EU AI Act compliance: Practical steps for good governance

If not before, introducing the EU Artificial Intelligence Act truly forces technical and non-technical employees to cooperate for successful implementation.

Cross-functional collaboration is essential to comply with the EU AI Act

The EU AI Act aims to regulate artificial intelligence in a way that safeguards fundamental rights while promoting innovation and trust. The regulation is complex, and risks span legal, ethical, technical, and operational domains. Implementation and operationalization, therefore, require collaboration across different organizational functions to be managed effectively. 

It is crucial that organizations develop governance structures that ensure technical expertise and non-technical insight work together throughout the whole AI lifecycle to ensure appropriate risk and compliance measures are taken. Without this cooperation, even the most well-intentioned compliance strategies for AI will be challenging to implement. 

Cross-functional cooperation ensures that:

• Risk assessment combines technical and compliance risk, ensuring a unified framework
• Developers are equipped to recognize and address the broader implications of their work
• Compliance is not an afterthought; it is integrated from the start.

Clear roles and responsibilities

As part of a robust governance framework, organizations must define who is accountable for what—from data acquisition to model monitoring. This includes technical leads, compliance officers, and risk managers working together across the AI lifecycle. 

The requirements are extensive and must be fully traceable, especially for high-risk systems: What data was used, how the model was trained, and what decisions were made? Good governance involves systematically recording and making these elements accessible. It also incorporates mechanisms for monitoring AI systems after deployment and addressing any issues that arise.

Practical steps toward good AI governance

Here’s how organizations can begin to prepare:

1. Define roles and responsibilities

Assign the overall responsibility for AI in the organization and create a cross-functional AI advisory board. Include representatives with perspectives on software development, legal, compliance, product development, ethics, etc., to ensure risk evaluations are an integral part of developing and/or using AI.

2. Map all development and use of AI across the organization 

Document where and how AI is being used across the organization and classify systems according to the AI Act’s definitions. The record needs to cover all uses of AI systems, also the ones implemented before the AI Act entered into force. Documentation needs to be kept updated if the use case changes.
All classifications need to be recorded, covering description, risk assessment, and reasoning. This helps demonstrate compliance if challenged. 

3. Develop internal policies aligned with the AI Act

Develop an AI strategy and policies to ensure responsible use, and to manage the risks that may arise in connection with the development and use of AI.

The policies should as a minimum, cover requirements regarding data quality, documentation, transparency, and human oversight.

4. Train your employees

Even though a great deal of responsibility for AI systems is placed on the supplier and developer of AI, there are also responsibilities as a user. Therefore, it is important to take measures to ensure all employees have sufficient AI literacy, tailored to their roles, technical knowledge, and the context of use. Everyone needs a shared vocabulary to collaborate effectively. Train everyone in the organization to make sure everyone understands how the system is intended to be used in the organization with its opportunities, risks, and limitations. 

The EU AI Act sets the regulatory foundation for trustworthy AI. But regulation alone won’t create safe, ethical, or transparent systems. That requires a culture of governance—where compliance, ethics, risk, and innovation are integrated, not siloed.