Your Data Governance Won't Save You From the AI Act
Read time: 6 minutes
Welcome to AI-Empowered Leaders. In this weekly email, I share actionable advice on AI adoption, use cases & strategic thinking from my experience as AI Trainer, Leadership Coach, and Consultant.
In a recent leadership workshop, the CIO told me: "We're fine. We've had data governance for years." Total confidence.
Data policy. Ownership. A catalog. The whole setup.
I asked:
"Who's accountable when your chatbot gives a customer the wrong answer?"
Silence.
That's exactly the gap I keep seeing.
Let's dive in.
The Briefing
Data governance is not AI governance.
A lot of leaders assume it is. They have the data side handled, so they figure AI is covered, too.
It isn't.
The difference:
Data Governance manages the raw material -> Everything that goes into the system.
AI Governance manages the machine and the decisions -> Everything that comes out.
One protects your data. The other protects your business from what AI does with that data.
The maturity gap is real. Fewer than half of organizations have an AI governance policy at all, and only about a third have a formal framework. Most have plenty of data governance and almost nothing governing AI.
Why it matters now:
The EU AI Act is already enforceable for prohibited practices, with high-risk obligations landing in 2026. Penalties run up to €35 million or 7% of global turnover for the worst violations. For smaller companies the cap is the lower of those two numbers, so it scales to your size, but it is still material enough to hurt.
The Act does not care whether you "have governance." It cares whether your governance covers what AI actually does.
The Real Story
Most companies sit at the bottom of a five-level ladder and never climb it:
- Level 1, Data Only.
- Level 2, Data Governed.
- Level 3, AI Extended.
- Level 4, AI Controlled.
- Level 5, AI Governance.
Most are stuck at 1 or 2. They govern data. They don't govern AI.
The gap shows up in five dimensions. This is the part most people miss.
1. Policy: your rulebook is silent on AI
Your data policy probably says nothing about which AI models you allow, which vendors are approved, or what happens to AI outputs.
A policy that covers storage but not models has a hole in it.
2. Risk: you're tracking the wrong failures
You monitor data breaches. Good. But do you track hallucinations, bias, or model drift? Do you consistently evaluate your AI agents?
A breach leaks information. A confident, wrong AI output makes a decision. Different failure, same balance sheet.
3. Roles: a data steward is not an AI governance lead
I have seen lots of resistance on this one. Your data steward owns data quality and access. That is not the same job as owning AI risk, model behavior, and vendor oversight.
Different skills. Different accountability. If nobody owns AI specifically, nobody owns it.
4. Compliance: GDPR and the EU AI Act both apply
GDPR governs how you handle personal data. The EU AI Act governs the AI systems themselves. These are two regimes, not one.
Being GDPR-compliant tells you nothing about whether your AI use is compliant.
5. Data: a clean catalog is the floor, not the ceiling
A tidy data catalog is step one. AI needs more: data lineage from source to output, bias checks, and controls on what flows into the pipeline.
Clean data feeds a good model. Ungoverned data feeds a confident, biased one.
The real question isn't "Do we have governance?" It's "Does our governance cover what AI actually does?"
The Playbook
Five moves to close the gap. None of them need a data science team.
- Run a Shadow AI inventory. List every AI tool your people actually use, not the ones you think they use. You can't govern what you can't see.
- Extend your policy to models, vendors, and outputs. Add an approved-vendor list and clear usage boundaries. One page is enough to start.
- Name an AI owner. One person accountable for AI risk and oversight. Don't default to your data steward without checking it's the right fit.
- Map your AI use to EU AI Act risk tiers. Sort your tools into prohibited, high-risk, limited, and minimal. This alone tells you where your exposure is.
- Add AI-specific risks to your risk register. Drift, bias, and hallucination belong next to your data breach line items.
The Monday Test
This week, try this: pick the one AI tool your team uses most, and ask out loud, "Who owns the risk if this gets it wrong?"
If you get a name, you have AI governance starting to form. If you get silence, you have AI usage with no governance behind it. That's the gap, in one question.
Whenever you’re ready, here’s how I can help you win with AI:
1) AI Business Advisory
Spot, plan & launch AI use cases that save hours and unlock new value.
2) AI Enablement
Take your team on a journey from AI beginners to critical-thinking power-users—working securely across tools, saving costs, and driving results.
I’ve already trained and coached 3,000+ leaders who are saving hours and performing at a higher level. Your team could be next.
Have questions? Hit reply to this email and I'll help out!
Talk soon,
Alex