What the board should know about the AI Act before making decisions over the summer holidays 

The AI Act is no longer just an abstract regulation from Brussels, but a practical test of whether a company knows where and why it uses artificial intelligence. For boards of directors, this means that AI must be included not only in the innovation budget, but also in the budget for accountability, oversight, and risk management.

10 Min Read
sztuczna inteligencja ai

The AI Act is looking less and less like a distant legal issue and is increasingly becoming a test of an organisation’s maturity. For boards of directors, the most important question is no longer whether the company uses artificial intelligence, but whether it can identify where AI is actually being used, who is responsible for it, and how much it will cost to scale it up safely.

The European AI Act came into force on 1 August 2024, but its obligations are being phased in. It is precisely this phased approach that may prove most treacherous for companies. The AI Act does not appear within an organisation overnight as a single obligation to tick off a list. It permeates budgets, supplier contracts, procurement processes, security policies, technical documentation and decisions on which AI projects may be scaled up and which require suspension or redesign.

That is why the summer of 2026 is a pivotal moment for boards of directors. Some of the obligations under the AI Act are already a tangible benchmark for the market, whilst others have been or may be postponed as part of European efforts to streamline digital regulations; however, the direction of change remains clear: companies will have to prove that artificial intelligence is not a collection of ownerless experiments within their organisations, but a controlled part of their operational activities. According to reports from recent months, work and consultations are ongoing regarding the classification of high-risk systems and the timetable for the application of selected provisions, including those relating to high-risk systems. This does not relieve the pressure on companies. Rather, it shifts the focus from reactive compliance to preparing an AI governance framework.

The biggest mistake would be to treat the AI Act as a legal cost. In practice, it is a regulation that forces a review of the entire portfolio of AI projects. If a company uses generative tools in marketing, automates candidate selection, implements chatbots in customer service, analyses credit risk, supports HR decisions or integrates AI models with operational processes, a general ‘responsible AI’ policy is not enough. It is necessary to know where the system operates, what data it uses, for what purpose, who oversees it, who authorised its use, and what impact it may have on customers, employees or business partners.

This means that the AI budget for the second half of the year should not consist solely of licences, integrations and pilot schemes. It should also include funding for an inventory of AI applications, risk classification, documentation, monitoring, training, supplier audits and the redesign of decision-making processes. In many companies, this will be the less glamorous part of the transformation, but without it, scaling up AI will remain risky. This is particularly true where tools are implemented from the bottom up by business departments, without a central register and without clear approval rules.

The AI Act is also changing the way we think about technology roadmaps. Until now, many organisations have planned AI according to the following logic: a quick pilot, proof of value, then a decision to roll out. Now, an additional hurdle has emerged between the pilot and scaling: organisational readiness. A project that works well in a small team may not be ready for company-wide roll-out if it lacks defined input data, human oversight mechanisms, an error response procedure, rules for documenting model changes, and a clear business owner.

This problem will be particularly evident in the case of AI agents. A system that not only generates a response but also plans actions independently, uses tools, retrieves data from various sources and performs multi-step tasks is more difficult to control than a traditional application. The latest analyses of AI agents in the context of EU law indicate that the primary task of compliance is to carry out a comprehensive inventory of the agent’s activities, data flows, interconnected systems and the individuals who may be affected by its operations. Without this, the organisation does not even know the scope of the risks it is attempting to control.

From the board’s perspective, however, the most significant change lies elsewhere: AI is no longer the sole domain of IT. The CIO should continue to be responsible for architecture, security, integrations, monitoring and technical implementation standards. Compliance and the legal department must interpret obligations, support documentation and liaise with regulators. But it is the business that should be responsible for the purpose of using AI, its impact on processes and the consequences of decisions made with the system’s assistance. The board, meanwhile, must determine who within the organisation has the authority to approve new AI applications, who can accept the risks, and which projects are strategic enough to warrant additional funding for compliance.

In practice, the board should make five decisions before August. Firstly, whether the company will create a central register of AI applications, including tools used by teams at a grassroots level. Secondly, who owns each significant AI system: IT, business, compliance, or a specific sponsor on the board. Thirdly, which projects could potentially fall into the high-risk category or have a significant impact on people. Fourthly, how much of the AI budget will be allocated not to new features, but to documentation, data, monitoring and oversight. Fifthly, do contracts with suppliers give the company sufficient control over information regarding models, data, limitations and changes to the system?

This last point may prove to be one of the most underestimated costs of the AI Act. Many companies purchase AI solutions as off-the-shelf services, but operational responsibility does not disappear simply because the technology comes from an external supplier. If an organisation implements a system into a business process, it must understand its limitations and be able to demonstrate that it is using it for its intended purpose. Research into high-risk systems indicates that one of the key challenges will also be assessing when a modified AI system remains the same system, and when a change is significant enough to require re-evaluation. For boards of directors, this means having to fund not only the implementation but the entire life cycle of the system.

The most expensive part will be catching up on compliance after the fact. If a company first builds an extensive network of AI applications and only later begins to determine which data was used, who approved the model and what decisions were made with its support, the cost of sorting things out may exceed the cost of the implementation itself. The AI Act rewards organisations that treat compliance as part of the process architecture, rather than a document prepared at the end of a project. This is the difference between a controlled transformation and a superficial one.

This does not mean that the AI Act should halt investment in artificial intelligence. On the contrary, it can help distinguish strategic projects from experiments that should never progress beyond the pilot stage. Companies that establish a register of AI applications, a clear accountability model and a budget for oversight today will be able to scale up their solutions more quickly in the second half of the year. Those that treat regulation as a problem for lawyers may discover this autumn that their greatest constraint is not the technology, but a lack of control over their own roadmap.

The AI Act will not halt investment in artificial intelligence, but it will change the cost of being unprepared. For boards, therefore, the question is not whether it is worth investing in AI. It is whether the company is already in a position to do so safely, responsibly and in a way that can be justified to regulators, customers and the business itself.

Share This Article