AI governance in e-commerce

In recent years, the conversation about artificial intelligence in e-commerce has very often started with tools. Companies tested product description generation, automatic translations, chatbots, recommendations, customer classification, review analysis, image creation, campaign automation, customer service support and the first agentic AI scenarios. In many organizations, AI entered everyday work faster than rules for its use were created.

This is understandable. Tools are easily available, effects often appear immediately, and the pressure to increase efficiency in e-commerce is very high. The product team wants to complete descriptions faster. Marketing wants to create more campaign variants. Customer service wants to reduce response time. B2B sales wants to classify customers more effectively and automate repetitive tasks. The management board wants to see time savings, faster implementations and higher productivity.

The problem begins when a company implements AI without answering basic questions. Who can use AI tools? What data can be entered into them? Who approves automatically generated content? Can AI influence communication with the customer? Can it analyze sales data? Can it support pricing decisions? Can it classify B2B customers? Can it create recommendations? Who is responsible for incorrect information, an inaccurate product description, a breach of brand tone, unauthorized use of data or a decision made on the basis of automated analysis?

That is why 2026 will be the year of AI governance in e-commerce, not more prompts. Not because prompting will cease to be important. Because efficient use of AI tools alone will not be enough if the company does not have control over data, processes, responsibility, risk and technological architecture. AI without governance can speed up work, but it can also duplicate errors faster, reveal organizational chaos and create risks that the company previously did not have to analyze at this scale.

AI governance does not mean blocking innovation. Well-designed governance does not slow down the organization, but allows it to use AI in a more predictable, safe and measurable way. In practice, it is about the company knowing where AI supports a process, where a human decision is required, what data is used, how the quality of results is assessed, who bears responsibility and how the solution fits into the architecture of the entire e-commerce ecosystem.

Why this topic is becoming important right now

Until recently, many companies treated AI as an experiment. Today, AI is increasingly becoming part of real business processes. It generates product content, supports translations, classifies customers, prepares data exports, analyzes reviews, helps with customer service, supports marketing activities, accelerates developers’ work, organizes documentation and can be connected to data from ERP, PIM, CRM, the e-commerce platform or reporting systems.

At the same time, regulatory pressure is growing. The EU AI Act is being implemented in stages, and obligations for providers of general-purpose AI models began to apply on 2 August 2025. The European Commission indicates that providers of GPAI models placed on the market after that date must meet relevant obligations, while the most powerful models with systemic risk are subject to additional requirements, including the obligation to notify the AI Office. At the same time, the debate around the AI Act’s timeline and scope remains dynamic, as shown by the latest reports on political agreements regarding the postponement of certain deadlines for high-risk systems.

For e-commerce companies, however, the most important thing is not tracking every change in the regulatory calendar. The direction matters more: AI is no longer treated as a neutral tool that can be used freely, without rules and without documentation. It will become increasingly important whether an organization can demonstrate how it uses AI, what data it processes, what risks it assesses, what decisions it leaves to humans and how it controls the quality of results.

This direction is also reinforced by global standards for AI risk management. NIST developed the AI Risk Management Framework, whose purpose is to help organizations better manage risks related to artificial intelligence for people, organizations and society. In practice, this means that increasingly it will not be enough to say “we use AI”. Companies will have to be able to answer: for what purpose, on what data, with what supervision, with what quality assessment and with what safeguards.

The other side of this change is also visible in the market: some AI projects do not deliver the expected value. Gartner predicted in 2025 that more than 40% of agentic AI projects would be cancelled by the end of 2027 because of rising costs, unclear business value or insufficient risk control mechanisms. This is a very important signal for e-commerce. The problem is not a lack of tools. The problem is the lack of a clear model for implementing AI, measuring results and managing risk.

AI governance is not only a topic for corporations

When many companies hear “governance”, they imagine multi-page policies, complicated procedures, compliance departments and processes that slow down work. In e-commerce, this association can be particularly dangerous because organizations operating in online sales are used to speed. They test tools, launch campaigns, change offers, optimize checkout, expand catalogues, integrate marketplaces and respond to seasonality. Anything that sounds like additional bureaucracy may be perceived as an obstacle.

