Your AI isn’t the risk, your lack of oversight is.

Article

By: Alex Hunt

Without structured controls, AI risks accumulate quietly. Shadow AI deployments, unmonitored model drift, and gaps between what AI is registered and what’s actually in use are more common that most realise in practice. Alex Hunt outlines how to build strong AI governance, oversight and monitoring.
Contents

AI is being deployed faster than organisation’s can govern. As AI becomes embedded in core operations such as decision-making, automation and customer engagement, the need for model validation, lifecycle management, bias detection, and performance monitoring grows with it. Alongside this, regulations and obligations are to be complied with, in an ever-changing landscape with ever-increasing pressures.

Upcoming key dates:

August 2026 December 2027 August 2028
EU AI Act transparency obligations (Article 50) apply from this date
Deadline for stand-alone high-risk AI systems (Annex III)
Deadline for high-risk AI embedded in regulated products (Annex I)

The direction of travel is clear: regulation is tightening — and converging globally.

For organisations with significant European operations, the EU AI Act's enforcement timetable has been materially updated by the Digital Omnibus on AI, for which EU institutions reached provisional political agreement on 7 May 2026. Most transparency obligations under Article 50 remain active from August 2026.

Requirements for stand-alone high-risk AI systems (Annex III — covering recruitment, credit scoring, law enforcement, education and border control) have been deferred to 2 December 2027,

High-risk AI embedded in regulated products such as medical devices and machinery (Annex I) is pushed to 2 August 2028. The Omnibus is not yet formally enacted: if not adopted before 2 August 2026, the original deadlines apply. Organisations should therefore continue preparing against the original timeline. And the Act has extraterritorial scope — any organisation whose AI systems affect EU users must comply.

Non-compliance carries fines of up to 7% of global annual turnover

The convergent global standard:

  • EU AI Act (Regulation 2024/1689): the world's first comprehensive binding AI law — risk classification, conformity assessment, technical documentation and human oversight requirements
  • NIST AI Risk Management Framework: the de facto US and international governance standard, structuring AI risk across Govern, Map, Measure and Manage functions
  • ISO/IEC 42001: a certifiable AI management system standard, increasingly expected in enterprise procurement and by regulators as evidence of governance maturity
  • Emerging jurisdictions: South Korea (Framework Act on AI, January 2026) and Vietnam (Law 134/2025, March 2026) are adopting EU-model frameworks — signalling global convergence

Keeping up with compliance without slowing innovation

While compliance is key. The central governance tension is ensuring a framework covers all regulatory bases globally without becoming a brake on innovation. The EU AI Act's risk-based approach is instructive: low-risk systems face minimal obligations. A well-designed framework creates clear lanes for innovators and is modular enough to adapt as regulations evolve without requiring full redesign.

In practice, strong AI governance isn’t about control for control’s sake — it’s about visibility, accountability, and the ability to act quickly when something changes. In practice, effective oversight programmes have a few non-negotiables:

  • A centralised AI inventory — track every system across all business functions, with completeness attestation
  • Continuous model performance monitoring: flag bias, drift, and degradation in real time
  • Immutable audit logs recording what each model did, when, on whose authority, and under which policy
  • Aggregated risk dashboards converting individual model assessments into a portfolio-level view
  • Automated escalation workflows for anomalies, policy breaches, or significant performance changes
  • AI risk integrated into existing GRC frameworks rather than managed as a separate workstream

If you would like to discuss any of the above areas or your AI governance, please get in contact with Alex Hunt.