EU AI Act Rules Are Rolling Out. The Need for AI Governance Isn't Going Anywhere.

From my perspective as Chief Technology Officer, these concerns represent the operational reality many enterprises face as regulations evolve, technology shifts, and transformation continues without a break. The EU AI Act is the latest catalyst. And while the European Commission has extended timelines for high-risk AI obligations to December 2027, the underlying challenge isn't new and it reinforces a simple point: Governance should be part of daily operations. It’s how you manage AI at scale and maintain control as requirements change.

As implementation continues—with guidance, codes of practice, and oversight bodies still being developed—that operational foundation remains essential. Enterprises need visibility and coordinated governance to manage AI responsibly and maintain confidence in their digital landscape.

Seeing the AI Act as a hurdle misses a bigger opportunity. Regulation will continue to evolve, but the steps organizations take now to strengthen that visibility and structure can build resilience and create the conditions to move faster, with fewer disruptions, and compete with greater confidence.

What the EU AI Act Requires in Practice

The Act sets clear expectations. Meeting them is another matter.

Its obligations span technical, operational, and governance domains — from how AI is developed and deployed to how it’s monitored, explained, and maintained.

Risk-Based Classification

The Act organizes AI systems into four risk tiers, each with specific obligations:

• Unacceptable-risk systems are banned. These include AI used for cognitive manipulation, government-run social scoring, or certain biometric surveillance in public.
   
• High-risk systems face strict controls. These include AI embedded in regulated products (like medical devices or aviation systems) and AI used for employment decisions, credit scoring, law enforcement, border control, judicial processes, and access to essential services.
   
• Limited-risk systems must meet transparency rules. For example, users must be informed when they interact with AI (like a chatbot) or view AI-generated content.
   
• Minimal-risk systems — such as spam filters or AI in games — are largely unaffected.

For high-risk AI, organizations must:

• Implement risk management across the AI lifecycle.
• Apply strict data governance to ensure datasets are relevant and representative.
• Maintain technical documentation for inspection.
• Design clear human oversight into system use.
• Ensure accuracy, robustness, and security.

How the EU AI Act Treats General-Purpose AI and GPAI Models with Systemic Risk

The Act introduces distinct obligations for general-purpose AI (GPAI) models and for GPAI models with systemic risk – typically the largest models trained with very high computing power. Providers of GPAI models must:

• Maintain documentation of the model’s training and testing.
• Provide clear technical documentation for downstream users.
• Respect EU copyright laws.
• Publish summaries of the content used for training.

Providers of GPAI models with systemic risk are subject to additional steps, including model evaluations with adversarial testing, systemic risk assessments and mitigation measures, and enhanced incident and cybersecurity controls.

Don’t Forget the Deployers

Beyond the developers and vendors, the Act also applies to organizations thatuseAI professionally in the EU. In some cases — for example, if they substantially modify a system or use it beyond its intended purpose — they take on provider-style obligations, including a new conformity assessment.

From Requirements to Operations

This mix of classification, documentation, risk management, oversight, and data governance reshapes how AI is built, bought, and used.

To meet these requirements, enterprises need shared visibility across AI systems, consistent classification processes, coordinated ownership, and documented oversight. Without this infrastructure, governance becomes fragmented, and compliance becomes reactive.

From my own experience working with enterprise teams, these gaps often aren’t due to lack of intent, but rather to a lack of connection across functions. That’s where enterprise transformation capabilities make the difference. They enable organizations to manage AI in a coordinated, transparent, and scalable way ––making governance part of how things work, not an extra layer added later.

Where Governance Efforts Stall

In my work with enterprise teams, I often see the same friction points. It’s rarely due to a lack of effort — the challenge lies in fragmented visibility and overlapping responsibilities. AI capabilities are deployed across different tools, vendors, and departments without a connected view. And without that shared visibility, governance work becomes reactive and disjointed.

Some common patterns:

• Incomplete inventories. AI features are embedded in a range of systems — résumé screening tools, credit decision engines, predictive models. If they’re not tracked properly, high-risk systems may go unclassified.
   
• Disconnected context. AI draws from multiple data sources, supports varied business capabilities, and may be subject to overlapping regulations such as GDPR, DORA, and sector-specific rules. Legal, IT, and risk teams may each manage a piece, but without clear handoffs or shared insight, the compliance picture stays partial.
   
