AI Governance

Global AI regulation will not stay fragmented. This paper forecasts its coalescence around three regulatory blocs on staggered timelines, and the bipolar interregnum that precedes the full structure.

Ungoverned AI is now a top-tier institutional risk. This paper sizes the exposure across thirteen categories and shows where governance investment produces the largest reduction in expected loss.

A single AI system rarely sits under a single rulebook. This paper sets out TRACE, a five-phase methodology for governing AI across overlapping frameworks, and a maturity model for locating where an organisation stands.

Agentic AI reshapes work, not just tools. This paper offers a governance and workforce framework: principles, board fluency, role and career architecture, and a maturity pathway.

Recruitment and workforce-management AI falls within Annex III. This paper maps what is in scope, how the Act meets GDPR and equal-treatment law, and the data-governance duties that follow.

Credit and insurance AI sits squarely in Annex III. This paper maps what falls in scope, how the Act meets EBA and EIOPA guidance, and how to manage a large model portfolio.

Article 10 and the GDPR pull in opposite directions on training data. This paper maps the conflicts, including representativeness versus minimisation, and offers a practical framework.

The AI Act is enforced through layered oversight: national authorities, the AI Office, and the AI Board. This paper maps how supervision will work and what draws regulatory attention.

High-risk AI must be registered in the EU database. This paper covers who registers, what Annex VIII requires, the deadlines, and how to keep an entry accurate over time.

A practical approach to establishing AI governance structures that satisfy regulatory requirements while enabling innovation.

Which high-risk AI can be self-assessed, and which needs a notified body? This paper maps the pathways category by category, with the declaration of conformity and post-market duties.

Article 72 requires a post-market monitoring plan for high-risk AI. Done well, it reuses the infrastructure you already run rather than spawning a second compliance programme.

Annex IV is not a one-off deliverable. It is a living technical file across fourteen elements, and the standard notified bodies expect is higher than the text suggests.

Article 14 requires effective human oversight of high-risk AI. The hard part is designing oversight that is genuine rather than nominal, without making the system useless.

Article 4 has been enforceable since February 2025. Sufficient AI literacy is contextual, not universal, and a tiered, role-based programme is the only model that holds up.

Article 5's eight prohibitions have been in force since February 2025, as absolute bans. This paper maps where the boundaries sit, including the hardest provisions to read.

Classification is the first legal obligation under the Act, and every later decision flows from it. This decision-maker's guide maps the four tiers and the judgement calls that decide them.

Classification is the first legal obligation and the costliest to get wrong. This guide maps the four tiers, the Article 6(3) exception, and the modern edge cases that break old frameworks.

A whole-regime view of the EU AI Act for boards and compliance leaders: risk classification, the eight high-risk pillars, GPAI duties, enforcement, and a five-action roadmap.