How to set up an AI committee in your company (without dying in the attempt): a practical guide for SMEs and mid-sized businesses

You don’t need 50 people or a new department. You need an AI Steering Committee with clear roles, a gating system, and a policy that fits on two pages. We explain how to set it up step by step.

AI is already in your company. You may not have decided it yourself, but your employees are using ChatGPT, Copilot, or Gemini to do their work faster. 76% of organizations report unauthorized AI use. And when something goes wrong—a data leak, content containing fabricated information, an automated decision without traceability—the question is always the same: who is responsible?

The answer should be the AI Steering Committee (the AI committee): the body that turns principles and risks into evidence-based decisions. But most SMEs and mid-sized businesses don’t have one because they think it’s only for large corporations. It isn’t. A minimum viable AI committee can work with four or five people, meet for 90 minutes a month, and radically change the way your company adopts AI: from chaotic to governed, from endless pilots to fast, evidence-based decisions.

In this guide, we explain how to set it up step by step, what functions it should perform, who should be involved, how the gate system works, and how to draft an AI policy that is not a dead document.

Why your company needs an AI committee (even if you only have 20 employees)

Without governance, AI becomes three things: a bottleneck, a risk, and a waste. These are the specific problems an AI committee solves:

Uncontrolled Shadow AI

Your teams use AI tools on their own, without a policy, without approval, and without knowing what data they can share. The committee detects these uses, evaluates them, and decides: regularize or discontinue.

Endless pilots with no criteria for moving forward

Someone launched an AI test six months ago and no one has decided whether to continue, stop, or scale it. Without a gate system with clear criteria (GO/FIX/KILL), pilots become zombies that consume resources without generating value.

Bureaucracy that slows down innovation

When there is no clear channel for proposing and approving AI use cases, teams either bypass controls (Shadow AI) or become frustrated and give up. The committee creates a fast and safe path for innovation to flow.

Growing regulatory risk

The AI Act is in force. The GDPR already was. NIS2 comes into play. AI Act penalties can reach €35 million or 7% of global turnover. An AI committee ensures that every project is compliant from day one, turning compliance into a reputational asset instead of a cost.
Key fact: 43% of large companies lack AI risk frameworks despite widespread adoption. Among SMEs, the figure is even higher. Setting up an AI committee is not a luxury: it is an operational necessity.

What an AI committee does (and what it should never do)

The most common misconception is thinking that the AI committee designs models, programs algorithms, or executes projects. It doesn’t. The committee decides, arbitrates, and ensures traceability. It is the governance body, not the execution team.

What it DOES do

  • Prioritizes and approves use cases: Evaluates proposals based on value, feasibility, and risk criteria. Decides GO (move forward), FIX (adjust), or KILL (discard).
  • Assigns owners: Assigns a Product Owner and a Data Owner for each approved use case.
  • Controls quality and evidence: Reviews that each project has grounding, HITL (human-in-the-loop supervision), PII protection, and documented usage limits.
  • Manages the move to production: Verifies SLAs, incident runbooks, rollback capability, and robustness assessments before giving the GO at Gate 2.
  • Monitors operations: Monitors data drift, model degradation, incidents, and the actual adoption of the deployed tools.
  • Manages exceptions and Shadow AI: Applies the regularization or discontinuation protocol, and manages urgent requests outside the normal cycle.
  • Oversees external providers: Requires due diligence (factsheet, DPA, reversibility clauses) before approving any AI provider.

What it should NOT do

  • Design AI models or write code.
  • Execute projects or manage sprints.
  • Replace the technical team in architecture decisions.
  • Become a bureaucratic approval committee that slows everything down.
Golden rule: If the committee takes more than two weeks to approve a proposal, something is wrong with the process. Governance should be an accelerator, not a brake.

Minimum viable composition: who should be on the committee

You don’t need to hire anyone new. The committee is formed with people who are already in your company by assigning clear roles. For an SME or mid-sized company, the minimum viable committee has four to six people:
  1. Executive sponsor (CEO / Managing Director): Defines the business objectives, unlocks resources, and approves the use case portfolio. This person is accountable to the board or partners. In the committee, they have the final say on investment and risk decisions.
  2. Head of AI Transformation (COO / Operations or Technology Director): Leads the operating model. Standardizes templates, coordinates initiatives, and is responsible for identifying quick wins. This person is the driving force of the committee.
  3. Data owner (Data Owner / Senior Analyst): Ensures the quality, controlled access, and sustainability of datasets. Evaluates whether the available data is sufficient for each use case.
  4. Legal / Compliance: Guarantees the legal bases, the DPIA-lite, transparency, and usage limits. This does not have to be an internal role: it can be an external advisor who participates in key meetings.
  5. Business representative (Marketing, Sales, or Operations): Provides the perspective of the end user and the customer. Validates that the use cases solve real problems and measures adoption.
  6. IT / Security (optional but recommended): Evaluates technical feasibility, integration with existing systems, and security requirements.
In companies with fewer than 30 people, the same person can cover two roles (for example, the COO can also be the Head of AI Transformation). What matters is that each function is covered, not that there is one person per role.
Recommended frequency: Monthly 90-minute meeting with a fixed agenda: portfolio review, Gate status, new proposals, and exception resolution. For urgent matters, an agile channel (Slack, Teams) with a response within 48 hours.

The gate system: the committee’s common language

Gates are the control points that structure the life cycle of any AI project. They are the mechanism that prevents endless pilots and decisions without evidence. Each Gate requires minimum artifacts (documents, metrics, evaluations) and ends with a clear decision.

