Artificial intelligence now reaches deeply into everyday operations of European small and medium sized enterprises, yet most of these firms still operate without formal governance structures. The absence of clear oversight exposes them to legal, ethical, and reputational risk. During the past four years the share of companies with fewer than 250 employees experimenting with AI doubled, according to Eurostat [ 1 ], while the European Union adopted Regulation (EU) 2024/1689, the “Artificial Intelligence Act” (AIA), which places high-risk systems such as credit-scoring engines, résumé screeners, and medical-triage tools under demanding rules covering risk management, data quality, technical documentation, human oversight, transparency, robustness, cybersecurity, and post-market monitoring [ 2 ]. The regulation promises simplified forms, fee reductions, and sandbox access for smaller businesses, but the Commission’s impact assessment estimates that a 50-person enterprise would incur approximately EUR 216 000–319 000 in first-year compliance costs for a single AI system [ 3 ]. For resource-constrained teams these figures represent an existential barrier.

Voluntary standards have emerged in parallel. ISO/IEC 42001 sets out a Plan–Do–Check–Act management system that presumes enterprise-level resources [ 4 ], while the NIST AI Risk Management Framework (AI RMF) encourages an iterative Govern–Map–Measure–Manage cycle and likewise assumes dedicated compliance staf [ 5 ]. Transparency artefacts such as Model Cards [ 6 ] and Datasheets [ 7 ] enhance documentation yet address only part of the legal obligations and require multidisciplinary expertise. Consequently, SMEs confront a patchwork of ambitious frameworks without a practical roadmap, and the gap between guidance and daily engineering practice continues to widen. While some web-based compliance tools exist, they yield static reports external to development workflows and therefore ofer limited help to fast-paced SME teams.

In response, we present the Lightweight AI Governance framework, an approach tailored to Gitcentred development teams that converts every clause of Annex IV into modular checklists, Markdown templates, and automated gap analysis scripts. The framework builds on lessons from agile software engineering and aligns compliance checkpoints with familiar commit and review rituals. By grounding governance in existing developer workflows, we aim to minimise friction while maximising traceability. Our study therefore investigates whether the Act’s obligations can be divided into tasks suited to limited resources, which parts of ISO/IEC 42001 and the NIST framework remain essential, how governance artefacts can coexist with source code in the same repository and continuous integration pipeline, and whether the resulting workflow can reduce compliance overhead while preserving auditability and the core principles of trustworthy AI. Unlike standalone checklist tools, LAIG integrates compliance steps directly into DevOps practices and automates verification, which we hypothesise can reduce overhead without compromising rigour.

Scholars and standard setters agree that trustworthy AI demands both technical safeguards and organisational controls, yet their guidance difers in level of detail, which complicates implementation for smaller ifrms. The European AI Act is the most comprehensive legal instrument to date. Chapter III mandates risk management, data governance, documentation, transparency, accuracy, robustness, cybersecurity, and human oversight for every high-risk system, while Annex IV lists the technical documentation required to demonstrate conformity [ 2 ]. Voluntary frameworks follow a similar direction. The NIST AI RMF maps trustworthy AI across four lifecycle functions—Govern, Map, Measure, and Manage [ 5 ]. ISO/IEC 42001 supplies a certifiable management system that embeds ethics, risk assessment, and continuous improvement through the Plan–Do–Check–Act cycle [ 4 ]. These eforts are supported by transparency artefacts including Model Cards that summarise intended use, datasets, metrics, and limitations [ 6 ], Datasheets that document data provenance and quality [ 7 ], and AI FactSheets that adopt a supplier’s declaration approach [ 8 ]. A growing set of national and international policy initiatives is tracked by the OECD.AI Policy Observatory [ 9 ]. With respect to cybersecurity assurance, the EU adopted the EUCC certification scheme in January 2024 [ 10 ]. Regulatory approaches draw on these artefacts, although their production requires time and multidisciplinary expertise that typical SMEs do not possess [ 11 ].

