Skip to main content

Perello Consulting
· Laurent Perello

What are the real risks of poor AI use in a French SME?

The most widespread risk is not artificial intelligence. It is the unframed use you make of it. A prompt sent into a consumer tool with a client file, a fabricated meeting summary slipped into a quote, an employee who automates a critical process without your knowledge. This article catalogues six operational risks -- dated, sourced, costed for a fifteen-person SME -- then proposes a ten-point governance framework, achievable without a CTO. The preliminary costing is covered in article 1, the method for choosing the first process in article 2.

Why talk about risks rather than benefits

Most articles on AI in SMEs stop at benefits. Time savings, scale effects, new capabilities. All true. All demonstrated, costed, modelled in the first two articles of this series. But a serious investment decision is always made on both sides of the scale. The OECD writes it in its Employment Outlook 2024: AI gains are measurable, its risks are too, and it is more costly to learn the latter through incidents than through reading1.

There is a more operational reason. Benefits materialise progressively, over six to eighteen months. Risks concentrate in the first six months of an unframed deployment. An LLM use with client data can trigger a CNIL complaint within weeks2. A contractual dependency signed without a portability clause is discovered at the first pricing renewal3. The risk timeline is short. The benefit timeline is long. This asymmetry requires governance set before the first pilot, not after the first incident.

Final reason: common reading conflates risk and compliance. The legal angle is necessary, but it covers a narrow subset. CNIL sanctions, AI Act articles, GDPR article 22. These texts frame. They do not suffice. Most losses observed in French SMEs do not come from a public sanction. They come from a tightening supplier dependency, from a hallucination that enters a client deliverable, from an orphaned automation that stops the day an employee leaves. [UNIQUE INSIGHT] AI risk in an SME is first operational, then reputational, then legal. This order determines the governance.

The six operational risks of poor use

The six risks presented below are not exhaustive. They do, however, cover more than eighty percent of incidents observed in French SMEs between 2024 and 202624. Each follows the same anatomy: definition, anonymised example, observable symptoms, typical cost for a fifteen-person SME, practical mitigation. Examples are composite, built from real situations but without any named reference.

Single-vendor dependency (vendor lock-in)

The business entrusts its value chain to a proprietary model or platform without a portability clause, without an exit plan, without interoperability with other providers. The day the vendor changes pricing, degrades quality, modifies terms or disappears, you have no leverage. This is not a theoretical scenario. It is the ordinary scenario of digital for twenty years, transposed to AI.

Composite anonymised example. B2B services SME, eighteen people. In 2024, deployment of a commercial assistant based on a single cloud provider: licence, prompts, histories, embeddings, everything resides with the vendor. July 2025, pricing overhaul. Monthly cost multiplied by 2.4. No structured export available. Migration estimated at six to eight months and approximately EUR 45,000 in data recovery. Forced decision: keep paying.

Observable symptoms. No portability clause in the contract. No automated export of prompts, embeddings and histories. Single model used, with no abstraction layer. Employees refer to "tool X" rather than "our assistant". No comparative test with an alternative provider since signing.

Typical cost for a fifteen-person SME. Vendor pricing overhaul: EUR 15,000 to 45,000 per year. Forced migration, data recovery, integration, training: EUR 35,000 to 90,000. Partial unavailability: two to six weeks. Sources: AI Act article 135, CNIL AI Recommendations6, ANSSI Generative AI Recommendations7.

Mitigation. Contractual portability clause with API export and standard formats. Abstraction layer (software orchestrator) allowing model changes without rebuilding workflows. Second provider tested quarterly on critical cases. Written exit plan from signing, ninety-day scenario documented.

Undetected hallucinations in production

A generative model produces a plausible but factually false answer. Fabricated figure, manufactured citation, imaginary legal clause, reference to a non-existent certification. Without human supervision, this output enters a quote, a meeting summary, a client report, a decision. The error is only detected after signing, after sending, after the damage.

Composite anonymised example. HR consulting firm, twelve people. LLM used to draft commercial proposals from a client brief. In 2025, a proposal mentions an ISO certification the firm does not hold. The client notices after signing. Contract termination, EUR 22,000 credit, reputation damage across three linked accounts.

