The AI Governance Gap: What Every CxO Needs to Know Before the Regulator Does

The Gap That Is Becoming Visible

Enterprise AI deployment has accelerated faster than governance frameworks. This is not a technology failure or a management failure. It is a predictable consequence of the pace at which AI capability has become accessible: tools that were experimental in 2022 are production-grade in 2025, and organisations that moved quickly to capture AI productivity gains did so in advance of the regulatory clarity and governance maturity that responsible deployment at scale requires.

The gap between deployment pace and governance maturity is becoming visible in the same way that other technology governance gaps have become visible before it: through regulatory engagement that reveals what organisations do not have, through AI system failures that surface in places where oversight was absent, and through the audit scrutiny that follows these events. The CxOs who are aware of the gap and are actively closing it are in a different position from those who are not, regardless of whether an enforcement action has occurred yet.

The governance gap is not uniformly distributed. It is concentrated in four specific areas that together constitute the AI systems that carry the highest business, regulatory, and reputational risk. Understanding which of these four areas applies to your organisation’s AI portfolio is the starting point for an honest governance assessment.

The Four Areas Where the Gap Is Concentrated

Automated decision systems that affect individual rights or access to services are the highest-risk category under the EU AI Act’s high-risk classification and the most likely to attract regulatory scrutiny first. Credit scoring systems that inform lending decisions. HR screening systems that filter candidates. Customer service systems that determine access to benefits or services. These systems have been deployed at scale in many European organisations and were in some cases implemented before the AI Act’s requirements were clear enough to build against.

The governance requirements for these systems are now clear: risk assessment documentation, conformity assessment for systems in the high-risk categories, transparency to individuals subject to AI-assisted decisions, and human oversight mechanisms that are genuine rather than nominal. The human oversight mechanism is the most commonly absent or inadequate: many systems nominally include a human review step that in practice is never used because the AI output is accepted as the decision without independent review.

AI content generation systems used for customer communications, marketing, or regulatory documentation carry a different governance risk profile. The regulatory concern is accuracy and the potential for AI-generated content to be incorrect, misleading, or non-compliant with sector-specific communication requirements. The governance framework for these systems should include output quality validation, provenance tracking that identifies AI-generated content for enhanced review, and audit trails that provide accountability for AI-generated communications.

AI-assisted code generation that is deployed in production systems without adequate security review is the governance gap that is producing the security posture degradation described in multiple cybersecurity contexts. The code that the AI generates is the organisation’s code, and the responsibility for its security is the organisation’s responsibility. Governance frameworks that treat AI-generated code as a distinct category requiring enhanced security review are addressing a real risk. Those that do not are accumulating security debt.

Internal knowledge management AI systems that access and synthesise sensitive business information are the least regulated but often the most governance-immature. An AI system with access to financial data, personal data, and proprietary business information that provides this information to employees in response to natural language queries is an access control and data governance problem that most AI deployments have not fully addressed. The governance framework for these systems should include data access controls that reflect the same principles as other system access controls, not the open access model that AI knowledge systems default to.

The Regulatory Requirements That Now Apply

The EU AI Act’s obligations for high-risk AI systems are in force. The Act’s prohibited practices provisions are enforceable. NIS2’s ICT risk management requirements apply to AI systems as ICT systems. DORA’s operational resilience requirements apply to AI systems in financial services. GDPR’s requirements for automated decision-making continue to apply where AI systems make or significantly influence decisions about individuals.

The overlap between these regulatory instruments on any single AI deployment creates a complex compliance picture. An AI system used for credit risk assessment in a bank covered by DORA is potentially in scope for the AI Act’s high-risk requirements, DORA’s ICT risk management obligations, GDPR’s automated decision provisions, and sector-specific financial regulation. Managing this compliance picture requires a governance framework that addresses all applicable instruments rather than the most prominent one.

The organisations that have built a unified AI governance framework that addresses this regulatory overlay are better positioned than those managing each regulatory instrument separately. The unified framework is not necessarily more complex; it is structured to avoid duplication and contradiction across the instruments.

The Governance Structure the Frameworks Require

The AI governance structure that meets the combined requirements of the AI Act, NIS2, DORA, and GDPR has four organisational components.

An AI inventory that is comprehensive, maintained, and regularly reviewed. Without an inventory, governance is applied to the AI systems the organisation knows about and misses the ones it does not. The inventory should include AI capabilities embedded in third-party applications, not just the AI systems the organisation built or procured as standalone systems.

An AI risk classification process that assesses each system in the inventory against the applicable regulatory risk frameworks and assigns governance requirements proportionate to the risk classification. Not every AI system requires the full suite of high-risk controls; the classification process ensures that controls are applied where they are needed and not applied where they create governance overhead without corresponding risk reduction.

AI system accountability assignment that names specific individuals responsible for the governance of each significant AI system: the system owner who is accountable for the system’s behaviour and its governance compliance, and the management body member who has oversight responsibility under the AI Act’s article 28 requirements. The accountability must be genuine rather than nominal: the accountable individual must have the authority and the information required to exercise their accountability.

An AI incident and anomaly monitoring process that can detect when AI systems behave in unexpected ways that require governance escalation. AI systems can fail in ways that are difficult to detect without specific monitoring: output drift, biased outputs in distribution subgroups, accuracy degradation over time as the deployment context diverges from the training context. The monitoring process that catches these failures before they cause material harm is the operational expression of the governance framework.
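As an added illustration of the monitoring process described above, not code from the original article: a check that runs over a log of automated decisions, computes accuracy and approval rate per subgroup per time window, and raises governance flags for subgroup disparity, accuracy degradation against the first window, and output drift. The decision log and the thresholds are constructed placeholders a governance framework would set for real.

```python
"""Governance escalation flags from a decision log (constructed example).

Log rows are (week, subgroup, model_decision, true_outcome). The first week
is treated as the baseline the deployment was validated against.
"""
from collections import defaultdict

# Constructed sample log: subgroup B's accuracy collapses from week 2 onwards
DECISION_LOG = [
    (1, "A", 1, 1), (1, "A", 0, 0), (1, "A", 1, 1), (1, "A", 0, 0),
    (1, "B", 1, 1), (1, "B", 0, 0), (1, "B", 1, 1), (1, "B", 0, 0),
    (2, "A", 1, 1), (2, "A", 0, 0), (2, "A", 1, 1), (2, "A", 1, 1),
    (2, "B", 1, 0), (2, "B", 0, 0), (2, "B", 1, 0), (2, "B", 0, 0),
    (3, "A", 1, 1), (3, "A", 0, 0), (3, "A", 1, 1), (3, "A", 0, 0),
    (3, "B", 1, 0), (3, "B", 0, 1), (3, "B", 1, 0), (3, "B", 0, 0),
]
SUBGROUP_GAP_MAX = 0.20    # placeholder: max accuracy gap between subgroups
DEGRADATION_MAX = 0.15     # placeholder: max accuracy drop versus baseline week
APPROVAL_SHIFT_MAX = 0.20  # placeholder: max approval-rate shift versus baseline


def stats_by_window(log):
    """Return {week: {subgroup: (accuracy, approval_rate)}}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0, 0]))  # correct, approved, total
    for week, group, pred, actual in log:
        c = counts[week][group]
        c[0] += int(pred == actual)
        c[1] += pred
        c[2] += 1
    return {w: {g: (c[0] / c[2], c[1] / c[2]) for g, c in groups.items()}
            for w, groups in counts.items()}


def governance_flags(log):
    """List (week, reason) escalations: subgroup gap, degradation, output drift."""
    stats = stats_by_window(log)
    weeks = sorted(stats)
    baseline = stats[weeks[0]]
    flags = []
    for week in weeks:
        accs = [acc for acc, _ in stats[week].values()]
        if max(accs) - min(accs) > SUBGROUP_GAP_MAX:
            flags.append((week, "subgroup_gap"))
        for group, (acc, approval) in stats[week].items():
            base_acc, base_approval = baseline[group]
            if base_acc - acc > DEGRADATION_MAX:
                flags.append((week, f"degradation:{group}"))
            if abs(approval - base_approval) > APPROVAL_SHIFT_MAX:
                flags.append((week, f"output_drift:{group}"))
    return flags
```

Each flag is the trigger for the escalation the framework defines; the check itself is deliberately simple so that it can be run on every batch of decisions rather than only at audit time.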

The CxO Accountability That Cannot Be Delegated

The management body obligations in the EU AI Act and the personal accountability provisions in DORA both establish that CxO and board-level accountability for AI governance is not delegable to the technology function. The CISO can own the security governance of AI systems. The CTO can own the technical governance. The board member with AI oversight responsibility under article 28 of the AI Act must own the oversight function and must have the information, training, and engagement to exercise it genuinely.

The board that has delegated AI governance to the CTO and CISO and is receiving quarterly update slides has not met the management body engagement requirement. The board that has approved an AI governance framework, receives regular performance data against that framework, and is exercising the oversight function as defined in the framework has met it.

The difference between these two positions is visible to an auditor in the board minutes within minutes. It will be visible to a supervisor at the same speed.