Gate 0: Ideation

This is the entry point. Before investing a single euro or a single hour, the team presents:
  • Use case sheet with a measurable value hypothesis.
  • Initial risk assessment and classification (minimal, limited, or high according to the AI Act).
  • Minimum available data and gap analysis.
  • Identified sponsor.
Decision: GO (move forward to the pilot) | FIX (adjust the proposal) | KILL (discard and document why).

Gate 1: Pilot with real data

The team has built an MVP and tested it with real users. It presents:
  • DPIA-lite (pilot-version data protection impact assessment).
  • FRIA (fundamental rights impact assessment), if applicable.
  • Grounding controls and model versioning.
  • Quality metrics against the original hypothesis.
  • Factsheet / Model Card of the model used.
Decision: GO (scale to production) | FIX (iterate the pilot) | KILL (withdraw with documented learnings).

Gate 2: Production and scaling

The model is ready to operate in production. The following is required:
  • Complete technical file (mandatory for high-risk systems under the AI Act).
  • Incident runbook with escalation protocol.
  • Verified rollback / Kill Switch test (MTTR < 15 minutes).
  • Operational SLAs and continuous monitoring plan.
  • Training and change management plan.
Decision: GO (operate with HITL and continuous improvement) | FIX (correct before scaling) | KILL (withdraw the model).

“Gates and evidence are the common language of AI governance. Without them, there is no traceability, no possible audit, and no regulatory compliance.”

The traffic light system: how to make quick decisions

Once a model is in production, the committee cannot review every decision manually. That is the job of the traffic light system, which automates the decision logic:
  • Green (GO): All KPIs within limits. Normal operation. The committee only receives a monthly report.
  • Amber (FIX/HOLD): Soft threshold exceeded. Moderate deviation. Action is required from the Product Owner and the technical lead. The committee is informed and may intervene.
  • Red (STOP): Hard threshold exceeded. Serious risk. Immediate shutdown, rollback, or Kill Switch activation. The committee intervenes directly.
This system allows management to intervene only when there is real risk, without becoming an operational bottleneck.

Lite AI Policy: the document that supports everything

The committee needs a written reference framework: the Lite AI Policy. It is not a 200-page manual. It is a clear and brief document that sets out:
  • What can be done with AI and under what conditions.
  • Who decides in case of uncertainty.
  • What evidence is required at each Gate.
  • The five operating principles: risk proportionality, single accountability and traceability, source grounding, continuous observability, and reversibility (Kill Switch).
  • Approved AI tools and data that must never be shared.
  • Shadow AI regularization protocol.
The policy should fit on two pages and be understandable to any employee. If you need more than ten minutes to explain it, it is too complex.

The seven most common mistakes when setting up an AI committee

  1. Creating a committee without an executive sponsor. Without someone with decision-making power and budget, the committee becomes a discussion forum with no ability to act.
  2. Overloading the committee with too many members. More than eight people and meetings turn into assemblies. Four to six is the optimal number for making quick decisions.
  3. Not defining what counts as an “AI system.” If you don’t clarify what falls under the committee’s scope (chatbots, automations, predictive models, AI-powered extensions), you will have governance gaps.
  4. Meeting without an agenda or artifacts. Every meeting should have a fixed agenda, and every proposal should arrive with its completed use case sheet. Without artifacts, there is no decision.
  5. Approving everything without risk criteria. A committee that says GO to everything is just as useless as one that blocks everything. The AI Act’s risk criteria (minimal, limited, high) provide the necessary structure.
  6. Ignoring change management. Approving a project does not mean it will be adopted. Without training, procedures, and usage metrics (TAF > 30% in four weeks), the technology is deployed but no one uses it.
  7. Not measuring the impact of the committee itself. The committee must be accountable: number of use cases evaluated, average approval time, cases in production, incidents managed, and value generated by the portfolio.

Template to start tomorrow: your first AI committee in five steps

  1. Day 1: Define the charter. A one-page document with the committee’s mission, who the members are, meeting frequency, and scope (what is considered an “AI system” in your company).
  2. Day 2–3: Draft the Lite AI Policy. Two pages with the five principles, the approved tools, prohibited data, and the Shadow AI protocol.
  3. Day 4–5: Prepare the use case sheets. Create the standard template for proposing a use case (value hypothesis, minimum data, risk, sponsor). Distribute it to the teams.
  4. Day 7: First committee meeting. Review the current AI inventory (including detected Shadow AI). Prioritize the first two or three use cases with the Impact-Effort matrix. Decide GO, FIX, or KILL for each one.
  5. Day 30: First review. Evaluate the progress of the approved use cases. Review the metrics. Adjust the policy if necessary. Repeat the cycle.
Practical tip: Start by publishing the Gates document internally (who approves which AI projects). That artifact alone already accelerates adoption and provides clarity to the entire organization.

The conclusion: governing AI does not mean slowing it down, it means scaling it

The AI Steering Committee is not an obstacle to innovation. It is exactly the opposite: it is the mechanism that enables fast, safe, and evidence-based innovation. It turns ethical and regulatory principles into traceable operational decisions. You don’t need a new department. You don’t need a million-euro budget. You need four to six committed people, a Gate system, a Lite AI Policy, and the discipline to meet once a month with artifacts on the table. The companies that win in the age of AI will not be the ones that adopt the most tools, but the ones that govern their decisions better.

Do you want to set up your AI committee but don’t know where to start? At Impulsa3, we support you in designing the AI Steering Committee, the policy, and the Gate system tailored to your company.