Properly understood AI governance, however, is not about stopping work. It is about organizing rules in such a way that the team knows what it can use, for what purpose, with what data and at what level of responsibility. This is a very practical approach. If an e-commerce employee generates a product description using AI, they should know whether they can paste technical data from a supplier into the tool, whether they should anonymize information, who approves the final description and whether AI can create claims concerning composition, safety, use or product compliance.

If the marketing department uses AI for customer segmentation, it must understand whether it is working on anonymous, aggregated or personal data, whether results can be used for automated campaigns, who is responsible for incorrect classification and how to prevent communication that could be inappropriate, discriminatory or based on incomplete data. If the B2B team wants to use AI to analyze customer value, prioritize leads or suggest sales actions, it must know where analytical support ends and where a business decision requiring human involvement begins.

In small and medium-sized companies, governance can be simple. It does not immediately have to mean an extensive system of procedures. It can start with a map of AI use cases, risk-level classification, rules for working with data, a list of approved tools, defining processes that require human approval and a way of measuring results. The most important thing is for the company to stop operating in a model in which everyone uses AI in their own way, without shared standards.

In e-commerce, such a lack of standards very quickly leads to chaos. One team generates product descriptions in a different style than another. Marketing creates campaigns based on data whose sources are unclear. Customer service uses a tool that does not know the current return conditions. B2B salespeople ask AI to analyze customers, but without control over what data is used. Developers accelerate work with AI, but the organization does not set rules for code security, documentation and review. At first, it looks like increased efficiency. Over time, it begins to resemble a loss of control.

The biggest mistake: implementing AI without a map of processes and data

The most common mistake in e-commerce is that a company starts with a tool, not with a process. A need arises to generate descriptions, so the team chooses a tool. A need arises to automate customer service, so the company tests a chatbot. A need arises to analyze sales, so someone connects AI to reports. A need arises for faster development, so developers start using coding assistants. Each decision may make sense locally, but without a shared architecture the organization begins to build AI as a collection of random islands.

The problem is that AI is only as good as the context it receives. If product data is inconsistent, AI may generate inconsistent descriptions. If customer data is scattered, AI may create incorrect segments. If knowledge about terms and conditions, deliveries, complaints and product availability is not up to date, AI may provide answers that look credible but are incorrect. If B2B processes are full of exceptions, individual conditions and undocumented commercial rules, AI can duplicate chaos faster than organize it.

The same applies to more advanced implementations such as AI agents, automatic action recommendations, offer personalization or support for pricing decisions. If a company does not know which data is the source of truth, how often it is updated, who approves it and what its limitations are, AI governance will not be an add-on. It will be a condition for safely launching such a solution.

In practice, the first step toward AI governance should not be writing a policy, but mapping. The company should determine where AI is already being used, where it could be used, what data is used, what decisions it can support, which results reach the customer, which remain inside the organization and which processes require human control. Only then can rules be built that make business sense.

Without such a map, it is easy to create apparent efficiency. The team works faster, but the company does not know whether content quality is better. Campaigns are created faster, but no one checks whether segmentation is correct. A chatbot answers more questions, but it is unclear whether it reduces the number of real customer problems. AI suggests sales actions, but it is unclear whether it improves margin, retention or service quality. Then AI becomes an expensive layer of automation without a clear impact on the business.

AI governance starts with data

In e-commerce, data is the foundation of almost every meaningful AI scenario. Product data affects descriptions, recommendations, search, filters, comparisons, translations and handling customer questions. Transactional data affects segmentation, purchase predictions, campaign automation, cart analysis and inventory planning. Logistics data affects communication about availability, delivery times and order status. Data from PIM, ERP, CRM, WMS and the e-commerce platform creates the context without which AI operates on general assumptions rather than business reality.

That is why one of the most important elements of AI governance is answering the question of what data can be used in AI and under what rules. Not all data should go into every tool. Public product descriptions should be treated differently from technical data, margin information, customer data, B2B commercial terms, internal documentation or data covered by trade secrets.

