Family business and AI: three questions the chair should be able to answer in an hour

Spanish family businesses are tackling AI without the safety net of the compliance apparatus that listed companies have. These are the three questions I recommend the chair clarify before approving the next AI investment.

Topics: Family business, AI governance, Advisory board

The Spanish family business — which accounts for 88.8 % of the country's business fabric and 67.4 % of private employment, according to the Family Business Institute — is navigating the AI adoption curve with a feature it does not share with listed companies: it usually does so without the apparatus of compliance, risk and internal audit that a listed company has already used in past regulatory transitions.

This does not mean the family business does it worse. In many cases, it does it faster and with less theatre. But it does mean that ultimate responsibility, which in listed companies is diluted across committees, usually converges in the family business on one person: the chair, typically a family member, often the founder or a member of the second generation.

In the conversations I have with chairs of mid-market family businesses, I tend to reduce all the European regulatory complexity to three questions. If the chair can answer them with data in one hour, the organisation is where it needs to be. If not, there is preliminary work to do before the next investment decision.

Question 1: which AI systems does our organisation operate today?

Apparently simple, almost always poorly answered. The trap is that many executives define "AI system" as "the ChatGPT we are testing in marketing" and do not include:

  • The e-commerce recommendation engine
  • The payment provider's anti-fraud system
  • The credit scoring of consumer financing
  • Dynamic pricing models
  • HR selection tools
  • The defect detector on the production line
  • Customer service chatbots

These systems exist, they make decisions about customers and employees, and many fall under the high-risk classification of Annex III of the AI Act. Not knowing the inventory is the operational equivalent of not knowing which machines are on the factory floor.

The operational question: is there an up-to-date AI system registry, with risk classification and an assigned internal owner?

Question 2: who decides on behalf of the organisation when an AI system gets it wrong?

Imagine a scoring model rejects a credit transaction that turns out to be legitimate, and the customer complains in writing. Who reviews it? Who reverses it? With what audit trail? Who informs the customer?

Article 14 of the AI Act demands effective human oversight of high-risk systems. "Effective" is not "someone in the org chart"; it is someone who can intervene, reverse and leave a record. In the mid-market family business, this chain usually exists informally but is not documented — which renders it useless when a complaint or, worse, an inspection arrives.

The operational question: is there a written human-oversight protocol for each high-risk system, with an identified owner and a register of interventions?

Question 3: what happens to our data when it leaves the organisation?

Almost every modern AI system involves a third party. The model is hosted by AWS, Azure or Google; the capabilities come from OpenAI, Anthropic or Mistral; the HR SaaS has models behind it. The organisation remains responsible for the data it sends, even when a third party processes it.

The three concrete questions here are:

  • Do we know which personal or business data are flowing to which providers?
  • Do we have contracts that restrict their use for model training?
  • In which jurisdiction is the data processed? (Important for data sovereignty and for upcoming CJEU rulings)

The family business tends to trust its long-standing providers. That is reasonable and is part of its strength. But long-standing providers are embedding AI into their products without the customer noticing; the contract looks the same, but the processing chain has changed. That renegotiation is new work.

The operational question: have we mapped the providers processing data through AI systems and the applicable contractual terms?

What an external director contributes in this context

It is not about bringing in a complex methodology or an 80-KPI dashboard. It is about bringing language and discipline to a topic that the executive team knows is outstanding but cannot quite tackle.

An advisory director with a technology focus brings three concrete things to a family business:

  1. Common vocabulary among the family, management and providers: the conversation stops being ambiguous.
  2. Realistic calendar of regulatory and operational milestones, aligned with the organisation's actual capacity.
  3. Documented decisions: what is approved, why, and what is expected. Valuable in its own right, and critical when a generational transition or a corporate transaction arrives.

The Spanish family business has an advantage it should not waste: it can make these decisions fast if the concepts are clear. The role of an external advisor is precisely that — clarifying concepts to accelerate decisions, not adding layers of bureaucracy where none exist.