What Does an AI Risk Assessment Actually Cover?
The term is broad. In practice, a proportionate AI risk assessment for a UK SME covers four areas, in order.
Inventory: what AI are you using?
A complete list of every AI tool and system in use across the business: the sanctioned ones on your IT stack and the unsanctioned ones staff have brought in themselves. Most organisations discover the list is longer than they expected. You cannot assess risk you cannot see.
Risk classification: what harm could it cause?
Each AI system is classified by its potential for harm: to individuals (discrimination, privacy breach, safety), to the business (inaccurate output relied on in decisions, data leakage), and to third parties. The classification drives what controls are proportionate. A chatbot answering FAQ carries different risk to an AI that shortlists job applications.
Gap analysis: which rules apply and where do you fall short?
Mapping the inventory and risk classifications against the legal and regulatory obligations that actually bind your business: UK GDPR, the Data (Use and Access) Act 2025, the Equality Act 2010, and any sector-specific rules. The gap analysis shows you where you are exposed and by how much.
Action plan: what do you do about it?
A prioritised list of what to fix, in what order, with effort estimates. Not everything needs fixing at once: a good risk assessment tells you what the high-priority items are, what is lower risk, and what is best practice rather than a legal requirement.
The frameworks we work to: ISO/IEC 42001 (the AI management system standard), the NIST AI Risk Management Framework, and ICO guidance on AI and data protection. Our assessments cover all ten governance dimensions: accountability, fairness, transparency, human oversight, data governance, privacy, security, safety and robustness, third-party communication, and continual improvement.
The Rules That Already Apply to UK SMEs Using AI
There is no single "AI law" in the UK. What exists is a set of obligations under legislation already in force. Understanding which ones apply to your specific use of AI is a core part of any risk assessment.
Data protection and AI
If your AI processes personal data, UK GDPR applies. High-risk processing (profiling, automated decision-making, large-scale processing of sensitive data) requires a Data Protection Impact Assessment. A DPIA is effectively a risk assessment: identifying risks to individuals and demonstrating how they are managed.
Automated decisions about people
The reformed Article 22 rules under the Data (Use and Access) Act 2025 govern significantly automated decisions that have legal or similarly significant effects on individuals: hiring, credit, insurance, tenancy assessments. If your AI contributes to those decisions, you need documented safeguards and a human review route.
Discrimination liability
The Equality Act applies to the outcome of decisions, not just the process. If your AI produces a biased result that discriminates against someone with a protected characteristic, the exposure is yours regardless of whether a person made the final call. A risk assessment includes checking for bias in how AI-driven decisions are made.
Regulated sectors have additional duties
Businesses in financial services, healthcare, legal services and other regulated sectors face additional AI-related obligations from sector regulators: the FCA, CQC, and SRA all have existing expectations that extend to AI use. A risk assessment must account for the regulatory context of your specific industry, not just the cross-sector baseline.
For a full picture of which rules apply to your business, see our AI compliance consulting page, or start with the AI policy starter checklist.
How to Run an AI Risk Assessment as a Small Business
You do not need a dedicated compliance team or a large budget. A proportionate assessment follows a clear sequence.
List every AI tool in use.
Talk to each team. Ask what tools they use daily, not just what is on your approved list. Include AI features embedded in platforms you already pay for (Microsoft Copilot, Salesforce Einstein, HR platforms with automated scoring).
For each tool: what does it do and what data does it touch?
Document the purpose of each system, who uses it, what decisions it informs or makes, and what personal or confidential data it processes. This is the foundation of both the risk classification and any DPIA you need to write.
Classify each by risk level.
Use a simple three-tier classification: high risk (affects people in significant ways, processes sensitive data), medium risk (supports decisions, uses personal data), lower risk (internal tools, no personal data, human always in the loop). High-risk systems need more rigorous controls and documentation.
Check which legal duties apply.
Cross-reference your inventory and classifications against UK GDPR (is a DPIA required?), the Data (Use and Access) Act 2025 (are you making significantly automated decisions about people?), and the Equality Act (could any AI output be discriminatory?). Sector-specific duties layer on top of these.
Build a prioritised action plan.
List what needs fixing, in what order. High-risk systems with clear legal duties come first. Assign ownership. Set realistic timelines. The plan does not need to be finished on day one: it is a living document that improves as your governance matures.
Document and review regularly.
Write it down. A risk assessment is only useful as evidence if it is recorded. Review it when you adopt a new AI tool, when a tool changes significantly, or at least annually. The ICO and sector regulators expect documented evidence of your approach, not just good intentions.