In e-commerce companies, it is particularly important to distinguish between AI used for internal work and AI that affects the customer. Different risks arise when an employee asks a tool to summarize meeting notes, and different risks arise when AI generates a publicly visible product description, a review summary, an automatic response to a complaint or a product recommendation. In the first case, an error may remain inside the organization. In the second, it may affect a purchasing decision, brand trust, communication compliance or the company’s responsibility for information.

Data must also be up to date. AI connected to outdated product data, archived price lists or incomplete inventory levels will not improve service quality. It may only create incorrect answers faster. In B2B, this problem is particularly sensitive because a customer may have an individual price list, credit limit, delivery terms, product scope, user roles and an order approval process. AI that does not understand this context should not automatically influence the sales process.

That is why AI governance must be connected with data architecture. If a company has a well-implemented PIM, consistent data in ERP, an organized CRM, stable integrations and clear sources of truth, it can build AI on a solid foundation. If data is scattered, outdated and full of exceptions, AI governance should first stop excessive automation and direct the organization toward organizing the basics.

Human-in-the-loop as a principle, not decoration

Many companies declare that a human always supervises AI. The problem is that in practice, human-in-the-loop is often treated very superficially. Someone “can check” generated content, but there are no clear assessment criteria. Someone “approves” an answer, but does not know what data the tool used. Someone “has control”, but the system operates so quickly that control becomes a formality.

A well-designed human-in-the-loop should be adapted to the risk of the process. If AI generates a draft text proposal for a campaign, editorial and marketing approval is enough. If AI creates a product description containing technical information, subject-matter control is needed. If AI answers customer questions about returns, complaints, availability or purchase conditions, control of compliance with current rules is needed. If AI supports pricing, discount or segmentation decisions, business control and analysis of impact on margin, customer and error risk are needed.

Human-in-the-loop does not mean that a human must manually approve every simplest result. It means that the company consciously determines which AI activities can be automatic, which require control before publication, which should be monitored after implementation and which should not be automated at all at a given level of organizational maturity.

In e-commerce, processes that directly affect the customer are particularly important. A product description, a checkout message, a customer service response, a product recommendation, customer classification, price presentation, availability information or a suggestion of a substitute may have a real impact on sales and trust. If AI operates in these areas without clear rules, the company transfers risk to the customer and the brand.

That is why human-in-the-loop should be part of process architecture, not an addition in an AI policy. The system should support control, versioning, approval, audit and the possibility to reverse an incorrect change. If AI generates product content, it is worth knowing who approved it and when. If AI classifies customers, it is worth knowing what data was used. If AI supports customer service, it is worth monitoring response quality and escalations to humans. Without this, control remains only a declaration.

AI in e-commerce has different levels of risk

Not every AI use case in e-commerce has the same level of risk. This is important because an approach that is too broad can paralyze the organization, while an approach that is too loose can lead to loss of control. Governance should differentiate levels of risk and adapt rules accordingly.

The lowest risk is usually associated with internal uses that do not rely on sensitive data and do not directly affect the customer. This may include creating draft headline variants, summarizing internal notes, organizing content ideas, supporting task list creation or analyzing text that will in any case be edited by a human.

Medium risk appears where AI affects customer-facing content or sales processes, but a human still has clear control. Examples include product descriptions, translations, review summaries, category recommendations, marketing segment proposals, data exports or automatic preparation of campaign content. Here, governance should cover quality control, approval, data handling rules and brand standards.

Higher risk appears when AI begins to support decisions that may affect commercial terms, access to the offer, complaint handling, customer prioritization, discount policy, lead scoring, dynamic pricing or communication in disputed situations. In such areas, not only human control is needed, but also documentation, testing, monitoring and clear limits of automation.

The highest risk concerns situations in which AI would act autonomously on behalf of the company, make high-value business decisions, serve customers without supervision or use data that cannot be safely shared. In such cases, governance should be very cautious, and automation should be preceded by analysis of the process, data, risks, responsibility and auditability.

