An AI system that scores job applications and consistently rates women lower. A pricing algorithm that systematically charges customers in certain postcodes more. A chatbot that responds differently to non-Western names. These aren't hypothetical examples: all three have surfaced at Dutch and international companies in recent years, in several cases leading to lawsuits, fines, or reputational damage.
For SMBs, "bias audit" sounds like something for banks and big tech with data scientists on staff. But under the EU AI Act and GDPR, you're equally responsible if you use AI to make decisions about people — whether those decisions concern applicants, customers, suppliers, or employees. This guide explains what a bias audit looks like at SMB scale, and how to run one without an in-house AI team.
What AI bias actually is
AI bias is when an AI system systematically gives different outcomes for different groups of people, in a way that's legally or ethically problematic. Bias isn't the same as "the algorithm has an opinion" — bias usually arises unintentionally, from three sources:
1. Contaminated training data. If you train an AI on historical data in which a group was underrepresented or portrayed stereotypically, the AI learns that pattern. A widely discussed example is a recruitment AI that learned "successful engineers in this company are usually male", not because that's causally true, but because the historical dataset had grown that way.
2. Poorly chosen features. Variables that look neutral on the surface but correlate with protected characteristics. Postcode can correlate with ethnic background. Surname with country of birth. Browsing pattern with gender. An AI using these features can effectively discriminate without you intending it.
3. Wrong optimization targets. An AI trained to "minimize cost" or "maximize conversion" without fairness constraints can find solutions that benefit one group at the expense of another. A pricing algorithm that purely optimizes on willingness-to-pay often ends up with systematically higher prices for groups that negotiate less — a pattern no one explicitly built in.
For broader context, see AI risks and liability and the pillar page AI legislation in the Netherlands and the EU AI Act.
When is a bias audit required?
Not every AI use needs a formal bias audit. Three categories where it is, or effectively is, required:
High-risk AI systems under the AI Act. Annex III names explicitly: HR tools, credit scoring, education admissions, biometric categorization, AI in critical infrastructure. For these categories, AI Act Art. 10 requires that training, validation, and test datasets are examined for possible bias and that appropriate measures are taken.
Automated decisions under GDPR Art. 22. When an AI system (jointly) decides about someone without substantial human intervention, and that decision has legal effect or "similarly significantly affects" the person, you must be able to demonstrate the decision was reached fairly — and therefore that your system doesn't make prohibited distinctions.
On any discrimination complaint. Even without Annex III status, an applicant, customer, or employee can claim they were unfairly disadvantaged by your AI. Then you must be able to reconstruct why the decision came out that way — and demonstrate it wasn't prohibited discrimination on protected grounds (gender, age, origin, religion, or other protected characteristics).
In practice: if you use AI to make decisions about people — applications, credit, pricing, customer service prioritization, supplier evaluations — you must be able to produce a bias audit. Not as a formal document on the shelf, but as a process demonstrably executed.
The four steps of an SMB bias audit
A workable approach for an SMB with one to five AI systems where bias could matter:
Step 1: Inventory which decisions your AI makes
Per AI system: which decisions does it take? Which groups of people are affected? Along which characteristics could outcomes plausibly differ between those groups? For a recruitment AI the list is long (gender, age, origin, education level, location); for a pricing algorithm it's shorter but no less important.
The output of this step is a simple document per AI system: "this system decides X about Y group of people, and the possible fairness concerns are Z."
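To make this concrete, here's a minimal sketch of what one inventory record could look like, written as a Python dict so it can feed the later audit steps. The field names and the recruitment example are our own illustration, not a format prescribed by the AI Act.

```python
# Illustrative inventory record for one AI system.
# Field names are our own choice, not an AI Act-prescribed format.
inventory_entry = {
    "system": "CV pre-screening tool",
    "decision": "shortlist or reject applicants",   # X: what it decides
    "affected_group": "job applicants",             # Y: who is affected
    "fairness_concerns": [                          # Z: plausible concerns
        "gender", "age", "origin", "education level", "location",
    ],
    "ai_act_annex_iii": True,      # HR tooling is explicitly listed as high-risk
    "review_cadence": "quarterly",
}
```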
Step 2: Collect outcome data per group
This is the heart of the audit. For each decision your AI made over a recent period (3-12 months), break the outcomes down per protected characteristic and check whether outcome rates differ significantly between groups. For recruitment, for instance: of the 200 men and 200 women who applied, how many did the AI score positively?
What you often discover here: there's a difference, and you didn't notice. Sometimes that difference is explicable (the men had on average more relevant experience), sometimes not. Both call for follow-up — only the nature differs.
Important nuance: you can run this analysis on anonymized, aggregated data. You don't need to store ethnicity per individual to test whether your system scores ethnically neutrally. For more complex cases, work with a Trusted Third Party or a DPIA approach (see DPIA for AI projects).
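To illustrate both points, a minimal sketch: the whole analysis runs on aggregate counts per group, so no individual-level protected data needs to be stored, and a standard chi-squared test flags whether a difference is likely to be chance. The counts below are invented; scipy's chi2_contingency is the real function.

```python
# Minimal sketch: selection rates per group from aggregate counts only.
# The counts are invented; no individual-level protected data is needed.
from scipy.stats import chi2_contingency

counts = {
    "men":   {"selected": 90, "rejected": 110},   # 200 male applicants
    "women": {"selected": 62, "rejected": 138},   # 200 female applicants
}

for group, c in counts.items():
    rate = c["selected"] / (c["selected"] + c["rejected"])
    print(f"{group}: selection rate {rate:.0%}")   # men: 45%, women: 31%

# Chi-squared test on the 2x2 contingency table of counts.
table = [[c["selected"], c["rejected"]] for c in counts.values()]
chi2, p_value, _, _ = chi2_contingency(table)
print(f"p-value: {p_value:.4f}")   # below 0.05: unlikely to be pure chance
```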
Step 3: Analyze and classify
Three kinds of patterns that can show up:
- No significant difference — good news, though it only shows absence of bias within the dimensions you measured.
- Difference that's technically explicable from objective criteria — document why, and monitor whether it stays stable.
- Difference not explicable from legitimate criteria — you have a bias problem that needs attention.
For the third category, the follow-up depends on where the bias originates: adjust training data, remove features, revise the model, or in extreme cases switch the system off until the problem is resolved.
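One widely used heuristic for this classification is the "four-fifths rule" from US employment practice: if the worst-off group's selection rate falls below 80% of the best-off group's, treat it as a red flag that needs explanation. A sketch follows, where both thresholds are conventions to tune to your own risk appetite, not norms from the AI Act or GDPR.

```python
# Sketch: classify per-group selection rates with the four-fifths heuristic.
# Both thresholds are conventions (our assumption), not legal norms.
def classify_bias(rates: dict[str, float], threshold: float = 0.8) -> str:
    ratio = min(rates.values()) / max(rates.values())  # disparate impact ratio
    if ratio >= 0.95:
        return "no meaningful difference"
    if ratio >= threshold:
        return "difference found: document and monitor"
    return "possible bias: investigate data, features, and model"

print(classify_bias({"men": 0.45, "women": 0.31}))
# -> possible bias: investigate data, features, and model  (0.31/0.45 = 0.69)
```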
Step 4: Document and repeat
A bias audit isn't a one-off. What was fair last month may have drifted out of balance this quarter, because your input data shifts. Quarterly or semi-annual repetition is the right cadence for most SMBs.
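What the repeat check could look like in code, as a sketch: compare each new quarter's per-group rates against the previous audit and flag any shift beyond a tolerance you set yourself. The structure and the 5-percentage-point tolerance are our assumptions.

```python
# Sketch: flag drift between two audit rounds (tolerance is our assumption).
def drift_alerts(previous: dict[str, float], current: dict[str, float],
                 tolerance: float = 0.05) -> list[str]:
    return [
        f"{group}: {previous[group]:.0%} -> {rate:.0%}"
        for group, rate in current.items()
        if abs(rate - previous[group]) > tolerance
    ]

q1_rates = {"men": 0.45, "women": 0.44}
q2_rates = {"men": 0.46, "women": 0.36}    # women's rate dropped 8 points
print(drift_alerts(q1_rates, q2_rates))    # -> ['women: 44% -> 36%']
```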
Document per audit: what you measured, which outcomes, which conclusions, which actions. This is exactly the evidence you need to produce in an audit — and it overlaps largely with what you already do for AI explainability in decision-making and AI audit trail logging.
Practical tools that work
For an SMB without a data science team:
Simple Excel analysis. For systems with under 10,000 decisions per quarter, a well-built pivot table with groups on rows and outcomes on columns is often enough. No software investment, but discipline required.
Open-source bias toolkits. IBM's AI Fairness 360, Microsoft's Fairlearn, Google's What-If Tool — free, well documented, and usable by anyone with basic Python skills (see the sketch after this list). For mid-sized SMBs (50-250 employees), this is often the sweet spot.
External audit firm. For high-risk systems or when you must demonstrate AI Act compliance to customers or regulators, an external party is valuable. Plan for €5,000-€15,000 per audit, depending on complexity.
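As an impression of what these toolkits give you over a spreadsheet, a minimal Fairlearn sketch with invented data. MetricFrame and demographic_parity_ratio are part of Fairlearn's public API; everything else here is illustrative.

```python
# Minimal Fairlearn sketch: selection rate per group, plus the
# demographic parity ratio (1.0 means perfectly equal selection rates).
from fairlearn.metrics import MetricFrame, selection_rate, demographic_parity_ratio

y_true = [1, 0, 1, 1, 0, 1, 0, 0]   # actual outcomes, if known (invented)
y_pred = [1, 0, 1, 1, 0, 1, 0, 0]   # what the AI decided (invented)
gender = ["m", "m", "m", "m", "f", "f", "f", "f"]

mf = MetricFrame(metrics=selection_rate, y_true=y_true,
                 y_pred=y_pred, sensitive_features=gender)
print(mf.by_group)   # selection rate per gender group

ratio = demographic_parity_ratio(y_true, y_pred, sensitive_features=gender)
print(f"demographic parity ratio: {ratio:.2f}")   # 0.33 in this invented data
```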
Human-in-the-loop is not a free pass
A misconception we encounter often: "we have a human reviewing every decision, so we don't need a bias audit." That's not true. Research on automation bias consistently shows that human reviewers follow AI recommendations far more often than they overrule them, especially when the AI looks reasonable in the majority of cases. If your AI's pre-sorting is skewed, your entire decision-making process starts from that skew, even with a human in the loop.
A bias audit and human review are complementary, not substitutes. Review catches individual mistakes; audits catch systematic skew. You need both.
What it costs
For an SMB with one to three AI systems where fairness matters:
| Component | Cost |
|---|---|
| One-off bias-measurement setup (per system) | €3,000-€10,000 |
| Tooling (open-source with implementation) | €2,000-€6,000 one-off |
| Ongoing quarterly audit (internal) | €500-€1,500/quarter |
| External audit for high-risk systems | €5,000-€15,000/year |
Year 1: €10,000-€30,000 for an SMB. Against an AI Act fine of up to €15 million or 3% of global turnover (whichever is higher) for breaches of the data quality and bias monitoring obligations (Art. 99), this is cheap insurance. It also builds customer trust, which is becoming more valuable all the time in an AI-saturated market.
What you can do this month
Three concrete actions without budget:
List the AI decisions that touch people. In most SMBs there are one to three systems in this category. Start there.
Ask your AI vendor what they do about bias monitoring. A good answer contains concrete metrics, a measurement cadence, and evidence of action when deviations were found. If the answer is vague — "we have an ethics framework" — you know where the work lies.
Appoint one person as fairness point of contact. As with governance: not "the team," but one name. Someone who can judge whether a new AI application falls in scope and what's needed.
A bias audit isn't an exercise in mathematical perfection. It's a promise to the people your system touches: that they aren't treated as a number by an opaque machine. Keep that promise and you have less to fear from regulators, customers, and future employees, and you build the kind of trust that sets AI-mature organizations apart.