Observable symptoms. No human review process before external output. No factual quality metric measured on sample. No sources systematically cited in outputs. Employees copy-paste without verification. No adversarial tests (trap prompts to detect model limits).

Typical cost for a fifteen-person SME. Average client incident: EUR 5,000 to 30,000 (credit, rework, lost account). Serious incident with professional liability: EUR 50,000 to 200,000. Ongoing non-quality cost if the defect is systemic: 2 to 6% of revenue. Sources: AI Act article 145, CNIL AI Recommendations6, CNPEN8.

Mitigation. Mandatory human supervision on all external output, one hundred percent for the first three months then twenty percent sampling. Systematic sourcing: every figure and citation references a verifiable source. Monthly quality review on thirty randomly drawn outputs. Quarterly adversarial tests.

Personal data leakage

Personal, confidential or strategic data is sent to a third-party model without legal framework. Without a GDPR legal basis, without an impact assessment, without a contractual clause on non-reuse for training. The business is exposed to a CNIL sanction under GDPR and, since 2024, to a sanction under the AI Act. Article 99 of regulation 2024/1689 caps fines at EUR 35M or 7% of worldwide turnover for the most serious infringements5.

Composite anonymised example. Mid-cap company, one hundred and forty people. A quality engineer pastes into a consumer LLM an extract from a specification containing client personal data and an industrial secret. Data absorbed for training per the terms of service in force. CNIL inspection six months later following an internal complaint. Sanction: EUR 75,000, forced compliance.

Observable symptoms. No written policy on data permitted or forbidden in an external LLM. Personal LLM accounts used professionally. No impact assessment (DPIA) on AI uses. No list of AI processing in the GDPR register. No contractual clause on non-reuse for training.

Typical cost for a fifteen-person SME. Probable CNIL sanction: EUR 20,000 to 150,000 (orders of magnitude from recent decisions). Theoretical AI Act ceiling: up to 7% of worldwide turnover. Hot compliance (external DPO, DPIA, training): EUR 25,000 to 80,000. Sources: AI Act art. 10 and 995, CNIL6, SREN Law9, EDPB opinion 28/20244.

Mitigation. Written policy listing data never sent to an external LLM: named clients, health, industrial secrets, HR data. Company accounts with a contract guaranteeing non-reuse for training. GDPR register entry for each AI processing, DPIA if high risk. Models deployed in controlled environment (contracted API or self-hosting) for sensitive data. Mandatory annual training.

Reproduced and amplified biases

A model learns from historical data containing social, demographic or sectoral biases. Used to sort CVs, score clients, set prices or grant credit, it reproduces these biases at scale, faster than a human decision. The business is exposed to a discrimination sanction (Defender of Rights, CNIL under GDPR article 22), to employment tribunal proceedings, and to a silent loss of decision quality.

Composite anonymised example. Recruitment SME, twenty people. CV pre-screening tool trained on ten years of internal history. In 2025, an audit reveals a systematically lower selection rate for applications from certain employment catchment areas. Report to the Defender of Rights, emergency remediation, tool suspended for three months.

Observable symptoms. No bias audit conducted before production for human-impact use. Training data undocumented. No parity metric tracked (acceptance rate by subgroup). No one internally can explain why the model made a specific decision. No operational right to explanation.

Typical cost for a fifteen-person SME. Employment tribunal or discrimination proceedings: EUR 30,000 to 250,000 (damages and costs). CNIL sanction on GDPR article 22: EUR 20,000 to 100,000. Technical remediation and external audit: EUR 40,000 to 120,000. Employer brand damage: long effect, unquantifiable. Sources: AI Act article 6 and annex III5, CNIL6, Defender of Rights2.

Mitigation. Mandatory bias audit before production for any human-impact use (recruitment, credit, differentiated pricing). Parity metric tracked monthly. Systematic human supervision on adverse decisions, as required by GDPR article 22. Training data documentation. Operational right to explanation: the business must be able to justify any automated decision.