Such a division helps avoid two extremes. The first is blocking all AI because the company fears risk. The second is automating everything because tools are available and fast. A mature organization does something different: it chooses use cases with the greatest value and a reasonable risk level, and then builds a controlled operating model for them.

From prompts to the company’s AI operating system

Many organizations start with prompts because they are the simplest entry point. Employees learn to formulate instructions, create content variants, analyze data, summarize documents and accelerate everyday work. This is a good beginning, but it cannot be the end of an AI strategy.

A prompt is an interaction with a tool. Governance is an operating system for the organization. If a company truly wants to use AI in e-commerce, it must move from individual experiments to repeatable processes. This means that best practices should be documented, prompting should be embedded in specific workflows, data should come from controlled sources and results should be assessed in terms of quality and business impact.

In practice, this can be compared to the development of e-commerce. At the beginning, a simple store is enough. Later, integrations, ERP, PIM, automations, B2B, marketplaces, international sales, analytics, approval processes and user roles appear. At some point, the store stops being only a website and becomes a sales system. Similarly, AI in a company cannot remain a collection of random prompts. It must become part of processes.

This requires organizational decisions. It is necessary to define which tools are approved, what data can be processed in them, which processes have priority, who is responsible for quality, how results are measured, what result reviews look like, how the company reacts to errors and how teams are trained. Without this, AI will depend on the individual skills of particular people rather than on the maturity of the entire organization.

The greatest value will come from AI implementations that are not detached from systems. AI connected to organized product data, documentation, order history, B2B rules, logistics statuses and service processes can truly increase efficiency. AI used only as an external text generator will be useful, but its impact on scaling the business will be limited.

Shopware and AI: features matter, but governance determines value

Shopware is already developing AI-based features that can support everyday e-commerce work. Official Shopware materials describe, among other things, AI Copilot, which includes content generation for Shopping Experiences, an export assistant, customer classification, an image keyword assistant, product review summaries, product property generation, review translations, product descriptions and contextual search. Shopware documentation also indicates that AI-based customer classification can generate labels based on customers’ order history and then use them, for example, as tags for marketing mailings.

This shows that AI in e-commerce is no longer an abstract add-on. It enters very specific areas: content, data export, customer classification, reviews, translations, product properties and search. Each of these areas can bring value. Each of them, however, requires careful consideration of usage rules.

If AI generates product descriptions, the company should know whether the content is consistent with technical data, brand tone and industry requirements. If AI summarizes reviews, it is necessary to monitor whether it excessively simplifies negative signals or creates a misleading image of the product. If AI classifies customers, it is necessary to understand what input data is used and whether the results are appropriate for use in campaigns. If AI helps with data export, it is necessary to know what information can be exported and who has access to it.

This is precisely where governance determines the difference between a useful feature and an operational risk. The same AI feature can increase efficiency if it is based on good data, controlled by a human and embedded in a process. It can also generate chaos if it operates without rules, on inconsistent data and without quality monitoring.

Shopware provides capabilities, but how they are used depends on implementation architecture. If the platform is connected with PIM, ERP, CRM and operational systems in a thoughtful way, AI can use better context and support real processes. If, however, data is scattered, integrations unstable and responsibility for information unclear, AI will be just another layer on top of existing chaos.

AI governance in B2B e-commerce

In B2B, AI governance is particularly important because the sales process is more complex than in classic B2C. A B2B platform handles not only products and the cart, but also customer organizational structures, user roles, individual prices, discounts, credit limits, approval processes, requests for quotation, repeat orders, documents, complaints, commercial terms and integrations with the customer’s systems.

If AI is to support such a model, it must operate in a very precise context. It cannot suggest the same discount to all customers. It cannot show products unavailable to a given group. It cannot ignore budget limits, contractual terms, user permissions or the order approval process. Nor can it generate communication that does not take into account the commercial relationship and cooperation history.

In B2B, automating decisions without understanding the process is particularly risky. AI can help a salesperson prepare an offer, indicate complementary products, summarize customer history, detect a drop in purchasing activity, suggest contact or organize data for a meeting. However, decisions about commercial terms, prices, priorities, availability or exceptions should remain under human control, especially where they affect margin and customer relationships.

