The noise is enormous: ISO 42001, EU AI Act, GDPR, AESIA, fines of up to 35 million euros. Every week a new standard, framework, or acronym appears. But the question that matters — the one a board member signs off on — is simpler, and almost no one answers it in writing:
What exactly does the AI in my company do, what risks does it carry, and how is it kept under control?
If that answer does not exist in a document you can open, the standards are a dead letter. And if it depends on someone telling you, that is not governance: it is trust.
The problem is not regulatory. It is one of visibility.
Decision-makers do not need to become technical. But they do need to be able to see: which AI systems the company uses, what decisions each one makes, on what data, and who is accountable if something goes wrong. Without that, any conversation about compliance stays theoretical, and any audit becomes a surprise examination.
European regulation accepts this reading explicitly. Regulation (EU) 2024/1689 does not require a chief executive to know how to code; it requires the company to have documented — in writing, before putting the system into operation — what each AI does and why it fits in the relevant category [Source: Regulation (EU) 2024/1689, art. 17 and art. 6.4, EUR-Lex, https://eur-lex.europa.eu/eli/reg/2024/1689/oj].
The three standards, translated into three board-level questions
Three frameworks are cited together and conflated in the conversation: ISO/IEC 42001, the EU AI Act, and the GDPR. In reality, each answers a different management question. Seen that way, they stop being a tangle.
1 · ISO/IEC 42001 — "Am I managing my AI or just improvising?"
ISO/IEC 42001 is the international standard that defines what it means to manage AI as a system, not as an intention. It calls this an AIMS (AI Management System): a framework with an owner, processes, review, and records. It shares structure with ISO 9001 and ISO 27001, so it fits with what your organisation already has if it holds any of those certifications. Its Annex A groups 38 controls across 9 objectives covering the AI lifecycle; the company declares which apply and why, in a document called the SoA (Statement of Applicability) [Source: ISO/IEC 42001:2023; figures verified in GOB-SRC-ISO42001-001].
Translated: ISO 42001 is the answer to "is this being done properly or on the fly?" It does not promise that the AI will be correct; it promises that a system exists to govern and improve it.
2 · EU AI Act — "Does it apply to me, and what do I need to have in place?"
The Regulation classifies systems by risk: prohibited (forbidden uses), high-risk (sensitive permitted uses, with serious obligations), and those with transparency obligations (informing users that a response is AI-generated). For high-risk systems — where most companies face a compliance question — art. 17 requires a documented quality management system: data management, risk management, post-market monitoring, records, and a clear framework for who is accountable for what [Source: Regulation (EU) 2024/1689, art. 17, EUR-Lex].
If the AI uses or influences anything in Annex III (employment, credit, critical infrastructure, education), it is probably high-risk. There is an exit — but it must be documented in writing before the system is used. How to find that out without being a lawyer is covered in a separate guide.
For a reference on the cost of non-compliance: prohibited practices are sanctioned with up to 35 million euros or 7% of worldwide turnover (whichever is greater); other infringements by high-risk providers carry penalties of up to 15 million or 3%. For SMEs and start-ups, each fine is capped at the amount or the percentage, whichever is lower — a nuance worth keeping in mind when reading the large figures [Source: Regulation (EU) 2024/1689, art. 99, EUR-Lex].
3 · GDPR — "Do I know if my AI is harming people, and can I prove I govern it?"
The GDPR does not disappear because an AI Act exists. It applies to all processing of personal data, regardless of the system's risk level. What it asks of an organisation operating AI is very specific: a legal basis for using each piece of data (art. 6); a written DPIA before launching high-risk processing (art. 35); a specific contract with each provider that touches the data (art. 28); and, where the system decides alone about a person — a credit decision, an employment decision — that person's right to human intervention and to appeal (art. 22) [Source: Regulation (EU) 2016/679, EUR-Lex; synthesis in GOB-SRC-DSGVO-001].
In plain terms: the GDPR is the answer to "I will know if this is harming someone, and I will be able to prove I acted." Without a living record of what the AI decides and about whom, that answer does not hold.
Governance is not a formality. It is what makes AI operate.
This is the frame shift that matters. The usual conversation presents governance as a cost — documents, controls, audits — that the company pays to avoid a fine. That is only half the picture.
The other half: the very artefacts required for compliance are the ones that make AI actually operate in your business. The system inventory is what allows you to know what is being used and where. The record of purposes is what prevents a project from inheriting data it should not have. The map of who is accountable for what is what distinguishes "we have AI" from "we operate AI." Traceability is what turns a pilot into production.
That is why we say that the same foundation that makes your AI work is what lets you defend it before the regulator. They are not two separate projects.
What you must be able to point to, on a single page
If you want an operational test that governance exists in your company, you do not need an external audit. You need to be able to point to five artefacts, all in plain language:
- The inventory. The real list of AI systems the company uses, with the owner of each one.
- The documented purpose. For each system: what it decides, about whom, with what data, and under what legal basis.
- The risk classification. For each system, which category of the EU AI Act it falls into, and the written justification if it is deemed not high-risk.
- The living risk register. What can go wrong and what you do to prevent or detect it in time.
- The accountability map. Who is responsible for what — with names, not generic job titles.
If those five exist and are kept up to date, everything else — certification, audit, response to a regulatory request — is an exercise in demonstrating, not in improvising. If they do not exist, no policy, framework, or slogan replaces them.
Where to start
With the inventory. It sounds trivial, and that is precisely why almost no one has it in writing. Start with a single department — not the entire company — and commit to writing, within fifteen days, which systems exist, what they are used for, and which fall into a category under Annex III.
In our method, that inventory is the first thing committed to writing. Not to reassure you: so that you, and not a third party, know where you stand.
And if you first want to understand why we talk about "operable by AI" as a precondition for all of this, we define that term, without jargon, in a separate piece.