AI in Production: A 12-Point Readiness Checklist for European SMEs
Before AI goes live in your operations, run this 12-point checklist. Covers GDPR, EU AI Act, cost controls, and incident response for European SMEs.
TL;DR: Before AI goes live in your operations, run this 12-point checklist. Covers GDPR, EU AI Act, cost controls, and incident response for European SMEs.
There is a gap between "we use AI tools" and "AI is running in production." Many 15-50 person European companies are somewhere in the middle: staff have adopted tools like ChatGPT, Copilot, or Claude for daily work, a few API integrations are live, and the leadership team has signed off on expanding use. What is often missing is a structured check of whether the foundations are in place before those tools take on more critical functions. This matters because the failure modes in production are different from the failure modes in experimentation. A missed GDPR obligation, an unmonitored API cost spike, or a wrong AI output in a financial report all carry real consequences. This checklist covers 12 areas an operations leader, CTO, or IT manager should verify before treating AI as a production dependency.
Section 1: Data and Privacy
1. Data privacy audit: what data goes into each AI tool?
For every AI tool your team uses, document what categories of data are being sent to it. This includes prompts that contain customer names, employee data, financial figures, or health information. Under GDPR, sending personal data to a third-party AI provider makes that provider a data processor. You need a signed data processing agreement (DPA) with each vendor before personal data enters their systems. Check that each tool has a DPA in place and that your internal use policy matches what the DPA permits. If any tool lacks a DPA or your team is sending data beyond what the DPA covers, that is a blocking issue, not a note for later.
2. Access controls: who can use which tool, and what can they do with it?
Default to role-based access. Not everyone in a 30-person company needs access to the same AI tools with the same permission levels. A customer service agent using a chatbot assistant does not need API keys or the ability to configure system prompts. Define which roles get access to which tools, and configure access accordingly. For API-based tools, ensure keys are scoped to the minimum necessary permissions.
Section 2: Output Quality and Human Oversight
3. Output review process: is there a human in the loop for high-stakes outputs?
AI tools produce plausible-sounding text. They also make mistakes that are not obvious without domain knowledge. For outputs that carry legal, financial, or reputational weight (contract drafts, financial summaries, compliance reports, customer-facing communications), a documented human review step is not optional. Define which output categories require review, who is responsible, and what the review consists of. "Someone looks at it" is not a process; "the relevant department head signs off before it is sent" is.
4. Incident response: what happens when an AI tool is unavailable or produces wrong output?
Two failure modes need a plan. First: the tool goes down. If your customer support, internal knowledge base, or core workflow depends on an AI tool and that tool is unavailable, what is the manual fallback? Second: the tool produces a wrong output that gets acted on. How do you detect it, contain it, and communicate it? Write these scenarios down. A one-page incident response document is sufficient; the goal is that your team knows what to do without improvising under pressure.
5. Vendor SLA review: what uptime does your AI vendor actually guarantee?
Most consumer-grade AI tools do not come with a guaranteed SLA. Enterprise API plans often include uptime commitments, priority support, and incident communication channels. Before you route a business-critical process through an AI vendor, check whether your contract includes any uptime guarantee and what the remediation process is if they miss it. If you are on a free or standard consumer plan, the answer is usually "no guarantee" and you should design accordingly.
Section 3: Cost and Security Controls
6. Cost monitoring: is usage tracked per tool with budget alerts?
AI API costs scale with usage in ways that can surprise a team that has not set up monitoring. A single misconfigured prompt loop can generate thousands of requests and a significant bill before anyone notices. Set up budget alerts at both the team and project level. Most major providers (OpenAI, Anthropic, Azure OpenAI) support billing alerts via their dashboards or APIs. Assign a named owner for reviewing AI costs monthly.
7. API key rotation: is secrets management in place?
API keys should not live in code repositories, shared documents, or email threads. Use a secrets manager: 1Password, Doppler, AWS Secrets Manager, or equivalent. Keys should be rotated on a defined schedule and immediately rotated if there is any possibility of exposure. Define what "possible exposure" means for your team: a key checked into git, a key sent in Slack, a key on a laptop that was lost. Each of those is a rotation trigger.
8. Model version pinning: are you accepting automatic updates?
AI model providers update models without always preserving exact output behaviour. If your integration pins to a specific model version (e.g. claude-sonnet-3-5 rather than claude-sonnet-latest), you control when changes enter your production path and can test before adopting. If you accept automatic updates, a provider-side model change can alter outputs in your production workflow without any change on your side. For any workflow where output consistency matters, pin the version.
