Risques IA pour les PME : un registre pratique

Ce qu'elle couvre

Cet atelier d'une journée guide les fondateurs et responsables opérationnels à travers les 15 risques IA les plus courants dans les PME — fuites de données, hallucinations, shadow AI, dépendance fournisseur, etc. Chaque risque est associé à un propriétaire, des mesures d'atténuation proportionnées et une cadence de révision légère. Le format est résolument pratique : chaque équipe repart avec un registre des risques renseigné et prêt à l'emploi.

À l'issue, vous saurez

• Identify and rank the top 15 AI risks most likely to affect your specific SME context
• Assign a named owner and at least one concrete mitigation to each risk in your register
• Define a realistic review schedule (quarterly cadence or trigger-based) for your risk register
• Apply a vendor due diligence checklist before onboarding a new AI tool or SaaS provider
• Detect and document shadow AI usage within your team using a structured discovery process

Sujets abordés

• Top 15 SME-specific AI risks (data leakage, hallucination, vendor lock-in, shadow AI, bias, IP exposure, third-party dependency, model drift, consent failures, over-reliance, cost overruns, auditability, staff misuse, regulatory exposure, reputational risk)
• Risk ownership assignment and RACI mapping for small teams
• Proportionate mitigations: controls that fit SME budgets and headcount
• Shadow AI identification: spotting unsanctioned tool usage
• Vendor due diligence checklist for AI SaaS procurement
• Review cadence design: quarterly vs. event-triggered reassessment
• GDPR and data-handling obligations relevant to AI use in SMEs
• Populating and maintaining a living risk register

Modalité

Delivered in-person or live-online (half-day sessions can be split into two 3-hour blocks for remote cohorts). Participants receive a pre-filled risk register template (Google Sheets / Excel), a vendor checklist, and a one-page shadow AI audit guide. Approximately 60% of the session is hands-on working time on participants' own context; 40% is facilitated instruction and group discussion. A 30-day async follow-up check-in via email or Slack is recommended to review completed registers.

Ce qui fait que ça marche

• Nominating a single named 'risk register keeper' before the workshop ends, with a calendar invite for the first review
• Starting from the pre-filled template rather than a blank sheet — momentum from partial completion drives follow-through
• Linking each risk to a real recent incident or near-miss from the team's own experience to make ownership feel concrete
• Integrating the vendor checklist into the procurement sign-off process so it becomes a default gate, not an optional step

Erreurs fréquentes

• Treating AI risk as an IT-only concern rather than a whole-business responsibility, leaving founders disengaged from the register
• Copying enterprise risk frameworks verbatim — the controls are disproportionate and the register is abandoned within weeks
• Ignoring shadow AI: employees using personal ChatGPT or other tools with company data is often the highest actual risk and the least visible
• Setting a review cadence without nominating a specific owner, so the register is never updated after the first session

Fournisseurs à considérer

• Wavestonewww.wavestone.com →
• Inria Academylearninglab.inria.fr →
• DataScientestdatascientest.com →
• Digital Greenhouse (Guernsey / UK SME focus)www.digitalgreenhouse.gg →

Sources

• ENISA AI Threat Landscape Report →
• NIST AI Risk Management Framework (AI RMF 1.0) →