The EU AI Act is now in force. Companies that deploy AI systems in Europe face obligations ranging from documentation requirements to mandatory conformity assessments — with penalties up to 7% of global revenue for non-compliance. But governance isn't just about avoiding fines. It's about building AI systems that work correctly, treat people fairly, and don't create liability.
This is a practical governance framework — not an academic paper. It's designed for CTOs who need to ship AI features while managing risk responsibly.
Why Governance Matters Now
Three forces are converging:
- Regulation. The EU AI Act, China's AI regulations, and emerging US state-level laws create a patchwork of compliance obligations. If you serve customers in the EU — and if you're reading this, you probably do — you're subject to the AI Act.
- Liability. When an AI system makes a decision that harms someone (denies a loan, misdiagnoses a condition, discriminates in hiring), the question "who is liable?" now has legal teeth. The company deploying the AI is liable, even if they didn't build the underlying model.
- Trust. Customers, employees, and partners are increasingly skeptical of AI. Companies that can demonstrate responsible AI practices have a competitive advantage in trust-sensitive markets (healthcare, finance, insurance, government).
The Four Pillars
Pillar 1: Transparency
Principle: People affected by AI decisions should understand that AI is involved and how it works.
In practice:
- Disclosure: Inform users when they're interacting with AI (chatbots, generated content, automated decisions)
- Explainability: Provide meaningful explanations for AI-driven decisions, especially when those decisions affect individuals (credit scoring, hiring, insurance pricing)
- Documentation: Maintain technical documentation of how models work, what data they use, and what their limitations are
Minimum implementation:
- AI interaction disclosure in UI (clear labeling)
- Model cards for each deployed model (purpose, training data, performance metrics, known limitations)
- Decision explanations for any AI that affects individuals (even if the explanation is simplified)
Pillar 2: Fairness
Principle: AI systems should not discriminate based on protected characteristics, and should produce equitable outcomes across demographic groups.
In practice:
- Bias testing: Before deployment, test model performance across demographic groups (gender, age, ethnicity, disability status)
- Disparate impact analysis: Measure whether outcomes differ significantly between groups, even if the model doesn't use protected characteristics directly (proxy discrimination)
- Ongoing monitoring: Bias can emerge over time as data distributions shift. Continuous monitoring is required, not just pre-deployment testing
Minimum implementation:
- Bias audit for any model that affects individuals (hiring, lending, insurance, content moderation)
- Documented fairness metrics with defined thresholds
- Quarterly bias monitoring reports
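A sketch of the disparate impact check described above, as an added example rather than part of the original framework. It assumes decisions are joined with group labels at audit time only (the model never sees them), and it uses the common four-fifths ratio of 0.8 and a minimum group size of 30 as illustrative thresholds; the sample data is constructed.

```python
from collections import defaultdict

# Assumption: 0.8 ("four-fifths") is a common screening threshold. The page only
# requires that thresholds be defined and documented, not this specific value.
DI_THRESHOLD = 0.8

def disparate_impact(decisions, threshold=DI_THRESHOLD, min_group_size=30):
    """decisions: iterable of (group, favourable: bool) pairs.

    Compares each group's favourable-outcome rate with the best-served group
    that has enough samples to be a meaningful reference.
    """
    counts = defaultdict(lambda: [0, 0])  # group -> [favourable, total]
    for group, favourable in decisions:
        counts[group][0] += int(favourable)
        counts[group][1] += 1
    rates = {g: fav / total for g, (fav, total) in counts.items()}
    # Small groups must not set the reference rate: 9 of 10 is mostly noise.
    eligible = [rates[g] for g in rates if counts[g][1] >= min_group_size]
    reference = max(eligible) if eligible else 0.0
    report = {}
    for group in sorted(rates):
        n, rate = counts[group][1], rates[group]
        ratio = rate / reference if reference > 0 else None
        if n < min_group_size or ratio is None:
            status = "insufficient_data"  # report it, but do not pass or fail
        elif ratio < threshold:
            status = "fail"
        else:
            status = "pass"
        report[group] = {
            "n": n,
            "rate": round(rate, 3),
            "ratio": None if ratio is None else round(ratio, 3),
            "status": status,
        }
    return report

# Constructed sample: loan approvals for three demographic groups.
SAMPLE = (
    [("A", True)] * 60 + [("A", False)] * 40
    + [("B", True)] * 36 + [("B", False)] * 44
    + [("C", True)] * 9 + [("C", False)] * 1
)

if __name__ == "__main__":
    for group, row in disparate_impact(SAMPLE).items():
        print(group, row)
```

Running the same function on each quarter's production decisions gives the monitoring report a comparable number over time, and the `insufficient_data` status keeps small groups visible instead of silently passing them.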
Pillar 3: Security
Principle: AI systems should be secure against adversarial attacks, data breaches, and misuse.
In practice:
- Model security: Protect against adversarial inputs, prompt injection, model extraction, and data poisoning
- Data security: Training data and inference data are protected with the same rigour as any sensitive data (encryption, access controls, retention policies)
- Access control: Model APIs have authentication, rate limiting, and usage monitoring
- Red teaming: Regularly test AI systems for vulnerabilities, including adversarial prompts and edge cases
Minimum implementation:
- Input validation and sanitisation for all AI endpoints
- Model API access controls and rate limiting
- Annual red teaming for high-risk AI systems
- Incident response plan that includes AI-specific scenarios
Pillar 4: Accountability
Principle: There is always a human accountable for the AI system's behaviour and outcomes.
In practice:
- Ownership: Every AI system has a named human owner who is accountable for its behaviour
- Audit trail: All AI decisions are logged with sufficient context for post-hoc review
- Override capability: Humans can override AI decisions, and there's a clear process for doing so
- Incident response: When AI systems cause harm, there's a defined process for investigation, remediation, and communication
Minimum implementation:
- AI system registry with human owners
- Decision logging for all consequential AI actions
- Human override process documented and tested
- AI incident response playbook
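One way to make the decision log usable for post-hoc review, as an added example that is not part of the original framework. It goes beyond the text by hash-chaining entries so later edits are detectable and by recording human overrides as new entries instead of rewriting the original decision; the field names, the `inputs_ref` pointer and the sample values are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # "prev" value for the first entry

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, *, ts, system_id, owner, model_version, inputs_ref,
                 outcome, explanation, actor="model", overrides=None):
    """Append a decision, or a human override of entry number `overrides`."""
    entry = {
        "seq": len(log), "ts": ts, "system_id": system_id, "owner": owner,
        "model_version": model_version,
        "inputs_ref": inputs_ref,  # pointer to stored inputs, not raw personal data
        "outcome": outcome, "explanation": explanation,
        "actor": actor, "overrides": overrides,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return the seq of the first inconsistent entry, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(e):
            return i
        # An override must point at an earlier entry and come from a human.
        if e["overrides"] is not None and not (
                0 <= e["overrides"] < i and e["actor"] != "model"):
            return i
        prev = e["hash"]
    return None

def effective_outcome(log, seq):
    """The latest override wins; the original decision stays in the log."""
    outcome = log[seq]["outcome"]
    for e in log[seq + 1:]:
        if e["overrides"] == seq:
            outcome = e["outcome"]
    return outcome

def build_sample_log():
    """Constructed sample: a model denial, then a reviewer override."""
    log = []
    common = dict(system_id="credit-scoring", owner="head-of-risk",
                  model_version="2.3.1", inputs_ref="case/1042")
    append_entry(log, ts="2025-01-10T09:00:00Z", outcome="deny",
                 explanation="debt-to-income above policy limit", **common)
    append_entry(log, ts="2025-01-11T14:30:00Z", outcome="approve",
                 explanation="income record was stale; re-verified",
                 actor="reviewer:j.doe", overrides=0, **common)
    return log
```

The chain detects in-place edits only. Detecting truncation or a full rewrite additionally requires storing the latest hash somewhere the log writer cannot modify.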
Risk Classification
The EU AI Act classifies AI systems by risk level. Even if you're not legally required to comply yet, this classification is a useful framework for prioritising governance investment.
Unacceptable Risk (Banned)
- Social scoring by governments
- Real-time biometric identification in public spaces (with limited exceptions)
- Manipulation of vulnerable groups
- Emotion recognition in workplaces and schools
High Risk (Heavy Regulation)
- Hiring and recruitment tools
- Credit scoring and insurance pricing
- Medical devices and clinical decision support
- Critical infrastructure management
- Law enforcement tools
Requirements: Conformity assessment, detailed technical documentation, risk management system, human oversight, accuracy and robustness testing.
Limited Risk (Transparency Obligations)
- Chatbots (must disclose AI interaction)
- Deepfake generation (must label as AI-generated)
- Emotion recognition systems (must inform subjects)
Minimal Risk (No Specific Obligations)
- Spam filters
- AI-powered search
- Content recommendations
- Most business automation
The AI Governance Organisation
Option 1: AI Ethics Board (for larger organisations)
A cross-functional board that reviews high-risk AI deployments, sets policy, and handles escalations.
Composition: CTO (or delegate), Legal, Compliance, a domain expert, an external advisor (optional but valuable for credibility).
Cadence: Monthly reviews of new AI deployments, quarterly policy updates, ad-hoc review for high-risk systems.
Option 2: AI Governance Champion (for smaller organisations)
A single person (often the CTO or a senior engineer) who owns AI governance as part of their role.
Responsibilities: Maintain the AI system registry, conduct bias audits, review new AI deployments against the governance framework, ensure documentation is current.
What Doesn't Work
- Governance by committee with no authority. If the governance body can't stop a deployment, it's a rubber stamp.
- One-time review. Governance is continuous, not a gate. Models in production need ongoing monitoring.
- Engineering-only governance. Without legal, compliance, and business input, the governance is technically sound but practically blind.
Practical Implementation Steps
Step 1: Inventory Your AI Systems (Week 1-2)
Create a registry of every AI system in production or development. For each system, document: purpose, data sources, decision scope, affected populations, risk level, human owner.
Step 2: Classify Risk (Week 2-3)
Apply the risk classification to each system. Focus governance investment on high-risk systems.
Step 3: Implement Minimum Viable Governance (Month 1-2)
For each high-risk system: create a model card, run a bias audit, implement decision logging, define a human override process, assign a human owner.
Step 4: Establish Process (Month 2-3)
Define the review process for new AI deployments. Create templates for documentation. Establish a monitoring cadence.
Step 5: Continuous Improvement (Ongoing)
Quarterly review of the governance framework effectiveness. Update policies as regulation evolves. Incorporate lessons from incidents.
AI governance is a competitive advantage disguised as a compliance obligation. The companies that build governance into their AI practice from the start will move faster, not slower — because they'll avoid the costly incidents and regulatory actions that slow everyone else down. If you need help building your AI governance framework, let's talk.