Introduction
Alongside the advancement of generative artificial intelligence (AI) and frontier models, a flurry of principles and frameworks have been produced in recent years that aim to provide organizations with guidance on AI best practices. While most of these reports claim to be broadly applicable, in providing an expansive set of recommendations, they implicitly assume that the organization implementing them has abundant resources. Recent work by CSET researchers to harmonize and operationalize the guidance across these reports has sought to address the issues of information overload, disparate sources of information, and lack of implementation details facing organizations. Yet the comprehensive approach laid out in those reports likely remains burdensome for small and medium enterprises (SMEs). These organizations may either forgo the benefits of AI adoption or pursue it without adequate safety and security measures.
Below we describe achievable first steps for resource-constrained organizations to begin approaching AI adoption. These include 1) assessing AI readiness, 2) creating guidelines for personal AI use, 3) selecting the right use case, 4) setting limitations, and 5) prioritizing protections. SMEs may not have the luxury of dedicated AI staff; however, being small offers some advantages in deploying and using AI.
Assessing Readiness for AI Adoption
The first step when considering AI adoption for organizations of any size is assessing readiness. Smaller organizations often lack key resources—finances, infrastructure, expertise—that limit their ability to adopt new technologies such as AI. Therefore, it is imperative that SMEs conduct an objective self-assessment of their capabilities to support AI technology and their constraints. Maturity models are useful tools to assess organizational capabilities and readiness to adopt new technology. While many AI maturity models are geared toward large organizations, researchers have developed maturity models and readiness assessments specifically for SMEs.
In some cases, the self-assessment may indicate that the organization is not ready for AI adoption. That result is not a sign of failure—caution in adopting AI is valuable. Initial research indicates that there are substantial second-mover advantages for small businesses in adopting AI. Furthermore, hastily deploying AI systems creates numerous risks to the confidentiality of the organization’s data, the integrity of its decision-making, the security of its systems, and the safety of its users and personnel. Taking the time to prioritize and develop the capabilities to address these issues first—rather than risk the potential legal, reputational, and financial fallout after an AI incident—is a responsible and rational decision, even if there are myriad headlines saying otherwise.
AI Use Will Occur Whether the Organization Is Ready or Not
While caution in deciding to deploy AI systems is a sign of good management—not a failure of leadership—organizations should recognize that the use of AI tools within their enterprise is likely to occur even if AI is not adopted in an official capacity. A 2024 report from Microsoft and LinkedIn found that 75 percent of employees were already using AI at work, and that 78 percent of that use was occurring without explicit clearance or guidance from their employer. This trend—referred to as bring your own AI (BYOAI) or shadow AI—is even more common among SMEs, rising to 80 percent of AI users. Although trying to clamp down on unauthorized AI use is an option, engaging with it is likely to be more productive and may lead to broader adoption opportunities. That said, providing employees with guidelines and resources for how to use AI tools responsibly within the organization is vital. First, develop an acceptable use policy that specifies what the organization expects of its employees when using AI. Second, provide resources and training aimed at improving general AI literacy within the organization. This includes instructing personnel on how to use AI effectively, understand its capabilities and limitations, and apply it to the appropriate tasks.
Selecting the Right Use Case
If the organization’s leadership determines that it is ready for broader AI adoption, the organization should work toward achieving strategic alignment between its organizational strategy and its goals for AI adoption. Early results find that upward of 75 to 95 percent of generative AI projects fail to achieve their intended goals. These adoption failures are often due to a misalignment between the organization’s expectations for AI, the intended use case that AI was applied to, and the organization’s ability to provide the needed data and infrastructure to support successful implementation. Given that the typical SME has limited data and infrastructure capabilities, selecting an appropriate use case for AI is all the more important. In determining an appropriate use case for AI, we suggest three factors to consider:
- AI is a tool, not a solution. As such, leadership should develop a vision for how AI will further the organization’s objectives before adopting the tools. The first step should be identifying existing problems within the organization by gathering input on the current challenges facing internal and external stakeholders. Then leadership should assess whether AI is an appropriate tool for solving the identified problems and consider how alternative non-AI solutions could also address these challenges.
- AI’s capabilities have limitations, so expectations for AI should as well. There are many AI use cases for small businesses, including automation, generating business materials, improving customer service, analyzing information streams, and writing code. However, how AI is applied is as important as selecting the right use case. Rather than trying to automate end-to-end business processes, AI can be more effectively implemented to tackle rote and repetitive tasks. Employees could use AI to generate ideas or initial drafts of materials rather than end products. Instead of replacing customer service personnel, AI can be used to augment their capacity. While AI can provide insights from unstructured data, it should not be given sole decision-making authority or be treated as the only source of information to inform a decision. SMEs should treat AI-generated code as a rapid prototype, not production-ready software. In all of these cases, the key is setting realistic expectations for what AI can and should do within the organization.
- AI is a supplement to, not a substitute for, people. While there have been efforts across a variety of domains to replace humans with AI—as workers, therapists, educators, or even friends—evidence indicates that we have yet to observe large-scale human displacement within the workforce. Whether that trend holds and what capabilities AI may have in the future remain uncertain; however, many of the benefits realized from AI in the workplace today come from complementing or augmenting, rather than automating, human tasks. People are often the core asset at small organizations, so it is vital to pursue use cases in which AI can support employees’ work, expand their capacity, and augment their capabilities.
Align Limited Resources with Limited Scope
Once an organization has settled on an intended AI use case, it should take steps to limit the scope of the project and its impacts. This can be done in two primary ways: limiting in-house development and designing the system to limit access, functionality, and autonomy. At first, the organization should consider using cloud-based AI tools and offerings that use an AI-as-a-Service (AIaaS) model. This allows the organization to offload the responsibilities for model development, hosting, and maintenance—all resource-intensive efforts. In addition to saving cost, these services also reduce the risk that the organization would otherwise take on if developing or deploying models in-house. That said, there are cases in which greater control over the model and the data it uses may warrant the deployment of open models internally or the use of on-premise AI services.
Second, the organization should take steps to limit the scope of the AI project, both in how it is designed and the context in which it is deployed. The barriers to integrating AI systems into existing technology and processes are high, and integration challenges can be particularly acute for SMEs. Reducing scope can help alleviate these issues. In adhering to the principles of least privilege and least functionality, organizations should design the AI application to only access systems or data that are strictly necessary and limit the range of actions that the system is allowed to perform. These steps help to reduce the attack surface of the system and the impact of potential incidents. For systems that operate with a degree of autonomy or make automated decisions, practitioners should restrict the action space that the system operates in and ensure there are controls in place for meaningful human oversight. Organizations should also use pilot programs to test and identify potential issues early on and, when deploying across the broader organization or user base, employ staged rollouts to limit the exposure of unforeseen issues.
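As an added illustration (not part of the original article or of CSET's guidance), the sketch below shows one way least privilege, a restricted action space, and human oversight can be enforced in front of an AI system's tool calls. The policy, action names, resource names, and approver are all constructed for a hypothetical customer-support assistant.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ActionRule:
    resources: frozenset       # data stores this action may touch
    needs_human: bool = False  # True: a named person must approve first

# Constructed policy for a hypothetical customer-support assistant.
# Anything not listed here is outside the action space and is refused.
POLICY = {
    "lookup_order": ActionRule(frozenset({"orders"})),
    "draft_reply": ActionRule(frozenset({"tickets"})),
    "issue_refund": ActionRule(frozenset({"orders", "payments"}), needs_human=True),
}

def authorize(action, resources, approved_by=None, policy=POLICY):
    """Return (allowed, reason) for one action the AI system requests."""
    rule = policy.get(action)
    if rule is None:
        return False, "action not in allowlist"       # least functionality
    extra = set(resources) - rule.resources
    if extra:                                          # least privilege
        return False, "resource outside scope: " + ", ".join(sorted(extra))
    if rule.needs_human and not approved_by:           # human oversight
        return False, "human approval required"
    return True, "ok"

def audit(requests, policy=POLICY):
    """Decide each request and return a log that can be reviewed later."""
    log = []
    for req in requests:
        allowed, reason = authorize(
            req["action"], req["resources"], req.get("approved_by"), policy)
        log.append((req["action"], allowed, reason))
    return log

# Constructed requests, as the AI system might emit them.
SAMPLE = [
    {"action": "lookup_order", "resources": ["orders"]},
    {"action": "lookup_order", "resources": ["orders", "hr_records"]},
    {"action": "delete_customer", "resources": ["orders"]},
    {"action": "issue_refund", "resources": ["orders", "payments"]},
    {"action": "issue_refund", "resources": ["orders", "payments"],
     "approved_by": "j.doe"},
]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print(entry)
```

The gate denies by default, so widening the system's scope requires an explicit change to the policy, and the log gives a small team a single place to review what the system attempted.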
Prioritize Protections
Existing AI guidance, including that produced by CSET, recommends a host of safety and security practices for AI adoption. However, SMEs do not have the luxury of throwing endless resources at the problem. Therefore, prioritization becomes a necessity—both in terms of what to protect and what kind of protections to implement. While the exact needs of each organization will vary, we recommend prioritizing the following, each of which corresponds to a specific section of CSET’s Guide to Operationalizing AI:
- Control your data: Examine the terms of service of external AI tools to understand how the provider will use and protect the data that the AI system accesses. Consult with your organization’s lawyers to assess whether there are any legal implications of the AI system processing specific data. In addition, work with employees and use data filters to help prevent proprietary, sensitive, or classified information from being sent to external AI tools.
- Protect your infrastructure: Many of these protections are covered by basic SME cybersecurity practices, which organizations are hopefully already following. Extend these principles to AI by separating the environments in which the AI system is operating from other organizational resources, restricting access to the AI system, and protecting the key access points—such as application programming interfaces (APIs) or user interfaces—through which employees and users interact with the AI system.
- Test the model: When selecting AI services, consider how the system and model were tested by the provider and what documentation is available. In addition, conduct your own testing to verify the provider’s claims. Test the model’s performance under realistic and stressed conditions. Evaluate the potential for bias, particularly if the AI system is used in any decision-making capacity within the organization. Finally, evaluate how the AI system will integrate with the organization’s existing infrastructure and business processes. Consider bringing in external expertise to assist with these assessments.
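The data filters mentioned under "Control your data" can start as a small outbound check that runs before any prompt leaves for an external AI tool. The following is an added example, not code from the original article; the markings and patterns are constructed and would need tuning to an organization's own data.

```python
import re

# Constructed patterns; a real deployment would tune these to its own data.
BLOCK_MARKERS = re.compile(
    r"\b(CONFIDENTIAL|INTERNAL ONLY|ATTORNEY-CLIENT)\b", re.I)
REDACT = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "secret": re.compile(r"\b(?:api[_-]?key|token|password)\s*[:=]\s*\S+", re.I),
    "card": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

def luhn_ok(digits):
    """Card checksum, so order and invoice numbers are not redacted."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def filter_prompt(text):
    """Return (verdict, text_to_send, findings) for one outbound prompt."""
    # Marked documents are blocked outright: nothing is sent.
    if BLOCK_MARKERS.search(text):
        return "block", None, ["marking"]
    findings = []

    def make_sub(kind):
        def sub(match):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                return match.group()      # long number, but not a card
            findings.append(kind)
            return "[" + kind.upper() + " REDACTED]"
        return sub

    for kind, pattern in REDACT.items():
        text = pattern.sub(make_sub(kind), text)
    return ("redact" if findings else "allow"), text, findings

# Constructed sample prompt.
SAMPLE = ("Summarize the complaint from jane.roe@example.com about card "
          "4111 1111 1111 1111, order 1234567890123456.")

if __name__ == "__main__":
    print(filter_prompt(SAMPLE))
```

Pattern matching only catches data with a recognizable shape, which is why the article pairs filters with working directly with employees on what should not be shared.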
Multiple Responsibilities
Unlike large organizations that have specific roles or entire teams to implement various aspects of AI best practices, individuals at SMEs will likely have to assume multiple responsibilities. Instead of creating a dedicated leadership role to oversee AI initiatives, such as a Chief AI Officer (CAIO), this responsibility will likely fall to an existing leader within the organization. That said, clearly defining that ownership remains important. That leader will also likely have additional responsibilities—such as risk management, compliance, ethics and impact assessments—that at a larger institution may spread across different business units. Similarly, rather than standing up dedicated teams or creating specialized roles, many AI-related functions will likely be assigned to existing staff at smaller organizations. As such, providing training to personnel to enable them to properly handle additional AI-related responsibilities must be a priority. Turning to external resources and services can help bridge talent gaps and address capacity limitations that are common among small businesses. Many paid services exist to assist organizations in adopting and supporting AI tools. In addition, fostering relationships with industry and academic partners can provide valuable avenues of organizational learning, including opportunities to support training and upskilling the organization’s employees. While it is infeasible for SMEs to have independent review commissions or boards like large companies or AI developers might, contracting or working with external partners can provide some measure of independent review and oversight.
Leverage the Advantages of Being Small
Although adopting AI and implementing AI best practices can be more challenging for small businesses, operating on a smaller scale can also be advantageous. Many of the key recommendations identified in CSET’s analysis of existing AI guidance focus on engagement, monitoring, and organizational change. These can be challenging for large organizations that have a massive customer base, a sprawling set of employees, and an expansive IT infrastructure—all of which may be geographically dispersed. These factors introduce friction and create an inherent distance between the implementation of AI systems and the people that they impact. Unhindered by these burdens, SMEs can leverage the advantages of smaller scale in the following ways:
- Direct engagement: Relationships with employees and customers in smaller organizations tend to be more personal, which can make it easier to gather input from key stakeholders. Direct engagement can be used to identify needs that AI may be able to help address, provide requirements for potential solutions, and collect feedback to evaluate the AI system during testing and operation.
- Situational awareness: Operating at a smaller scale can give leadership greater visibility into the overall operations of the organization. That situational awareness can help to quickly identify and respond to adverse AI impacts.
- Responsiveness: A tighter coupling between implementation and impact can help smaller organizations be more responsive to employee and customer feedback. This can lead to faster improvement cycles that facilitate experimentation and evaluation, which can play a vital role in successful AI adoption. In addition, this level of responsiveness can facilitate continuous improvement and iterative development strategies.
- Adaptability: Being a smaller organization can also be an advantage in adapting to and implementing change. This can facilitate the use and adoption of AI tools within the organization. In addition, leaders can take a more direct role in promoting a cybersecurity-, privacy-, and safety-aware culture within the organization.
Conclusion
As SMEs begin the process of adopting AI technology, we recommend taking a cautious approach—one that objectively considers whether the organization is ready for AI, appropriately tempers the expectations for what AI can do, and identifies initial AI use cases that are limited in scope. In addition to prioritizing data protections, infrastructure security, and model testing when adopting AI, we also highlight the important role that the organization’s people play in AI adoption. Whether to address BYOAI use or to support employees performing multiple AI-related functions, developing AI literacy and talent within the organization is a necessity in today’s workplace. While SMEs operate under many constraints—human, financial, technological, or otherwise—there are advantages to having smaller size that can, and should, be leveraged to support the organization’s adoption of AI technology.