The EU AI Act is already in force, penalties are already active, and most enterprises cannot classify their own AI systems. The governance gap is no longer theoretical; it is a liability sitting on the balance sheet.

For the past three years, boards have been enthusiastically deploying AI across hiring, credit decisioning, customer service, operations, and strategy. Most have done so without building the governance architecture to manage it. Now the regulatory framework has arrived, and it has arrived with teeth.

Parts of the EU AI Act are already in force. Prohibitions on unacceptable AI practices came into effect in February 2025. Penalties for general-purpose AI model providers activated in August 2025. Full enforcement of the obligations on high-risk AI systems will now take effect in stages across August and December 2027. The window between now and then is not breathing room. It is the entire runway.

And yet the readiness gap is striking. An appliedAI study of 106 enterprise AI systems found that 40% could not clearly identify their own risk classification under the Act. The most basic step in the compliance process remains incomplete for a large proportion of enterprise deployments. A majority of C-suite leaders now identify regulatory non-compliance as their primary AI concern. The lagging factor is the operational response.

This is the crux of the issue. The AI investment is real. The competitive pressure to deploy is real. The regulatory obligation is now real. What has not kept pace is governance.

The Gap No One is Talking About

Most enterprise AI conversations still centre on capability and investment. The governance conversation has lagged, and the consequences are already being felt.

Data from the IO State of Information Security Report states that 79% of organisations have adopted AI or machine learning in the past 12 months, with a further 19% planning to do so. That makes AI deployment near-universal. What makes the governance gap that follows all the more acute is this: 37% of organisations report that employees are using generative AI without permission.

Additional research from IBM indicates that shadow AI-related incidents accounted for 20% of breaches over the past year, and 11% of breached organisations were unsure whether they had experienced a shadow AI incident. The implication for AI Act compliance is direct: where employees are deploying AI without organisational knowledge, the organisation may be operating high-risk AI systems it cannot classify, cannot monitor, and cannot evidence governance over. Under the Act, that is a deployer liability.

You cannot govern what you cannot see. And most organisations cannot yet see all their AI.

This problem does not lie in one part of the business. The EU AI Act creates simultaneous obligations across information security, data privacy, and AI governance. Any AI system that processes personal data falls under both the Act and the GDPR. Any system embedded in hiring, credit, or customer decisioning carries deployer obligations regardless of whether it was built in-house or procured from a vendor. Vendor contracts must now allocate AI compliance responsibilities. The AI governance supply chain is the organisation’s responsibility.

Most organisations have these functions in separate rooms, having separate conversations. That fragmentation is precisely the structural vulnerability the Act will expose.

The Regulation Reaches Further than Most Boards Currently Understand

The penalty structure is significant: fines of up to 35 million euros or 7% of global annual turnover for the most serious violations, a ceiling that exceeds even GDPR.

Personal liability for senior management is provided for in the Act. And its reach is extraterritorial. Any organisation whose AI systems affect users or markets in the EU is in scope, regardless of its headquarters. London, New York, Singapore: if your AI touches the EU, you carry the obligation. For UK businesses operating under the assumption that post-Brexit regulatory distance provides any shelter here, it does not.

The obligation follows the system, not the flag.

The timeline is a sequence, not a single future date. The prohibitions are already in force. The general-purpose AI penalties are already active. December 2027 is not a distant deadline. Building an integrated governance infrastructure across functions that currently operate independently, on different cycles, with different tooling, takes more time than most organisations running reactive compliance programmes have left.

Why the Checkbox Model Breaks Down

The traditional compliance response (producing a risk assessment document, assigning a policy owner, and scheduling an annual review) does not work. The Act’s requirements are technical and operational. AI systems must be continuously monitored, logged, and tested against current performance. Models drift. Training data becomes stale. Deployment contexts change. A governance model designed around periodic reviews cannot keep pace.

The IO data makes the scale of this clear. 54% of respondents say they adopted AI technology too quickly and are now facing challenges scaling it back or implementing it more responsibly. Only 21% cite establishing responsible AI usage policies as a priority for the coming year. The contrast is striking: near-universal deployment, minimal governance priority.

More fundamentally, no single function owns the full compliance surface that the Act examines. A legal team addressing only the privacy threat leaves security and AI risk exposed. A CISO addressing only security leaves classification and data governance uncovered. A product team addressing only AI risk has no visibility into the privacy or security posture of the systems it owns. Siloed responses to cross-functional regulations do not result in partial compliance. They produce the illusion of compliance, and that illusion is exactly what regulators are looking to test.

The Resilience Loop

The insight that separates organisations building genuine resilience from those managing isolated obligations is this: AI governance cannot be treated in isolation from information security and data privacy, because in practice these risks are inseparable.

The resilience loop (the continuous, unified management of information security, data privacy, and AI governance as a single integrated system) is the architectural response to that reality: one that generates a clear overview of risks and mitigations, adapts to new regulatory requirements, and delivers the kind of demonstrable, auditable resilience that regulators, investors, and enterprise customers increasingly demand.

The three domains the EU AI Act simultaneously activates are precisely the three domains the resilience loop unifies. An organisation already operating this way does not need to retrofit AI Act compliance onto existing programmes. The infrastructure is already in place, governing the full cross-functional surface that the regulation is examining.

Organisations that have not yet made this shift are not facing a documentation gap. They are facing an architectural one.

The Competitive Case

Regulated sectors (financial services, healthcare, and critical infrastructure) are accelerating AI governance requirements for vendors and partners. Enterprise procurement increasingly includes AI governance assessments. Institutional investors are beginning to treat AI oversight maturity as part of their risk evaluation.

The IO data points to what is already happening. Respondents report that the biggest increases in compliance ROI came from improved business decision-making, customer retention, and new sales opportunities, and those gains have strengthened considerably year on year. The pattern is consistent: organisations that move earliest on integrated governance pull away from those still managing compliance reactively, not because the governance itself is a competitive advantage, but because the infrastructure it builds enables faster, more confident deployment of the capabilities that are.

The AI Act is not the ceiling on what governance requires. It is the floor.

The Window is Shorter than Most Boards Currently Understand

December 2027 is the hard line for high-risk AI systems. Building the integrated governance infrastructure to meet that deadline is not a project that starts in Q3 2026. It starts now.

The organisations that act in this window will enter enforcement readiness from a position of strength. Those that wait will be retrofitting under pressure, against a deadline already visible on every regulator’s horizon.

The question every board should be asking is not whether to act. It is whether there is still time. And the answer, for now, is yes.