Section 4: Engineering Practices
9. Prompt versioning: are prompts version-controlled alongside code?
Prompts are logic. Changing a system prompt changes the behaviour of your AI integration, sometimes significantly. Prompts should be stored in version control alongside the code that uses them, not in a spreadsheet, a Notion page, or a developer's local file. When a prompt changes, the change should be reviewed, tested, and deployed the same way a code change is. This is not bureaucracy; it is the minimum needed to understand why your AI integration behaves differently from one week to the next.
10. Employee training records: is there documentation that staff know the tool's limitations?
AI tools have limitations that are not self-evident to new users. Staff who understand that AI outputs require verification, that the tool does not have access to real-time information by default, and that confidential data should not be pasted into consumer AI interfaces are meaningfully safer users than staff who do not. Document that training has happened. Under EU AI Act requirements that are increasingly relevant to business AI use, demonstrable training records matter. See EU AI Act Enforcement Q1 2026: SME Checklist for what is currently in scope.
Section 5: Governance and Review
11. EU AI Act classification: have you assessed whether your AI use is high-risk?
The EU AI Act creates obligations that scale with risk classification. Most internal productivity tools (writing assistance, meeting summaries, code generation) fall into the minimal-risk category. AI systems used in HR decisions, credit assessment, access to essential services, or safety-critical contexts may qualify as high-risk and trigger significant documentation and conformity obligations. If you have not assessed your AI use cases against the Act's risk categories, that assessment belongs on your roadmap. The AI Governance Framework for European SMEs covers how to structure this.
12. Quarterly review cadence: do you have a scheduled review of AI tool performance and costs?
Production AI use drifts. Costs change as usage grows. Models get updated. New tools appear that would serve a use case better than the current one. Compliance requirements evolve. A quarterly review that covers (a) cost per tool against budget, (b) any incidents or near-misses, (c) output quality spot-checks, and (d) any regulatory updates relevant to your AI use is the minimum governance structure for a company where AI has become a genuine operational dependency. Without a scheduled review, this work accumulates until a forcing event (an audit, a cost spike, a public mistake) makes it urgent.
Using This Checklist
Work through these 12 points with the person responsible for each area: your IT manager, your compliance lead, or yourself. Mark each item as complete, in progress, or not started. Anything marked "not started" that falls in Sections 1, 2, or 3 should be treated as a priority before expanding AI use further.
For teams working through a broader AI adoption programme, the First 90 Days AI Adoption Checklist for European SMEs provides a sequenced roadmap. For compliance monitoring specifically, see AI Compliance Monitoring Checklist for European SMEs.
FAQ
How long does this readiness check take to complete?
A team that has been using AI tools for several months typically completes the initial assessment in one to two working days. The time is split between documentation review (what do we actually have in place?), gap identification (what is missing?), and assigning owners for each gap. The checklist itself is a starting point; closing the gaps takes longer depending on what you find.
Do we need a lawyer to complete this checklist?
Not for most items. The data privacy audit (item 1) may benefit from legal input if your use cases are complex or if you handle special-category personal data. The EU AI Act classification (item 11) may also warrant legal review if you have use cases that could plausibly qualify as high-risk. For most 15-50 person companies running standard productivity and coding tools, the checklist is an internal operations exercise.
Is this checklist sufficient for ISO 27001 or SOC 2 purposes?
No. This checklist covers the minimum baseline for responsible AI production use. ISO 27001 and SOC 2 have broader scope and formal audit requirements. If your company is pursuing either certification, your AI governance practices will need to be embedded in your information security management system, which goes beyond what this checklist covers.
What is the most common gap you see in European SMEs?
Items 1 (data privacy audit), 3 (output review process), and 9 (prompt versioning) are consistently underdone. Most teams have thought about access controls and cost monitoring at some level. Fewer have a clear documented answer to "what personal data goes into which tool and is there a DPA?" or "what outputs require human sign-off before use?"
Further Reading
- EU AI Act Enforcement Q1 2026: SME Checklist
- AI Governance Framework for European SMEs 2026
- AI Compliance Monitoring Checklist for European SMEs
- First 90 Days AI Adoption Checklist for European SMEs
Want a structured review of your AI readiness posture? Book a session with a First AI Movers consultant to work through this checklist with your team.
