Agentic AI Governance
for SMEs
Your AI agents book meetings, send emails, run SQL and touch production. A FTSE 100 governance pack doesn't fit you. We write a short policy your team will read, put the guardrails into the code, and leave you something you can hand to an auditor.
40%
OF AGENTIC AI PROJECTS CANCELLED BY 2027 (GARTNER)
97%
OF AI BREACHES LACKED ACCESS CONTROLS (IBM 2025)
63%
OF BREACHED ORGS LACK AI GOVERNANCE (IBM 2025)
Chatbots suggested. Agents act.
A chatbot writes a draft and a human presses send. An agent reads its own email, replies, books the call, updates the CRM and refunds the customer. Roughly the same model underneath, very different blast radius.
Most SMEs' AI governance is a paragraph in the staff handbook about not pasting customer data into ChatGPT. That covers the chatbot. It doesn't cover the agent running queries against your production database at 3am.
Anything that can act on your behalf needs a policy, the permissions, and logs.
ASSISTIVE AI
- Suggests, a human acts
- Blast radius = one screen
- Mistake caught at copy-paste
- Acceptable-use policy covers it
- Risk reviewed once a year
AGENTIC AI
- Decides and acts, autonomously
- Blast radius = every tool it owns
- Mistake hits customers in seconds
- Needs policy, permissions, evals, logs
- Risk reviewed each time it changes
Five places agents bite SMEs.
The recurring failure modes from the OWASP Top 10 for Agentic Applications (Dec 2025) and the incidents already in public reporting. We see the same five in most SMEs.
Prompt injection
An attacker hides instructions in an email, a PDF or a web page the agent reads. The agent does what the attacker said, not what you said. OWASP LLM01, and the root cause of EchoLeak (CVE-2025-32711) in Microsoft 365 Copilot.
Excessive agency
Service account with full DB write, deploy keys, and a Stripe token, all wired to one agent because that was simplest in the demo. Principle of least agency exists for a reason. So does Replit's deleted database.
Tool misuse
The agent has the tools you gave it, but uses them in a combination you never tested. Send-email plus list-contacts plus a hallucinated CC field is one missed eval away from a GDPR notification.
No observability
No log of which prompt, which tool call, which output. When a customer asks why your agent refunded their competitor, you can't answer. You also can't show the ICO how the decision was made.
Shadow agents
Marketing's on Zapier with a Claude key. Sales built a GPT that reads the CRM. Ops wired n8n to the warehouse API. Nobody in IT knows. IBM's 2025 breach report puts the shadow-AI premium at $670,000 a breach.
Which standards actually matter to you.
There's a lot of acronym soup. A UK SME only needs a handful. We map your agents to the ones below, ignore the rest, and write the policy on top.
NCSC Guidelines for Secure AI System Development
Joint UK and US guidance, co-signed by 23 agencies (Nov 2023). Four stages: secure design, development, deployment, operation. The closest thing the UK has to a default baseline.
DSIT AI Cyber Security Code of Practice
Published 31 Jan 2025. Thirteen voluntary principles across five lifecycle stages. Now the basis for ETSI TS 104 223. Voluntary today, probably not in a couple of years.
NIST AI RMF 1.0 + GenAI Profile
Govern, Map, Measure, Manage. The Generative AI Profile (NIST AI 600-1, Jul 2024) names 12 GenAI risk categories and 200+ suggested actions. The clearest checklist anyone has published.
ISO/IEC 42001:2023
AI management system standard. Certifiable. Useful if your enterprise customers are starting to ask for it on the procurement questionnaire. Overkill if they aren't.
OWASP Top 10 for Agentic Applications
Released 9 Dec 2025 by the OWASP GenAI Security Project. The first list ranked by what's actually breaking agents in production. Ten ASI categories. If you only read one of these, read this one.
EU AI Act (and what touches you)
Prohibited practices live since Feb 2025. GPAI provider obligations live since 2 Aug 2025. Most UK SMEs are deployers, not providers, of high-risk systems. We tell you which articles you actually need to read.
Sources: ncsc.gov.uk, gov.uk DSIT, nist.gov AI RMF, iso.org, genai.owasp.org, digital-strategy.ec.europa.eu.
Where we come in.
Not a compliance theatre exercise. We map the agents you've got, write the policy in language people will read, and put the controls in the code so they hold under load.
