Goal: write down the rules, then train the team on them.
Week 5: Policy Drafting
Your AI usage policy does not need to be 30 pages. It needs to answer five questions clearly.
What AI tools are approved for company use, and at what data classification?
What types of data are never permitted in any AI tool? (PHI without BAA, attorney-client privileged content without protective measures, board materials before disclosure, others.)
What approval is required before deploying a new AI workflow? (Tool registry update, manager approval, security review for high-tier data.)
What is the incident reporting expectation when something goes wrong? (Who to notify, within what time window, what gets escalated.)
How often is the policy reviewed? (Quarterly minimum, given how fast the landscape changes.)
Week 6: Approval Matrix
Build a simple matrix showing who has authority to approve which decisions. Three columns are enough: data tier, action, approver.
Example rows: low-tier data, deploying new tool, manager approval. Medium-tier data, new workflow, operations lead approval. High-tier data, anything, compliance or security lead approval, documented.
Week 7: Team Training
Run a 60-minute internal training using the Anthropic AI Fluency for Small Business course as the foundation. Add 15 minutes of company-specific policy review at the end.
Require acknowledgment of the policy in writing. Standard HR practice.
Identify one AI champion per department. Their job is not approval. Their job is to be the first line of triage on whether an idea is worth piloting.
Week 8: Pilot Launch
Pick two workflows from your approved list. Launch them officially with documentation and metrics.
Standard pilot disciplines: success criteria written down before launch, weekly check-ins for the first 30 days, formal review at day 60.
Days 61 to 90: Audit and Review
Goal: prove what happened, course-correct, and set a sustainable cadence.
Week 9: Audit Log Review
Export 30 days of audit logs from every active AI tool.
Review for anomalies: unusual access patterns (new users, off-hours use, logins from unmanaged devices), data exfiltration risk signals (bulk uploads, connectors or plugins being enabled, prompts that contain regulated identifiers), and off-policy usage (tools or data tiers that are not in the registry and approval matrix).
If your tools cannot produce useful audit logs at this stage, that is a finding. Document it and budget for a replacement or a layer that provides logging.
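The Week 1 SSO pull and this Week 9 log review are the same mechanical task: take exported login or audit events, pick out the AI services, compare them against the registry, and flag what is off-policy. The script below is an added example, not code from the post or from any vendor. It assumes events exported as JSON lines with the fields ts, user, app, and managed (real Okta or Entra exports use different field names, so map them first); the AI domain list, the registry, and the log lines are constructed for the example, and the off-hours check runs on UTC timestamps.

```python
"""Review exported SSO events for AI-service usage against the tool registry.

Added example for the 90-day plan, not from the original post. Field names,
the AI domain list, the registry, and the sample events are all constructed
assumptions; map your own export's fields before running this on real data.
"""
import json
from datetime import datetime

# Hostnames of AI services to look for (constructed; extend for your environment).
AI_DOMAINS = {
    "chat.openai.com": "ChatGPT",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Copilot",
}

# Sanctioned tools from the registry and the highest data tier each is approved for
# (constructed example registry).
REGISTRY = {
    "Claude": "high",
    "Copilot": "medium",
}

# Constructed SSO events as JSON lines, not real log data.
SAMPLE_EVENTS = """
{"ts": "2026-03-02T09:12:03Z", "user": "alice@example.com", "app": "claude.ai", "managed": true}
{"ts": "2026-03-02T22:47:10Z", "user": "bob@example.com", "app": "chat.openai.com", "managed": false}
{"ts": "2026-03-03T10:05:44Z", "user": "carol@example.com", "app": "gemini.google.com", "managed": true}
{"ts": "2026-03-03T10:06:01Z", "user": "alice@example.com", "app": "copilot.microsoft.com", "managed": true}
{"ts": "2026-03-04T03:15:27Z", "user": "bob@example.com", "app": "chat.openai.com", "managed": false}
{"ts": "2026-03-04T11:30:00Z", "user": "dave@example.com", "app": "salesforce.com", "managed": true}
"""


def parse_events(text):
    """Parse JSON-lines events; timestamps become timezone-aware datetimes (UTC)."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return events


def ai_inventory(events):
    """Week 1 output: each AI service seen, who used it, when it was last seen,
    and whether it is already in the registry."""
    inventory = {}
    for event in events:
        tool = AI_DOMAINS.get(event["app"])
        if tool is None:
            continue  # not an AI service we track
        record = inventory.setdefault(
            tool, {"users": set(), "last_seen": event["ts"], "sanctioned": tool in REGISTRY}
        )
        record["users"].add(event["user"])
        record["last_seen"] = max(record["last_seen"], event["ts"])
    return inventory


def review_findings(events, work_hours=(7, 19)):
    """Week 9 pass: flag unsanctioned tools, unmanaged devices, and off-hours use.
    Hours are compared in UTC; adjust work_hours or convert timestamps for local time."""
    findings = []
    for event in events:
        tool = AI_DOMAINS.get(event["app"])
        if tool is None:
            continue
        if tool not in REGISTRY:
            findings.append(("unsanctioned_tool", event["user"], tool))
        if not event["managed"]:
            findings.append(("unmanaged_device", event["user"], tool))
        if not (work_hours[0] <= event["ts"].hour < work_hours[1]):
            findings.append(("off_hours", event["user"], tool))
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for tool, rec in sorted(ai_inventory(events).items()):
        status = "sanctioned" if rec["sanctioned"] else "NOT IN REGISTRY"
        print(f"{tool:10} users={len(rec['users'])} last_seen={rec['last_seen'].date()} {status}")
    for kind, user, tool in review_findings(events):
        print(f"finding: {kind:18} {user} -> {tool}")
```

The inventory output is what goes into the tool registry in Week 1; the findings list is the raw material for the Week 9 review memo. Anything flagged unsanctioned_tool is either a candidate for the Week 4 consolidation decision or a policy violation, depending on whether the policy was already in force when the event happened.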
Week 10: Pilot Review
Measure the two pilot workflows against their success criteria. Hours saved? Quality improved? Errors reduced?
Decide: scale, iterate, or retire. Be willing to retire a pilot that did not perform.
Week 11: Policy Refinement
Update the AI policy based on what you learned. Common updates after 90 days: clarifying which workflows count as high data tier, tightening or loosening approval rules, adding tools that did not exist at policy drafting time.
Week 12: Quarterly Cadence Handoff
Schedule the next quarterly review.
Document the four artifacts (registry, policy, approval matrix, audit log review notes) in a shared location with version control.
Communicate to the team what is next.
The Four Artifacts Every SMB Should Produce
By day 90, an SMB doing this right has four artifacts. None of them need to be elaborate. All of them need to exist and be current.
Tool registry. One page per AI tool. Vendor, plan, owner, data classification, last reviewed date.
Approval matrix. One page total. Data tier rows, action columns, approver cells.
AI usage policy. Two to four pages. The five questions above answered concretely.
Audit log review notes. A short memo summarizing what was reviewed each quarter and what was found.
Total documentation: roughly 10 to 20 pages. Reviewable in 30 minutes by anyone who needs to see it.
What Most SMBs Skip
Five things I see SMBs skip most often, in rough order of how often it bites them.
The tool inventory itself. Owners think they know what is being used. They are usually wrong by a factor of two or three.
The approval matrix. The policy gets written but the practical decision-rights piece does not, so every decision routes to the owner and the system bogs down.
The audit log review. Logs accumulate. Nobody reads them. By the time something goes wrong, six months of relevant log data has rolled off retention.
The quarterly review cadence. Set up once, then drifts. The landscape changes every 90 days at minimum. The review has to keep up.
The retire decision. Pilots get launched and never wound down. Tools accumulate. Costs and risks accumulate with them.
Closing Thought
AI adoption at an SMB is not a technology problem. It is an operations and governance problem with a technology component. The companies that get this right in 2026 will not be the ones with the slickest AI tools. They will be the ones who built the discipline to deploy, measure, and govern those tools at the same pace their teams adopted them.
This is the last post in the launch-window series. I will keep writing on AI for SMBs through the rest of the year. If there is a specific question about Claude for Small Business, a vertical I did not cover, or a governance issue you are wrestling with, I will write about it.
If you want help operationalizing this 90-day plan, our Managed AI and Compliance Readiness services were built for it. Schedule a consultation.
Disclosure: Techvera is an MSP serving small and medium businesses across North Texas (Denton headquarters) and New York. Our internal operations are powered in part by Anthropic’s Claude. Nothing in this post constitutes legal, compliance, or security advice. Adapt the framework above to your specific industry, regulatory profile, and risk tolerance. When in doubt, consult counsel.
About the Author
Todd Mitchell
Chief Operating Officer
Todd Mitchell is the COO of Techvera, bringing operational expertise and strategic vision to help businesses transform their IT infrastructure.
