Business AI Governance

| Risk Level | EU AI Act Category | Requirements | Examples |
|---|---|---|---|
| Unacceptable | Prohibited | Banned entirely | Social scoring, biometric surveillance |
| High | High-risk | Registration, conformity assessment, human oversight | Medical diagnosis, credit scoring, hiring tools |
| Limited | Transparency obligations | Disclose to users that they are interacting with or viewing AI-generated content | Chatbots, deepfakes |
| Minimal | No requirements | Voluntary code of conduct | Spam filters |

- AI Inventory: Register all AI systems with risk level and responsible owner
- Vendor Due Diligence: Before using third-party AI APIs, assess data handling and bias testing
- AI Use Policy: Define what employees may and may not use AI for (e.g., no client PII entered into ChatGPT)
- Training: All employees using AI need awareness training on risks and acceptable use
- Incident Response: Pre-define the escalation path to follow when an AI system causes harm