AI governance in B2B should therefore cover not only data, but also roles and boundaries of responsibility. A salesperson, a sales manager, a platform administrator, the marketing department and an external technology partner should each have different permissions. If AI is to operate in a B2B environment, it should respect the same rules that apply in the sales process.

This is also why AI implementations in B2B should not be run solely as a tooling project. The starting point should be understanding how the company sells, where exceptions arise, which data is critical, which decisions have high business value and where automation can truly relieve the team without undermining control over the customer relationship.

AI governance in B2C and retail

In B2C, the risks are different, but equally important. Retail operates at a large scale of customer contact, with a large number of products, seasonality, promotions, reviews, recommendations, campaigns and post-sales communication. AI can very quickly increase the number of content pieces, campaign variants and automated interactions. It can also very quickly reduce quality if the company does not control data sources, communication tone and content consistency with reality.

In B2C, product descriptions, marketing promises, recommendations, personalization and customer service are particularly important. If AI generates an imprecise description of a cosmetic, electronic device, supplement, children’s product, sports equipment or technical device, the problem may concern not only conversion, but also responsibility for information. If AI responds to a customer inconsistently with the terms and conditions, it may increase the number of conflicts. If AI creates customer segments based on incomplete data, campaigns may become inaccurate or inadequate.

In retail, AI governance should be very close to the teams responsible for brand, product, customer service and data. AI cannot be treated only as a tool for increasing the number of content pieces. It is necessary to define which product categories require additional control, which messages must be approved, how translations are checked, how response quality is monitored and how the company reacts if AI generates an error.

B2C is also an area where AI can affect trust in the brand. The customer does not always know whether an answer, description or recommendation was created using AI. What matters to them is whether the information is correct, helpful and consistent with the brand experience. If automation lowers the quality of communication, the company may save time in the short term, but weaken the customer relationship in the long term.

That is why, in B2C, governance should combine efficiency with quality. AI can support scale, but it cannot replace responsibility for content, product and shopping experience.

How to measure the value of AI so it is not implemented only for the novelty effect

One of the most common problems of AI projects is an unclear definition of success. A company implements a tool because “everyone is using AI”, but does not define what exactly is supposed to improve. Is it about saving time? Shortening time-to-market? Better data quality? Fewer customer service inquiries? Higher conversion? Faster description creation? Better segmentation? Higher margin? Lower service costs? Greater predictability of team work?

If goals are not clear, after a few months it is difficult to assess whether AI actually works. The team may feel that it works faster, but the company does not know how much time it saves. Marketing may create more content, but it is unclear whether the content converts better. Customer service may automate responses, but it is unclear whether the number of repeat contacts and escalations decreases. Development may use AI, but it is unclear whether code quality, documentation or implementation predictability improves.

AI governance should therefore cover not only risks, but also value metrics. Every significant use case should have a business objective, a measurement method, a responsible owner and continuation criteria. Without this, the organization will implement AI as a trend, not as an element of operational development.

In e-commerce, good metrics may include: time required to prepare a product for publication, number of errors in descriptions, inquiry handling time, number of escalations, segmentation quality, time required to prepare data export, campaign effectiveness, impact on conversion, reduction of manual work, number of corrections after content generation, cost of handling a given process or implementation stability. The most important thing is that metrics are connected to the process, not only to the number of tools used.

Here we return to Gartner’s forecast about the cancellation of a large share of agentic AI projects because of costs, unclear business value and insufficient risk control mechanisms. This is not an argument against AI. It is an argument against implementing AI without a value and control model.

What practical AI governance in e-commerce should look like

Practical AI governance should be simple enough for the team to actually use it and specific enough to protect the company from chaos. In e-commerce, a document detached from everyday work will not work. Rules must be connected with real processes: product management, marketing, customer service, B2B sales, development, analytics and integrations.

The first element should be a list of AI use cases. The company should know where AI is already used, by whom, in what tools and with what data. Without this, it is impossible to manage risk because the organization does not know what is actually happening in teams.