How Nimble AI Runs the Assessment for You
If you want an independent, structured assessment rather than a self-service exercise, the AI Governance Health Check is the right service. It is designed for exactly this purpose.
The Health Check is an evidence-based assessment of how your organisation actually uses AI, measured against its policies, obligations and controls. It runs over one to two weeks and is scoped to your size and sector after a short introductory call.
We cover all ten governance dimensions: accountability, fairness, transparency, human oversight, data governance, privacy, security, safety and robustness, third-party management, and continual improvement. Each is scored against real evidence gathered from your systems, your documentation and your team.
You receive a maturity heatmap showing where you stand across each dimension, a prioritised action plan with effort estimates for each item, and an executive summary you can present to a board, an insurer, or an enterprise customer that asks for evidence of your AI governance posture. It is a documented starting point: one you can build from as your use of AI grows.
See the full services page for the complete service ladder, from the free Scorecard through to ISO/IEC 42001 certification readiness.
Every service is fixed-price and time-bound. No open-ended day rates, no scope creep by invoice.
We assess against real evidence: your documentation, your systems, and conversations with your team. Not a self-assessment questionnaire.
The scope is calibrated to your business. A ten-person professional services firm needs something different from a 200-person manufacturer. We design for your situation.
The executive summary is written so a board, an insurer or an enterprise buyer can read it and understand your governance position without a glossary.
What Comes After the Risk Assessment
A risk assessment tells you where you stand. The services below are where you act on what it finds.
AI Use Policy Pack
If the risk assessment surfaces a policy gap, the AI Use Policy Pack closes it: a tailored acceptable-use policy in plain English, a one-page staff quick-reference, and a focused risk note. Fixed price, approximately one week, includes a handover call.
See the AI Use Policy Pack →ISO 42001-Aligned Governance Framework
If the risk assessment shows you need a full governance infrastructure, this service builds it: AI systems register, decision audit trail design, human oversight controls, staff AI literacy materials, and a board-ready governance policy aligned to ISO/IEC 42001.
View on the Services page →Shadow AI Visibility
If the inventory step uncovers a long tail of unsanctioned tools, our shadow AI service addresses the visibility problem: discovering what your team is actually using, sanctioning the right tools, and providing training so people use them safely.
Read about Shadow AI →Frequently Asked Questions
What is an AI risk assessment for a small business?
An AI risk assessment for a small business is a structured review of the AI tools and systems your business uses, the risks they create, and the controls you need in place to manage those risks. In practice it means identifying every AI system in use, classifying each one by the harm it could cause, mapping the data it touches, and deciding what oversight, documentation and policy you need around it. It does not need to be a lengthy exercise: a proportionate assessment for most SMEs takes days, not months.
Does my small business legally need an AI risk assessment in the UK?
There is no single UK law that requires a standalone "AI risk assessment" by name. However, several existing legal duties can require you to do the equivalent. UK GDPR requires a Data Protection Impact Assessment (DPIA) for any AI processing that is likely to result in high risk to individuals. The reformed Article 22 rules under the Data (Use and Access) Act 2025 impose safeguard obligations on significantly automated decisions that affect people. The Equality Act 2010 creates liability where AI produces discriminatory outcomes. Running a risk assessment is how you demonstrate compliance with those duties.
What does an AI risk assessment cover?
A thorough AI risk assessment covers four things: an inventory of your AI systems (what tools are in use, for what purpose, and owned by whom); a risk classification for each system (what harm could it cause, who could be affected, and how likely is it); a gap analysis against the rules that apply to you (UK GDPR, DUA Act 2025, sector-specific obligations); and a prioritised action plan. For businesses using AI in hiring, pricing, credit, healthcare or customer-facing decisions, the assessment also examines the human oversight and audit trail requirements.
How long does an AI risk assessment take for an SME?
For most SMEs a structured assessment runs over one to two weeks from engagement, depending on the number of AI tools in use and the complexity of the decisions they support. Nimble AI's AI Governance Health Check is designed around this scope: it covers all ten governance dimensions, produces a maturity heatmap and a prioritised action plan, and delivers a board-ready summary. If you are not yet sure what you need, the free ten-minute AI Readiness Scorecard is the right place to start.
Can Nimble AI run the risk assessment for us?
Yes. The AI Governance Health Check is a structured, evidence-based assessment of how your organisation actually uses AI, measured against the obligations and controls that apply to you. It runs over one to two weeks and produces a maturity heatmap across ten governance dimensions, a prioritised action plan, and an executive summary you can present to a board, regulator or enterprise customer. It is fixed-price, scoped after a short call, and available to businesses across all UK sectors and sizes. Start with the free Scorecard or book a free consultation to discuss the right entry point.