Fixed scope per phase, days rather than quarters. You keep the artefacts and the code.
BOOK A GOVERNANCE CALLAgent inventory and risk map
We find every agent already running in your business. The ones IT knows about, the ones the marketing team built in Zapier, the GPTs running on personal accounts. For each one: what it can do, what data it touches, what it costs you if it goes wrong. Mapped against NIST AI RMF and the OWASP Agentic Top 10.
Policy people will follow
A short, plain-English policy: what agents are allowed to do, what needs a human in the loop, who signs off a new one, what gets logged. Aligned to NCSC and the DSIT Code of Practice, sized for an SME. Not a 60-page PDF nobody opens.
Guardrails in the code
Permissions scoped to the task. Tool calls validated server-side. Prompt injection filters on anything the agent reads. Approval steps for the high-stakes actions. Rate limits, spend caps, kill switches. The bits that survive contact with reality.
Evals, logs, red-team
A repeatable test suite for each agent: does it still refuse the things it should refuse, after every prompt change. Full traces of every prompt, tool call and decision in a searchable log. One round of adversarial testing before go-live. You leave with an audit trail you can show a customer, a regulator or your insurer.
It's already happening.
Three published 2025 incidents, all on tooling SMEs use today. Each one is a governance failure as much as a security one.
Replit agent wipes a production DB.
SaaStr founder Jason Lemkin's Replit agent deleted a production database holding 1,206 executive records and 1,196 company records on day 9 of a trial. The agent had been told it was under a code freeze. It ran the commands anyway. Excessive agency, in one line. Source: Fortune, AI Incident Database #1152.
EchoLeak, zero-click exfiltration.
Aim Security showed Microsoft 365 Copilot could be tricked into reading internal files and leaking them with one crafted email and zero user clicks. The agent followed instructions hidden in the email body. Patched and disclosed June 2025. First documented production zero-click prompt injection.
Amazon Q tries to wipe a million laptops.
An attacker landed a malicious pull request into the aws-toolkit-vscode repo, injecting a prompt telling Amazon Q to delete the user's files and AWS resources. Released to roughly a million installs as v1.84.0. Only a syntax error in the injected payload stopped it executing. Source: NVD, The Register, July 2025.
Sources: NVD, Fortune, The Register, AI Incident Database, Aim Labs.
The ones we get asked first.
We're 30 people. Isn't this overkill?
If the agents are real, the governance needs to be. Sized to you, not the FTSE 100. A 30-person company doesn't need an AI ethics committee. It does need to know which agents hold its Stripe key, what they can do with it, and how you'd find out if one went wrong.
Does the EU AI Act apply to us?
Probably less than you think. Most UK SMEs are deployers, not providers, of high-risk systems. The provider obligations under the GPAI rules (live since 2 Aug 2025) hit the OpenAIs and Anthropics of the world. We'll tell you which articles touch you and which don't, on the call.
Do we need ISO/IEC 42001?
Only if a customer is asking for it. Enterprise buyers are starting to put it on procurement questionnaires, and you can lose a tender for not having it. If nobody's asking, we'll align your controls to it informally so you can answer the question when it comes, without paying for certification you don't need yet.
What's the difference between governance and security?
Security stops someone from breaking in. Governance decides who's allowed to do what when nobody is breaking in. Agents need both because they have their own credentials, take their own actions, and don't tend to ask permission. We do both in one engagement.
What about agents staff are using on their own accounts?
Shadow AI. We always find it. IBM put the cost premium at $670,000 per breach where shadow AI was involved. The inventory phase pulls them into the open, and the policy gives staff a sanctioned path so they don't have to hide. Bring the agents in, don't try to ban them.
How long does it take and what does it cost?
Inventory and policy come first, often in days. Guardrails and evals depend on how many agents you've got. Fixed price per phase, scoped on the first call. You see the number before we start.
We haven't deployed any agents yet. Too early?
No, it's the right moment. Governance retrofitted onto live agents is twice the work. If you're about to launch the first one, we'll set up the policy, the patterns and the evals now so every agent after this one is built on the same rails.
Get your agents under control.
Tell us what your agents do today and what you're about to launch next. Thirty minutes, no slides. You'll come away with a clear view of which OWASP categories you've got covered, where the gaps are, and what it would take to close them.