Shadow AI -- unframed use by teams

Unframed AI use by employees, outside any company policy. Personal ChatGPT, Claude, Gemini accounts. Prompts containing confidential data. Individual automations cobbled together on no-code tools. Plugins installed without validation. Management does not know who is using what, on what data, for what decisions. Shadow AI combines data leakage, unsupervised hallucinations and uninventoried dependency.

Composite anonymised example. Services SME, twenty-five people. Anonymous internal survey in 2026. Result: seventeen out of twenty-five employees use a consumer LLM at least once a week for professional tasks, of which nine with client data. No written policy, no training, no inventory. Two incidents already gone unnoticed (hallucinated commercial proposals sent to prospects).

Observable symptoms. No inventory of AI tools used. Employees do not know whether they have the right to use a consumer LLM at work. No company accounts deployed, so personal accounts by default. No AI training delivered in the year. Finance sees no AI budget line, yet AI is everywhere in practice.

Typical cost for a fifteen-person SME. GDPR incident from shadow AI: EUR 20,000 to 100,000. Quality incident (published hallucination): EUR 5,000 to 30,000 per case. After-the-fact regularisation: EUR 15,000 to 50,000. Opportunity cost: the best uses are not capitalised because they are invisible. Sources: CNIL6, ANSSI7, DGE AI and SMEs10, CNPEN8.

Mitigation. Annual anonymous inventory of AI uses. Company account deployment before any ban (banning without an alternative drives workarounds). Two-page written policy: authorised, forbidden, conditional. Short annual training (two hours) for every user employee. Named AI referent as point of contact.

Hidden technical debt

Automations and AI agents built in a rush, without documentation, without tests, without versioning, without a maintenance plan. After six to eighteen months, no one knows how the chain works. The day a prompt breaks, an API changes, or the person who built it leaves the company, the chain stops. The reconstruction cost is often higher than the initial build cost.

Composite anonymised example. Marketing SME, fourteen people. In 2024, an intern builds an automation chain across five tools (no-code, API, LLM). Departs September 2025. In December, a vendor changes their API endpoint. Chain broken, no one understands the architecture. Eleven days down, rebuilt from scratch, external cost EUR 28,000.

Observable symptoms. No written technical documentation for automations. No prompt and workflow versioning. A single person understands a critical process. No monitoring: you do not know a chain has broken until a client complains. Prompts stored in plain text in no-code tools without backup.

Typical cost for a fifteen-person SME. Reconstruction of a lost chain: EUR 15,000 to 60,000. Service interruption: EUR 500 to 3,000 per day depending on process criticality. Inability to migrate vendor (compounding risk 1): EUR 30,000 to 100,000. Institutional knowledge loss: long effect. Sources: ANSSI7, AI Act articles 11 and 125, Cour des comptes11.

Mitigation. Mandatory technical documentation from production: one page per automation specifying objective, inputs, outputs, dependencies, primary owner and backup. Prompt and workflow versioning (git or equivalent). Dual owner on every critical chain. Simple monitoring, alert if down more than twenty-four hours. Quarterly review, archival of unused automations.

A composite case: EUR 145,000 lost over 18 months

[ORIGINAL DATA] Composite case, anonymised, no client named. Built from three situations observed between 2024 and 2026, aggregated to preserve confidentiality. HR consulting SME, sixteen people, EUR 2.4M revenue. Unframed AI deployment between January 2024 and March 2026. Three of the six risks materialise in cascade. Total cumulative amount reaches approximately EUR 145,000, or 6% of annual revenue.

Sequence of events. T0, January 2024: management informally encourages use of a consumer LLM to save time. No written policy. Shadow AI takes hold (risk 5). T+3 months: a consultant uses a consumer LLM with a named candidate file for pre-screening. Data absorbed for training per the vendor's terms of service (risk 3, data leakage). T+8 months: the sales team adopts a single proprietary writing assistant, without portability clause (risk 1 germinating).

T+14 months: quality incident. An automatically generated commercial proposal contains a reference to a certified methodology the firm does not hold. The client notices after signing. EUR 18,000 credit and loss of the account. T+18 months, July 2025: candidate complaint to CNIL for non-compliant automated processing under GDPR article 22. Inspection triggered. T+22 months, November 2025: the main AI vendor doubles prices. No exit plan. Management realises it is captive. T+24 months, January 2026: CNIL sanction of EUR 55,000, forced compliance.