Focused research on SME governance remains scarce. Analyses warn that the Act’s proportionality measures may prove illusory without practical templates, shared tools, and subsidised audits [ 3 ]. Legal analyses clarify the structure and implications of the Act for SMEs, yet practical, publicly documented workflows remain limited [ 12 ]. Moreover, surveys confirm that small firms see standards as valuable yet overwhelming and therefore postpone governance until late in development when changes cost more [ 11 ]. Recent studies on DevOps pipelines demonstrate that embedding risk management directly into CI/CD loops improves defect detection, reduces incident response times, and ensures continuous evidence generation [ 13 ]. Similarly, AI-driven test case optimisation integrated into CI/CD reduces redundant testing and accelerates compliance-relevant validation cycles [ 14 ]. No open workflow translates Annex IV obligations and leading standards into proportional, low-overhead practices suitable for lean engineering teams. LAIG stores governance artefacts in the same repository as the code and enforces coverage through continuous integration, avoiding separate platforms. The framework therefore aims to close this gap by coupling modular documentation templates with risk-tiered governance steps that integrate naturally into DevOps pipelines and deliver trustworthy AI without enterprise-level bureaucracy.

The LAIG framework rests on two intertwined investigations. A clause-by-clause reading of the Artificial Intelligence Act supplied an exhaustive inventory of legal obligations, while a matching exercise linked each obligation with the management functions defined in ISO/IEC 42001 and the NIST AI RMF [ 2, 4, 5 ]. Complementing this top-down study, we conducted semi-structured interviews with five Polish startups, each employing between ten and sixty staf. The interviews followed a short protocol with informed consent and anonymisation, and the transcripts were analysed using template-based coding. Together these strands revealed both what SMEs must do and what they can realistically sustain, and produced a practical mapping table that guided the artefacts and checks implemented in LAIG within developer workflows.

FinPay is a hypothetical fintech based in Warsaw that employs forty people and provides AI-driven credit scoring services. As creditworthiness assessment falls within Annex III of the AI Act as a high-risk use, FinPay must demonstrate comprehensive risk management, maintain technical documentation, ensure human oversight, transparency, robustness, and cybersecurity, and implement post-market monitoring. Before adopting LAIG, compliance evidence was scattered across unversioned documents and ad hoc spreadsheets, hindering audit readiness, obscuring accountability, and undermining traceability. Adoption proceeded in three compact sprints that embedded governance in everyday engineering. First, the team created a dedicated governance repository, assigned named responsibility for each relevant legal clause, and completed an intake questionnaire capturing purpose, stakeholders, data lineage, model family, oversight thresholds, and the intended deployment path. A machine-readable clause map linked Annex IV requirements to specific document headings and checkboxes, ensuring that each item was either completed or explicitly marked as not applicable with justification. Next, developers and data scientists drafted seven Markdown sections mirroring Annex IV using language model assistance for first drafts with explicit verification markers, while legal and risk specialists resolved markers, corrected figures, validated links, and tightened claims. In parallel, the modelling team addressed dataset imbalance with balanced resampling and recorded the rationale for calibration and fairness thresholds alongside the data governance narrative. Finally, engineers implemented continuous integration that automatically renders the repository into a technical file with each change and enforces two release gates: full clause coverage with no unresolved verification markers, and a signed governance commit referenced by the product build. If either gate fails, the release is blocked and a remediation ticket is generated. The first end-to-end execution of this workflow produced a seventeen-page technical file, ready for engagement with a regulatory sandbox and for supporting early dialogue with assessors. Developers reported that handling governance artefacts through pull requests felt natural, while managers valued the living audit trail in Git and the clear line from requirement to mitigation. Although formal time and cost measurements are forthcoming, the team reports higher confidence and improved readiness for its first conformity assessment under the AIA.

The LAIG framework gives small enterprises a practical route to trustworthy AI by folding risk checks, human oversight, and continuous monitoring into the Git-based routines developers already follow. This arrangement addresses Annex IV documentation duties and supports the operationalisation of key Chapter III obligations within development workflows, while creating a minimum viable Plan–Do– Check–Act loop that aligns with the Govern and Manage functions of the NIST AI RMF. By slicing Annex IV into bite-sized tasks, the method lets teams focus on the highest risks first, a need often voiced in founder interviews. Governance files sit beside source code so engineers can move from feature branch to compliance update without changing context, and each commit records a searchable audit trail that managers and examiners value. Automated gap tests flag missing clauses the moment a pull request appears, and language models generate draft text that experts refine, a pairing that speeds writing yet keeps the final judgement human.

