The Governance Gap

Episode 26

Hi there, 

This week, the European Commission published 167 pages of draft guidance explaining how organizations should classify high-risk AI systems under the EU AI Act.

Most coverage focused on legal definitions and delayed enforcement timelines. But the more important takeaway is operational.

The draft guidelines make one thing very clear: regulators are no longer evaluating AI systems only at launch. They increasingly expect organizations to understand how those systems behave after deployment — as models evolve, data changes, integrations expand, and decisions influence real users in production environments.

For many companies, that visibility still does not exist.

Inside the Issue

  • Why classification is only the beginning

  • The operational burden hidden inside the EU AI Act

  • Why AI governance is becoming an engineering problem

  • The growing importance of runtime visibility and traceability

  • What mature AI teams are building now

Classification Is Not the Hard Part

The new guidance gives organizations far more clarity around what may qualify as “high-risk” AI under Annex III categories, including systems used in hiring, education, insurance, biometric identification, credit scoring, and critical infrastructure.

The Commission also introduced important exemptions for systems performing “narrow procedural tasks” or supportive functions that do not materially influence outcomes. That distinction matters because many companies are currently trying to determine whether their AI features trigger the heavier compliance obligations attached to high-risk systems.

But the difficult part is not the classification exercise itself.

Most organizations can document intended use cases, map workflows, and complete legal assessments. The harder challenge begins after deployment, when systems continue changing in production.

A recommendation engine may use updated models six months later. A support assistant may start relying on different external tools. A hiring workflow may gradually shift from “supportive” to materially influencing decisions as adoption increases internally.

The EU AI Act is forcing companies to confront something uncomfortable: many enterprises still cannot clearly explain how their AI systems behave once they are operating at scale.

Not theoretically. Operationally.

Can teams identify which model version generated a specific output months later? Can they reconstruct what data was available at the time? Can they explain why performance degraded for one customer segment but not another? Can they prove meaningful human oversight actually happened?

Those questions sit underneath almost every major requirement inside the AI Act.

Governance Is Becoming Operational Infrastructure

One of the biggest misconceptions around AI governance is that it primarily lives in policy documents, legal reviews, or approval processes. The draft guidelines point in a different direction.

In practice, continuous compliance depends on runtime infrastructure: telemetry, traceability, monitoring, identity controls, audit logging, resilience testing, and incident response systems capable of operating continuously alongside production AI environments. That is a very different operational model from traditional software governance.
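The questions raised earlier in this issue (which model version produced a given output, what data was available at the time, whether a human actually reviewed the decision) and the traceability and audit-logging infrastructure named in the paragraph above come together in one concrete artifact: a per-decision audit record. The Python sketch below is an added illustration, not code from the newsletter or from any vendor or regulator. It records each AI decision with its model version, prompt version, data snapshot id, tools called and human reviewer, chains the records by hash so that later edits are detectable, and answers the provenance and oversight questions directly from the log. All system ids, versions, timestamps and records are constructed sample values.

```python
"""Hash-chained decision audit log for production AI systems (added illustration)."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Any, Dict, List, Optional, Tuple


def _digest(obj: Any) -> str:
    """Canonical SHA-256 of a JSON-serialisable object (stable key order)."""
    return hashlib.sha256(
        json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    ).hexdigest()


@dataclass(frozen=True)
class DecisionRecord:
    """One AI decision, captured so it can be reconstructed months later."""
    decision_id: str
    timestamp: str
    system_id: str              # which deployed AI system (constructed ids below)
    model_version: str          # exact model build that produced the output
    prompt_version: str
    input_hash: str             # hash of inputs; raw personal data stays out of the log
    data_snapshot_id: str       # data/feature snapshot available at decision time
    tools_called: Tuple[str, ...]
    output_hash: str
    human_reviewer: Optional[str]
    human_override: bool
    prev_hash: str              # hash of the previous record: tamper-evident chain
    record_hash: str


class DecisionAuditLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: List[DecisionRecord] = []

    def append(self, *, decision_id: str, timestamp: str, system_id: str,
               model_version: str, prompt_version: str, inputs: Any,
               data_snapshot_id: str, tools_called: Tuple[str, ...], output: Any,
               human_reviewer: Optional[str] = None,
               human_override: bool = False) -> DecisionRecord:
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        body = dict(decision_id=decision_id, timestamp=timestamp, system_id=system_id,
                    model_version=model_version, prompt_version=prompt_version,
                    input_hash=_digest(inputs), data_snapshot_id=data_snapshot_id,
                    tools_called=tuple(tools_called), output_hash=_digest(output),
                    human_reviewer=human_reviewer, human_override=human_override,
                    prev_hash=prev)
        rec = DecisionRecord(**body, record_hash=_digest(body))
        self.records.append(rec)
        return rec

    @staticmethod
    def _expected_hash(rec: DecisionRecord) -> str:
        fields = asdict(rec)
        fields.pop("record_hash")
        return _digest(fields)

    def verify_chain(self) -> bool:
        """True only if every record's hash and back-link are intact."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or self._expected_hash(rec) != rec.record_hash:
                return False
            prev = rec.record_hash
        return True

    def provenance(self, decision_id: str) -> Optional[Dict[str, Any]]:
        """Answer: which model, prompt, data and tools produced this decision?"""
        for rec in self.records:
            if rec.decision_id == decision_id:
                return {"model_version": rec.model_version,
                        "prompt_version": rec.prompt_version,
                        "data_snapshot_id": rec.data_snapshot_id,
                        "tools_called": list(rec.tools_called),
                        "human_reviewer": rec.human_reviewer}
        return None

    def decisions_without_oversight(self, system_id: str) -> List[str]:
        """Decisions for a system that no human reviewer is recorded against."""
        return [r.decision_id for r in self.records
                if r.system_id == system_id and r.human_reviewer is None]

    def model_versions(self) -> Dict[str, List[str]]:
        """Model versions observed in production, per system, in first-seen order."""
        seen: Dict[str, List[str]] = {}
        for r in self.records:
            versions = seen.setdefault(r.system_id, [])
            if r.model_version not in versions:
                versions.append(r.model_version)
        return seen


def tampered_copy(log: DecisionAuditLog, index: int, **changes: Any) -> DecisionAuditLog:
    """Copy of the log with one record silently edited, to show the chain catches it."""
    copy = DecisionAuditLog()
    copy.records = list(log.records)
    copy.records[index] = replace(copy.records[index], **changes)
    return copy


def build_sample_log() -> DecisionAuditLog:
    """Constructed sample decisions: a hiring screener that changed model mid-stream."""
    log = DecisionAuditLog()
    log.append(decision_id="d-1001", timestamp="2025-01-10T09:12:00Z",
               system_id="hiring-screener", model_version="screener-2.3.1",
               prompt_version="p-7", inputs={"cv_id": "cv-88"},
               data_snapshot_id="snap-2025-01-09", tools_called=("ats_lookup",),
               output={"score": 0.81}, human_reviewer="recruiter-14")
    log.append(decision_id="d-1002", timestamp="2025-03-02T14:05:00Z",
               system_id="hiring-screener", model_version="screener-2.4.0",
               prompt_version="p-9", inputs={"cv_id": "cv-91"},
               data_snapshot_id="snap-2025-03-01", tools_called=("ats_lookup",),
               output={"score": 0.44})  # no reviewer recorded
    log.append(decision_id="d-2001", timestamp="2025-03-02T14:06:00Z",
               system_id="support-assistant", model_version="assistant-1.0",
               prompt_version="p-2", inputs={"ticket": "t-501"},
               data_snapshot_id="kb-2025-02-28",
               tools_called=("kb_search", "ticket_api"), output={"reply_id": "r-9"})
    return log
```

Only hashes of inputs and outputs are stored, so the log can be retained for the life of the system without becoming a second copy of the personal data it describes; the raw payloads live in the system's normal stores under their own retention rules and are matched back by hash when an inquiry arrives.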

Most governance processes were designed for systems that changed slowly after release. AI systems behave differently. Inputs evolve, models are updated, prompts change, external dependencies shift, and outputs become increasingly difficult to evaluate manually at scale.

This is one reason industry groups had been pushing for clearer guidance. The International Association of Privacy Professionals (IAPP) noted that uncertainty around classification had already slowed implementation planning across the market. But clearer definitions do not solve the deeper operational problem many organizations face: fragmented visibility into production AI systems. And that fragmentation is growing faster than most governance processes can adapt.

The Real Risk Is Operational Fragmentation

Reuters reported this month that parts of the AI Act timeline were delayed partly because both governments and companies were struggling with implementation readiness. That detail matters because it reflects a broader reality inside enterprise AI.

The challenge is no longer simply understanding the regulation. The challenge is maintaining operational control once AI systems become deeply embedded across products, workflows, vendors, and teams.

Many organizations already have dozens of AI systems operating simultaneously across departments with different monitoring standards, different ownership structures, and different levels of oversight. Some are internally developed. Others come from external vendors or APIs integrated directly into workflows. Over time, visibility starts breaking down. That is where governance becomes difficult — not because companies refuse to comply, but because they no longer have a clean operational picture of what is actually happening inside production environments.

Closing

The most important question raised by the EU AI Act is not whether a system qualifies as “high-risk.” It is whether organizations can still clearly understand, monitor, and control the AI systems already operating inside their business. Because once AI systems become deeply embedded across products, workflows, vendors, and teams, governance stops being a documentation exercise. It becomes an operational challenge. And for many companies, that challenge is arriving faster than expected.

Sources & Further Reading

IAPP — European Commission Delivers Draft High-Risk AI Guidelines
https://iapp.org/news/a/european-commission-delivers-draft-high-risk-ai-guidelines-after-delays/

Thank you for joining us for another edition of The Foundation.

We help organizations design and build AI systems with production-grade observability, operational control, and long-term scalability in mind from the start.

P.S. We want to make sure this newsletter hits the mark. So reply to this email and let us know what you think.