Consolidated final cost. CNIL sanction: EUR 55,000. Hot compliance (external DPO, DPIA, policy, training): EUR 42,000. Client credit on quality incident: EUR 18,000. Captive vendor surcharge over twelve months: EUR 21,000. Management time spent on crisis, estimated at eighty hours at loaded cost: approximately EUR 9,000. Consolidated total: EUR 145,000, or 6% of the company's annual revenue.

Lessons. None of the three risks taken in isolation was severe. Their accumulation, in the absence of written governance, becomes critical. The cost of after-the-fact governance is three to five times the cost of upfront governance. Management did not lack tools. It lacked a two-page framework, signed by management and the AI referent, enforceable on employees and vendors. Implementing this framework in January 2024 would have cost between EUR 3,000 and 8,000, internal time included673.

The AI governance framework for an SME

The framework presented below is achievable without a CTO. You implement it in four to six weeks, for a total cost of EUR 3,000 to 8,000 (your referent's internal time plus occasional external support). Compare that to the EUR 145,000 of the previous case. Each point rests on a public French or European source. The whole fits in two pages, signed by management and the AI referent, then distributed to employees. This is not a legal document. It is an operational document that everyone in the business must be able to read in ten minutes.

Named AI referent

An internal person, mandated by management, single point of contact for every AI topic in the business. Not the intern. Not a diluted function. Two to four hours per week reserved in their schedule, a written mandate, a direct reporting line to management. This referent is your internal interlocutor, that of your employees, your vendors and, in case of incident, the CNIL or ANSSI. Source: CNIL AI Recommendations6, AI Act article 265.

Written ethical framework

Two pages maximum. Explicit principles: human supervision on external outputs, non-discrimination on human-impact uses, transparency towards clients and employees, protection of personal and strategic data, reversibility of automated decisions. Signed by management and the AI referent. Reviewed annually. This document is not meant to be exhaustive. It is meant to be read. Source: CNPEN8, Defender of Rights2.

Authorised and forbidden uses

One-page table, three columns: authorised, forbidden, conditional. Example of forbidden use: sending named client data to a consumer LLM. Example of conditional use: drafting a commercial proposal with human supervision and systematic sourcing. Example of authorised use: reformulating an internal text without personal data. This table is the only document your employees will consult regularly. Source: CNIL6, AI Act article 5 (prohibited practices)5.

Data policy

Explicit list of data never sent to an external LLM: named client data, named employee data, health, confidential financial information, industrial secrets, client intellectual property. GDPR register entry for each AI processing. Impact assessment (DPIA) for any high-risk processing. Vendor contract with non-reuse-for-training clause. Source: CNIL AI Recommendations6, GDPR article 5, SREN Law9, EDPB opinion 28/20244.

Human supervision

Explicit table, supervision rate by task type. External content production: one hundred percent review before sending for the first three months, then twenty percent sampling. Human-impact decisions (recruitment, credit, differentiated pricing): one hundred percent permanent review, no exception. Internal use without external stakes: review by exception. This table is enforceable: it lets you explain to an auditor, the CNIL, an employee, why a given output was or was not checked. Source: AI Act article 145, GDPR article 22.

Monthly quality review

Thirty randomly drawn outputs each month, evaluated on three criteria: factual accuracy, business relevance, risk level. A shared journal with management. Objective: bring the published hallucination rate below one percent. Without this ritual, the typical observed rate exceeds five percent, with a direct effect on quality perceived by clients. This review articulates with step 7 of the selection method (before/after measurement). Source: CNIL6, ANSSI7.

AI Act and CNIL regulatory watch

Subscription to CNIL newsletters and the European AI Office12. Quarterly review led by the AI referent. Framework update within forty-eight hours in case of major news (EDPB guideline, CNIL guide, reference sanction). The AI Act has been entering into force in stages since August 2024, with full applicability planned for August 2026. The sanctions mentioned in this article are legal ceilings: the practice of French authorities on SMEs, in 2024 and 2025, sits significantly below these ceilings. Source: AI Act5, CNIL6, EU AI Office12.