• Unclear roles. Many organizations both develop and deploy AI, sometimes within the same team. Without a clear understanding on whether they're acting as a provider, deployer, or both, accountability breaks down and obligations go unmet.
   
• Shadow AI and ad hoc implementation. AI tools are sometimes adopted outside procurement or governance workflows. This “shadow AI” can be effective in the short term, but if systems aren’t documented or reviewed, they become harder to oversee — especially when the environment changes.

In these situations, governance turns into a reactive exercise and reflects a coordination problem more than a tooling one. Visibility is what enables that coordination, and without it, even well-intended efforts stay disconnected. Over time, that shows up in practical ways: some systems don’t get the oversight they need, vendor changes trigger avoidable rework, and teams spend more time catching up — documenting systems and adjusting controls later than they should.

Coordination That Scales

The patterns above share a root cause: AI systems interact with many parts of the enterprise: business processes, technical architecture, regulated data, third-party services. That complexity demands a coordinated approach to AI governance.

One system might inform credit decisions, rely on real-time data, run on shared infrastructure, and require oversight from risk management and compliance. Managing that in isolation doesn’t hold. Nor do static inventories. Spreadsheets drift out of sync with reality. Local documentation misses upstream or downstream dependencies. 

Sustainable governance depends on structure. That means having a live model that connects AI systems to the capabilities they support, the processes they drive, the data they use, and the obligations they trigger, creating clearer accountability and enabling faster, better decision-making about where and how AI is used.

To make this work, teams need a shared understanding of:

• Where AI is deployed
• What it supports
• Who’s responsible
• Which obligations apply
• How decisions around it are made

This is the space where enterprise transformation capabilities deliver the most value. They provide the structure needed to connect business and IT, have shared visibility of the IT/digital landscape, map risk to operations, and execute transformation with full context.

One pressure point where this becomes especially clear is vendor reclassification. If a third-party system is classed as high-risk or withdrawn from the market, organizations need immediate answers: what uses it, what data it touches, what alternatives exist, and how fast they can switch. Without a connected view, teams spend a lot of time chasing this information. With visibility, they can see the impact at a glance and make changes with much less disruption.

Building the Foundation for Structured AI Governance

Achieving the level of visibility that lets you respond to AI Act obligations or vendor reclassifications in minutes rather than weeks requires capabilities that can manage AI activity across architecture, data, compliance, and strategy — in real time, and at scale.

The right capabilities bring the structure needed to align governance with transformation, trace risk to operations, and keep decisions grounded in business context.

In practice, that means:

• Create and maintain an AI system inventory
  Enterprise Architecture Management and Business Architecture Management model business capabilities, processes, applications, and technologies together — creating a living inventory of AI systems mapped to risk tiers and business context. Application Portfolio Management adds vendor visibility, critical when third-party tools are reclassified.
   
• Standardize oversight and decision logic
  Governance, Risk & Compliance capabilities link risks and controls to business and IT context. Business Process Management standardizes AI risk assessment workflows, human oversight procedures, and incident handling — ensuring governance is built into operations, not bolted on.
   
• Establish data lineage and quality controls
  Data Management capabilities trace lineage from source systems to AI models, document data quality controls, and demonstrate compliance with the Act's requirements for training data relevance, representativeness, and quality — making it easier to explain, defend, and refine how AI decisions are made.
   
• Connect regulatory timelines to transformation planning
  Strategic Portfolio Management aligns AI investments with business goals and regulatory timelines. Application and Technology Portfolio Management prioritize which systems to remediate, retire, or modernize — balancing compliance with innovation.

Governance as a Competitive Advantage

The EU AI Act reinforces what many enterprise leaders already recognize: Effective AI governance is a continuous, operational discipline. It supports compliance, yes — but more importantly, it supports clarity, resilience, and informed decision-making at scale.

In my view, the EU AI Act can serve as a practical design brief for how AI should be managed: with traceability, shared accountability, and the ability to respond to change without losing momentum. Used this way, regulatory pressure becomes a prompt to strengthen how organizations plan, adapt, and govern.

Bizzdesign’s Enterprise Transformation Suite supports the structured, scalable governance organizations need to stay compliant, stay adaptable, and keep transformation flowing.