The second element should be data classification. It is necessary to clearly define which data is public, internal, confidential, personal, commercial, technical and which should not be entered into external AI tools. Such classification is particularly important when the company works with customer data, B2B terms, margins, price lists, technical documentation, development roadmaps or ERP data.

The third element should be risk levels for use cases. Simple content support requires different rules than AI supporting pricing decisions, customer service or customer classification. Thanks to this, governance does not block the entire organization, but strengthens control where the risk is highest.

The fourth element should be human-in-the-loop rules. The company should determine which AI results require approval before publication, which can operate automatically, which should be monitored after implementation and who is responsible for the final decision.

The fifth element should be documentation and monitoring. If AI affects the sales process, product data, customer service or business decisions, the company should know how to assess quality, detect errors and respond to incidents. The NIST AI Risk Management Framework emphasizes the importance of AI risk management and creating processes that help organizations identify, measure and control risks related to AI systems.

The sixth element should be team training. AI governance cannot exist only in a document. Employees must know how to use AI safely, what not to enter into tools, when approval is needed, how to check results and where to report doubts.

The role of CREHLER: AI-first development without losing control

At CREHLER, we look at AI not as a fashionable add-on, but as an element of a change in the way e-commerce is designed, implemented and developed. AI can truly accelerate analysis, organization of requirements, documentation preparation, development, testing, debugging, optimization and planning of subsequent iterations. It can also support companies in process automation, data analysis, content work and handling more complex sales scenarios.

At the same time, we believe that AI-first development cannot mean AI without control. In e-commerce projects, data security, integration stability, code quality, implementation predictability, responsibility for technological decisions and alignment of the solution with the client’s business processes are particularly important. AI can accelerate work, but it should not replace architecture, team experience and conscious decision-making.

That is why, in CREHLER’s approach, AI should be embedded in the process. First, business goals, data, integrations, architecture and organizational limitations must be understood. Only then can it be decided where AI will bring the greatest value. Sometimes this will mean accelerating the work of the technology team. Sometimes organizing data. Sometimes automating repetitive tasks. Sometimes supporting marketing or e-commerce. Sometimes preparing the organization for more advanced AI scenarios.

In the context of Shopware, this means the possibility of combining a flexible platform with a mature approach to data and integrations. Shopware provides a foundation for developing B2B, B2C, headless, composable, cross-border and AI-enabled e-commerce, but the value of the implementation is determined by architecture. If the platform is well connected with PIM, ERP, WMS, CRM and the client’s processes, AI can operate on better context. If systems are chaotic, AI will only accelerate that chaos.

That is why the conversation about AI governance should be part of the conversation about e-commerce development. Not as a separate document, but as an element of decisions about data, integrations, processes, automation and scaling.

Companies that organize AI earlier will scale value faster

AI in e-commerce will not disappear. It will be increasingly present in platforms, marketing tools, customer service, analytics, search engines, personalization, B2B automation, development processes and sales channels. The question is therefore not whether companies will use AI. The question is whether they will do it consciously.

Organizations that stop at the level of individual prompts may achieve a short-term improvement in efficiency, but they will not build a lasting advantage. Organizations that connect AI with data, architecture, processes and governance will be able to scale the use of artificial intelligence without a sudden increase in risk.

This is particularly important in e-commerce, where data quality, speed of operation and control over the process have a direct impact on sales. AI can help prepare offers faster, serve customers better, analyze data more efficiently and develop the platform. It can also generate errors faster than a human if it operates on an unorganized foundation.

That is why 2026 should be for companies not only the year of testing more AI tools, but the year of building rules. Who can use AI? For what purpose? On what data? With what supervision? With what measurement of results? With what responsibility? In what architecture?

Companies that answer these questions earlier will be able to use AI more calmly, faster and more strategically. Not because they will have more prompts. Because they will have greater control over how AI works in their business.

At CREHLER, we help companies design and develop scalable e-commerce platforms based on Shopware, ready for AI development, automation, integrations and future market requirements. If you want to check how to safely and meaningfully introduce AI into your e-commerce, it is worth starting not with a tool, but with a conversation about data, processes and architecture.

CREHLER
20-05-2026