Contractual portability clause

Every contract signed after framework implementation includes three clauses: API export of data and histories in standard format, no reuse of data for vendor training, minimum notice (typically ninety days) in case of substantial pricing or functional change. These clauses protect migration freedom. They cost zero euros at signing. They are worth several tens of thousands of euros the day the vendor changes terms. Source: ANSSI7, Cour des comptes11, AI Act article 135.

Technical documentation

One page per AI chain in production: objective, inputs, outputs, dependencies, primary owner, backup owner, date of last review. Critical prompt versioning (git or equivalent). Inventory maintained by the AI referent. Quarterly review, archival of unused chains. This documentation is the only known defence against hidden technical debt. Source: AI Act article 115, ANSSI7, Cour des comptes11.

Vendor exit plan

For each critical vendor, write a scenario: what to do in case of seven-day unavailability, thirty-day, permanent? Tested at least once a year, by a simulated switchover on a test environment. This plan is not theoretical. It is the only document that, on the day of a major outage, lets you make a decision in hours rather than weeks. Source: ANSSI7, Cour des comptes11.

What this framework concretely changes

This framework, seriously applied over twelve months in your SME, produces four measurable effects you can observe yourself on your dashboards. First effect: avoided incidents. In SMEs that adopt the ten points, the number of reported AI incidents drops by approximately two-thirds in the year following implementation, according to public reports from specialist firms and publicly available CNIL files613. The framework does not eliminate risks. It brings them to a manageable level for a structure without a CTO.

Second effect: compliance maintained. The framework covers the main requirements of GDPR (articles 5, 22, 35) and the AI Act (articles 5, 6, 10, 11, 13, 14, 26, 99)5. It does not replace a dedicated impact assessment on a high-risk processing. It constitutes the documentary base the CNIL will request in case of inspection. If you present these ten signed and dated documents, you demonstrate active governance -- what the CNIL explicitly calls "reasonable diligence"13.

Third effect: reassured teams. [PERSONAL EXPERIENCE] In engagements conducted in recent years, the most consistent effect is not legal. It is human. Employees want to use AI. They are afraid of doing it wrong. A one-page table specifying what is authorised, forbidden, conditional, frees up use rather than constraining it. Productive uses increase, risky uses decrease. Shadow AI disappears within three to six months, replaced by declared and supervised uses.

Fourth effect: disciplined vendors. Once your contracts include the portability clause, the non-reuse-for-training clause and the modification notice, your serious vendors accept. Those who refuse signal themselves. This selection, silent but constant, improves the quality of your vendor portfolio over eighteen months without you needing to run a formal tender. You gain freedom without ever having to negotiate head-on. Our methodology integrates these four effects as measurement criteria.

Frequently asked questions

What are the most frequent risks in SMEs?

The three most frequent risks are shadow AI (unframed use by employees), data leakage to external models, and single-vendor dependency. They precede the more publicised risks like algorithmic bias or hallucinations, because they materialise in the first months of use, without management knowing. The ten-point governance framework presented in this article addresses these three first, then covers the other three610.

Should consumer ChatGPT be banned in the workplace?

No. Banning without an alternative drives shadow AI and worsens the risk. The right sequence has three steps. First, deploy company accounts with a contract guaranteeing non-reuse for training. Second, publish a two-page written policy on authorised, forbidden and conditional uses. Third, train employees (two hours suffice for a first level). Once this framework is in place, consumer versions can be framed or excluded as appropriate. The CNIL and ANSSI favour this pragmatic approach67.

What are the legal risks under the AI Act?

The AI Act (EU regulation 2024/1689) provides for sanctions up to EUR 35M or 7% of worldwide turnover for infringements of the prohibited practices in article 55. For high-risk systems (recruitment, credit, client scoring listed in annex III), obligations cover technical documentation, human supervision, data quality, transparency. For your SME, the realistic scenario combines a CNIL sanction under GDPR (EUR 20,000 to 150,000 based on recent cases) and compliance obligations. Entry into force is progressive between 2025 and 2027, with full applicability in August 2026.

