AI Governance for the EU AI Act

The EU AI Act does not prescribe a single governance platform or methodology. But the obligations it creates - inventory your AI systems, classify their risk, document controls, assign oversight, train staff, and monitor in production - together define what a compliant AI governance framework needs to do. This guide maps those obligations to the governance pillars that satisfy them.

In short

AI governance for the AI Act means: catalogue every AI system you use or provide, classify its risk tier, document controls per the applicable obligations, assign trained human overseers, and monitor performance post-deployment. AI literacy (Art. 4) applies to all organisations in scope, and has been in force since 2 February 2025. See AI Act Art. 17 (quality management).

Why it matters

Why governance comes before compliance

Most organisations discover they are deployers - not providers - of AI systems. They buy AI from vendors, embed it in workflows, and are only dimly aware of which systems are high-risk, which obligations apply to them, and what documentation they hold. The first governance task is therefore to know what you have before you can act on it.

A governance framework is also the evidence you show a regulator. The AI Act shifts obligations to deployers substantially: Article 26 requires deployers to assign oversight, keep logs, monitor operation, and notify providers and authorities if risks emerge. Without documented governance, you have no paper trail.

Already in force

AI literacy (Article 4) has been binding since 2 February 2025 for all organisations in scope - including non-EU entities whose AI outputs are used in the EU. If you have not yet documented an AI literacy programme for staff who operate or use AI systems on your behalf, that is the first gap to close. See Art. 4 (AI literacy).

The six pillars

What an AI governance framework needs to cover

A register of every AI system your organisation develops or uses - what it does, who owns it, where it runs, and what data it touches. The inventory is the foundation of everything else: you cannot classify risk, assign obligations, or demonstrate oversight of systems you have not catalogued.

Mapping each inventoried AI system to the Act's risk tiers - prohibited, high-risk (Annex I / Annex III), limited/transparency risk, or minimal risk. Classification determines which obligations apply and by when. A system can also be reclassified when its purpose changes.

Documentation and record-keeping

Art. 11-12 (providers), Art. 26(6) (deployers)

Technical documentation (Annex IV for high-risk providers), instructions for use, conformity declarations, and the automatic logs that high-risk systems must generate. Deployers must also keep logs for at least 6 months unless other law requires longer.

Designing, assigning and training the natural persons who oversee AI system operation. Providers must build systems so they can be monitored and intervened in; deployers must assign competent, authorised individuals who understand the system's limitations.

AI literacy training

Art. 4 (in force 2 Feb 2025)

Article 4 requires providers and deployers to ensure staff and operators have a sufficient level of AI literacy - including technical knowledge, experience, and awareness of context. In force since 2 February 2025. No prescribed curriculum; document your tailored programme.

Ongoing collection and review of real-world performance data. High-risk providers must run a post-market monitoring system and report serious incidents; deployers must monitor operation, suspend use when risks arise, and inform the provider or authority. Fundamental Rights Impact Assessments (FRIA) are required for certain deployers.

Standards

How ISO/IEC 42001 fits in

ISO/IEC 42001 is the international certifiable AI Management System standard (Plan-Do-Check-Act). It provides a governance framework that covers risk management, data governance, transparency, human oversight, and continuous improvement - all of which map closely to AI Act obligations.

The important caveat is that ISO 42001 is an international standard, not a harmonised European standard. It therefore does not provide an automatic legal presumption of conformity with the AI Act under Article 40. That presumption comes from harmonised standards being developed by CEN-CENELEC (JTC 21), with the draft prEN 18286 mapping closely to ISO 42001 controls. See Art. 40 (presumption of conformity).

In practice: ISO 42001 certification is strong evidence of governance maturity and a significant head-start toward harmonised standard compliance. It is not a substitute for the AI Act's specific obligations (conformity assessment, CE marking, registration, GPAI documentation), which are separate processes.

Tools and platforms

What governance software typically covers

A number of commercial AI governance platforms have emerged to help organisations manage AI Act obligations at scale. These tools vary widely in scope - from inventory registers to full lifecycle compliance suites - but common feature clusters include:

  • Use-case / system register: A central catalogue of every AI system in use, with metadata (purpose, vendor, risk tier, owner, data processed).
  • Risk classification workflow: Guided questionnaires to classify each system against the Act's tiers, with rationale recorded for audit.
  • Documentation management: Templates and version control for technical documentation, instructions for use, and conformity declarations.
  • Oversight assignment: Role mapping - who is responsible for each system, whether they are trained, and when reviews are due.
  • Monitoring and alerting: Integration with system logs or performance metrics to surface anomalies and support the deployer's incident-reporting duties.
  • AI literacy tracking: Evidence that staff and operators have completed tailored training, supporting the Article 4 duty.

AI Act Navigator does not endorse or review specific vendor products. The AI System Inventory template gives you a spreadsheet-based starting point that covers the register and risk-tier columns; you can migrate to a dedicated platform as your needs grow.

Start with the inventory

The AI System Inventory template is a free spreadsheet register for every AI system your organisation uses - with columns for risk tier, role (provider / deployer), owner, data processed, and compliance status. The practical first step to AI governance.

This is guidance to help you understand AI governance under the EU AI Act, not legal advice. For decisions specific to your organisation, confirm with the official sources we link or a qualified adviser. Last updated: 9 June 2026.

Sources

  1. Regulation (EU) 2024/1689 (EU AI Act), EUR-Lex, retrieved 9 Jun 2026
  2. AI Act, Article 9 - Risk management system, retrieved 9 Jun 2026
  3. AI Act, Article 17 - Quality management system, retrieved 9 Jun 2026
  4. AI Act, Article 26 - Obligations of deployers, retrieved 9 Jun 2026
  5. AI Act, Article 27 - Fundamental Rights Impact Assessment, retrieved 9 Jun 2026
  6. AI Act, Article 4 - AI literacy (in force 2 Feb 2025), retrieved 9 Jun 2026