These gains come with caveats. The simplified nature of the framework, which is its main advantage for SMEs, simultaneously creates risks that must be managed. LAIG in its basic form is best suited for low- and moderate-risk systems. For AI systems classified as high-risk under the AI Act, such as tools for credit scoring or recruitment screening, a simplified governance approach alone may prove insuficient. SMEs implementing such systems will need to invest in more rigorous control, risk management, and post-market monitoring mechanisms in line with the strict requirements of the regulation. In this context, LAIG should be interpreted as a transitional instrument of proportional governance. Its role is not to replace comprehensive conformity assessment procedures prescribed for high-risk AI systems, but rather to enable SMEs to initiate systematic preparation of Annex IV documentation within their existing development workflows. The artefacts created in this process—Git-based audit trails, clause-referenced checklists, and modular records—constitute a preparatory layer of evidence that can be expanded into the full compliance structures required under ISO/IEC 42001 or NIST-aligned frameworks and presented to notified bodies during formal assessments.

A lightweight approach omits some formalities, which can lead to overlooking hidden issues such as undiscovered bias in training data or security vulnerabilities [ 15 ]. Although LAIG promotes bias mitigation through balanced resampling, its efectiveness depends on team diligence. There is also a risk that automated templates and checklists will be treated as a formality rather than an opportunity for critical risk assessment. The framework therefore depends on an organisational culture that supports critical evaluation of model outputs and continuous interrogation of compliance artefacts [ 11, 16 ]. By embedding governance routines directly into software engineering processes rather than relegating them to a separate compliance silo, LAIG fosters incremental institutional capacity-building. This incrementalism is consistent with the proportionality principle embedded in the AI Act and ensures that organisations can scale governance maturity progressively without disruptive restructuring when high-risk classification applies.

Using language models to assist with documentation speeds drafting but introduces concerns about data confidentiality and the accuracy of generated content. Although the framework requires human verification, the risk associated with sending sensitive information to external service providers remains significant. The FinPay case remains illustrative rather than empirical, hardware-rich products will require extra safety documentation, and sector-specific laws may layer additional duties on top of the AI Act. Future pilot deployments are expected to yield empirical data on time and cost eficiency, while the development of open-source tools for automated clause verification and dossier generation, combined with cooperation with notified bodies, may support the emergence of a “light audit track” in which the repository itself serves as primary evidence [ 15 ]. Accordingly, LAIG should be regarded not as a substitute for the comprehensive compliance architecture required under European Union law, but as an instrument of progressive compliance that operationalises the transition from minimum viable governance to the full spectrum of obligations triggered by deployment of high-risk systems.

The European AI Act asks SMEs to deliver governance that rivals large corporations even though their budgets are far smaller. The LAIG framework responds by turning every Annex IV duty, along with the intent of ISO/IEC 42001 and the NIST AI RMF, into modular routines that fit naturally within existing engineering practice. Documentation resides alongside source code in a version-controlled repository, and every change generates verifiable evidence that can be independently reviewed. Clause coverage is enforced through structured checklists and machine-readable mappings, ensuring that each requirement is either fulfilled or explicitly marked as not applicable with justification. Automated CI/CD gates prevent releases in which required artefacts or reviews are incomplete. Optional language model assistance accelerates drafting but human approval remains decisive, which preserves accountability and limits the risk of error. Teams define acceptance thresholds for accuracy, calibration, and fairness in line with the system’s risk profile and track them across releases. In this way LAIG establishes a disciplined cycle of planning, doing, checking, and improving that protects developer velocity while creating a durable audit trail.

Next steps are empirical and collaborative. Planned pilots in finance and health analytics will measure documentation efort, auditor revision cycles, developer usability, and outcome quality including calibration and fairness. Findings will feed improvements to templates, coverage checks, and acceptance criteria and will inform engagement with regulators and notified bodies toward a credible light audit path in which a well-maintained repository can serve as primary evidence of compliance. If the expected gains are confirmed, LAIG will lower the organisational and financial threshold for trustworthy AI and help European SMEs sustain innovation while meeting both the letter and the spirit of the Act.

During the preparation of this work, the authors used ChatGPT to generate Figures 1 and 2. After using this tool, the authors reviewed and edited the content as needed and take full responsibility for the publication’s content.