How do I detect hallucinations in production?

Three combined practices. One hundred percent human supervision for the first three months on all external output, then twenty percent sampling. Systematic sourcing: every figure and citation references a verifiable source, integrated into the output itself. Monthly quality review on thirty randomly drawn outputs, evaluated on three criteria (accuracy, relevance, risk). Complete with quarterly adversarial tests (prompts designed to make the model hallucinate). This combination brings the published hallucination rate below one percent; without these practices, the typical rate exceeds five percent6.

What is the minimum budget for an AI governance framework?

Between EUR 3,000 and 8,000 for initial implementation of the ten-point framework. Breakdown: AI referent internal time (forty to sixty hours over a quarter), occasional external support (one to three days), short employee training (two hours per person). Annual maintenance sits between EUR 2,000 and 5,000, essentially internal time. Compare to the average cost of an AI incident in an SME (CNIL sanction, quality incident, captive vendor surcharge), which runs to tens of thousands of euros. The governance ROI is structural63.

Can I protect against shadow AI without banning AI?

Yes, and it is the only approach that works sustainably. Banning drives workarounds, as twenty years of enterprise IT have shown. The effective sequence deploys over three months: annual anonymous inventory of actual uses, company account deployment on the most-used tools, clear policy publication, mandatory short training, named AI referent as point of contact. Employees do not use AI to circumvent -- they use it to save time. Give them a framework rather than a ban, and shadow AI disappears within three to six months67.

What is the difference between risk and uncertainty with AI?

A risk is measurable and, in principle, insurable: probability times impact. An uncertainty is not -- it falls in the domain of the unknowable. With AI, the six risks presented in this article are measurable: you can anticipate and cost them for your own SME. Uncertainties concern medium-term regulatory evolution, the technological trajectory of models, the transformation of occupations. Governance addresses risks. Watch and contractual flexibility address uncertainties. The two are distinct and complementary.

What should I do if an AI incident occurs?

Four steps in order. First, contain: stop the relevant chain, preserve traces (logs, prompts, outputs), isolate the data. Second, qualify with the AI referent: does the incident fall under GDPR (CNIL notification within seventy-two hours if personal data), quality (client to inform), security (ANSSI depending on severity)? Third, correct: technical and organisational remediation. Fourth, capitalise: add the incident to the journal, update the governance framework, train the relevant teams. Never conceal an internal incident: its later revelation systematically worsens the consequences67.

Set the framework before deploying

The right sequence is known. Measure the cost of automatable tasks (article 1). Choose a first process according to a public method (article 2). Set a ten-point governance framework before the pilot, not after the incident. This article closes the trilogy. The three pieces hold together: costing, method, governance.

If you run an SME in 2026 and have not yet set this framework, the moment is now. The free AI audit includes a compliance review across the six risks and an initial diagnostic of the ten governance points. You leave with a two-page summary document, actionable from the following Monday, signed by your AI referent and your management. For what comes next, you can discover the full methodology or meet the team that carries these engagements.

Request your AI audit ->

Read also

Sources and methodology

This article relies exclusively on public sources, French and European where possible, international where French data is unavailable. Tier 1 reference sources cover public authorities (CNIL, ANSSI, Defender of Rights, Cour des comptes), legislative and regulatory texts (AI Act, GDPR, SREN Law), European bodies (Commission, EDPB, AI Office), statistical services (INSEE, DARES, France Strategie) and public support operators (France Num, DGE, Bpifrance). Tier 2 sources cover international organisations (OECD, NIST) and reference academic or professional publications (MIT Sloan, HBR).

Selection methodology. Each quantified or normative claim in the article is associated with a consulted and dated source. Cost ranges presented (CNIL sanction, quality incident, forced migration, etc.) are built from public CNIL decisions over the 2022-2025 period, from firm engagement feedback and from orders of magnitude communicated by Bpifrance and France Num. Anonymised examples are composite: they aggregate several situations to preserve confidentiality and to refer to no identifiable client.

Regulatory precision. The AI Act (EU regulation 2024/1689) has been entering into force in stages since August 2024. Prohibited practices provisions have applied since February 2025. Obligations for general-purpose AI models have applied since August 2025. Full applicability, including high-risk systems listed in annex III, is planned for August 2026. Sanctions mentioned in this article (EUR 35M or 7% of worldwide turnover) are the legal ceilings of article 99. The practice of French authorities (CNIL and, in time, national AI Act authority) on SMEs, in 2024 and 2025, sits significantly below these ceilings.

Precision on composite cases. The EUR 145,000 case is composite, anonymised, no client named. It is built from three situations observed between 2024 and 2026, aggregated to preserve confidentiality. Individual amounts (CNIL sanction EUR 55,000, client credit EUR 18,000, vendor surcharge EUR 21,000, compliance EUR 42,000, management time EUR 9,000) are orders of magnitude consistent with public CNIL decisions, observed market practice and the loaded hourly cost of SME management calculated from INSEE and URSSAF sources. Anonymised examples for the six risks follow the same convention. No client named, no direct citation of a real contract, no traceable reference to a specific entity.

About the author

Laurent Perello runs Perello Consulting, an independent AI automation firm for French SMEs. After 25 years building products for the web, he now orchestrates ten AI agents that he pilots alone, with a production log published daily at perfectaiagent.xyz. He publishes his methodologies and pricing online so that every executive can decide with full information.

Orchestrator: Alpha -- Perello Consulting | 2026-04-17

Footnotes

  1. OECD. Employment Outlook 2024. https://www.oecd.org/employment-outlook/. Consulted 13 April 2026.

  2. Defender of Rights. Algorithms: preventing automated discrimination. https://www.defenseurdesdroits.fr/publications/rapports/algorithmes-prevenir-lautomatisation-des-discriminations. Consulted 13 April 2026. 2 3 4

  3. France Num (DGE / Bpifrance). AI self-diagnostic for businesses. https://www.francenum.gouv.fr/guides-et-conseils/strategie-numerique/diagnostic-numerique/autodiag-ia-evaluez-la-capacite-de. Consulted 13 April 2026. 2 3

  4. EDPB. Opinion 28/2024 on data protection aspects of AI model processing. https://www.edpb.europa.eu/our-work-tools/documents/public-consultations_fr. Consulted 13 April 2026. 2 3

  5. European AI Regulation (AI Act, 2024/1689). Consolidated text. https://eur-lex.europa.eu/eli/reg/2024/1689/oj. Consulted 13 April 2026. 2 3 4 5 6 7 8 9 10 11 12 13 14

  6. CNIL. Recommendations on AI system development. https://www.cnil.fr/fr/intelligence-artificielle/recommandations-developpement-systemes-ia. Consulted 13 April 2026. 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

  7. ANSSI. Security recommendations for a generative AI system. https://cyber.gouv.fr/publications/recommandations-de-securite-pour-un-systeme-dia-generative. Consulted 13 April 2026. 2 3 4 5 6 7 8 9 10 11

  8. CNPEN. Opinion on conversational agents and generative AI systems. https://www.ccne-ethique.fr/publications/avis-cnpen. Consulted 13 April 2026. 2 3

  9. Law No. 2024-449 of 21 May 2024 (SREN). Law on securing and regulating digital space. https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000049563368. Consulted 13 April 2026. 2

  10. DGE. AI and SME transformation. https://www.entreprises.gouv.fr/fr/numerique/enjeux/intelligence-artificielle. Consulted 13 April 2026. 2

  11. Cour des comptes. Digital thematic publications and cloud vendor dependency. https://www.ccomptes.fr/fr/publications-thematiques?theme=numerique. Consulted 13 April 2026. 2 3 4

  12. European Commission. AI Office. https://digital-strategy.ec.europa.eu/en/policies/ai-office. Consulted 13 April 2026. 2

  13. CNIL. Public sanctions and formal notices. https://www.cnil.fr/fr/les-sanctions-prononcees-par-la-cnil. Consulted 13 April 2026. 2

← Back to blog