Be EU AI Act Ready with Our Regulatory Conformity Assessments

AI is everywhere, but governance is lagging. While 96% of large enterprises already use AI and nearly all plan to boost AI investment in 2025, only 5% have implemented formal AI governance frameworks. At the same time, 82% of executives say governance is a top priority, recognising it as essential for managing risk, maintaining trust, and complying with fast-evolving regulations.   This blog is produced in collaboration with Parker and Lawrence, leaders in AI, risk, and compliance research,. Combining our respective research and client engagements, we explain the crucial role of AI governance in 2025, including the principles that underpin effective governance and the business case for developing your own world-class framework.   Defining AI Governance AI governance is the set of policies, processes, and controls that guide the responsible development, deployment, use, and oversight of artificial intelligence systems. It ensures AI is ethical, safe, transparent, and aligned with organisational and social values, helping enterprises manage risk, build trust, and unlock value with confidence.   AI governance intersects technology, strategy, risk, compliance, and operations. It connects leadership intent with day-to-day AI practices, embedding accountability, oversight, and ethical considerations across the entire AI lifecycle. From data governance to model validation, deployment monitoring to post-launch audits, AI governance ensures that AI systems remain robust, explainable, and aligned with evolving business goals.   The Hourglass Model  There are many ways to implement and visualise AI Governance. The hourglass model is one such approach.   The Hourglass Model of AI Governance provides a layered framework to operationalise ethical and regulatory requirements for AI systems within organisations. It consists of three interconnected levels: the environmental layer, which includes external forces such as laws, ethical guidelines, and stakeholder pressure; the organisational layer, where strategic and value alignment decisions are made to translate those external demands into internal practices; and the AI system layer, where governance is implemented through concrete controls in data, models, risk management, and accountability mechanisms.    The model visualises governance as a dynamic, bidirectional flow, from regulatory intent to system implementation, and from technical feedback to strategic refinement, helping organisations embed responsible AI practices across the full lifecycle of their systems while aligning with frameworks like the EU AI Act and ISO/IEC 42001.   Why is AI Governance Dominating the Enterprise Agenda? AI governance is not just a matter of ethics or compliance; it’s rapidly becoming a core business requirement in 2025. As enterprises scale AI, the risks grow with it. A McKinsey study underscores this reality: even as of March 2024, 83% of generative AI adopters reported negative consequences, detailed in the chart below.   Question was asked only of respondents whose organisations have adopted generative AI in at least 1 function, n = 876. The 17 percent of respondents who said “don’t know/not applicable” are not shown. Source: McKinsey Global Survey on AI, March 2024. For many organisations, AI governance is a gateway to growth. World-class governance practices signal credibility to customers, partners, and regulators. They show that AI systems are functional and safe, fair, and auditable. This is especially important in high-impact use cases like HR, healthcare, or financial services, where risk tolerance is low and trust is everything.   Increasingly, AI assurance is a market expectation. For enterprise buyers, governance is shifting from a nice-to-have to a must-have. This shift is driven by corporate leaders who recognise that demonstrating control over AI is essential to securing partnerships, entering new markets, and aligning with emerging regulations like the EU AI Act.   How AI Governance Differs From Existing Frameworks AI governance isn’t just an extension of existing risk or compliance frameworks, it requires fundamentally different thinking.    Probabilistic Outputs Unlike traditional systems, the latest wave of AI models are non-deterministic, opaque, and dynamic. For decades, institutions relied on deterministic models like logistic regression for credit scoring: submit the same application twice, and you’d get the same score every time. These models produced consistent, transparent, and stable outputs.   However, with today’s cutting-edge models, outputs aren’t always predictable, and their performance can degrade or shift over time due to model drift, data changes, or feedback loops. This means governance can’t be a one-off design decision; more so than ever, it demands continuous, multidisciplinary oversight.   Cross-Functional Coordination Governing AI systems is more complex than traditional software because AI development and use involves a broader and more fragmented set of stakeholders, and its impact extends beyond internal operations, influencing real people in legal, social, and ethical contexts.   Internally, it draws in HR teams who apply AI to hiring or performance decisions, managers who act on AI-driven recommendations, and legal and compliance teams who must ensure fairness, non-discrimination, and data protection. IT, security, and data science teams are responsible for system reliability, integration, and transparency, while senior leadership remains ultimately accountable for reputational and ethical risks.   Externally, the governance environment is shaped by vendors who develop or maintain AI systems, regulators and standard setters who define compliance expectations, and civil society groups and researchers who highlight emerging risks. Even individuals affected by AI decisions contribute indirectly, as their experiences can surface issues that drive policy or oversight responses.   In this context, AI governance evolves from a contained compliance function into an enterprise-wide coordination effort, requiring ongoing collaboration across legal, risk, product, ethics, and external stakeholders. For many organisations, this shift represents a steep but necessary learning curve.   Accountability for Autonomy Effective accountability hinges on two essential conditions:    Clear responsibility who is accountable, to whom, for what, under which standards, and;  The capacity to explain and justify actions and face consequences.    With AI, especially autonomous or generative models, both conditions frequently break down. Complex supply chains, third‑party components, tuning cycles, and multiple human/non‑human actors blur responsibility (the “many hands” problem). Even when responsibility can be assigned, technical opacity prevents actors from truly explaining outcomes. And in the absence of agreed standards—ethical, legal, or regulatory—it’s unclear what they should be answerable for.    As a result, AI governance must confront an accountability

Chips are the fuel driving the global AI race, essential for both training models and running real-time applications. While the US leads in chip design, manufacturing is concentrated in Taiwan’s TSMC, which produces over 90% of the world’s most advanced chips. This dependence has become a geopolitical risk, especially amid tensions with China.TSMC’s dominance stems not only from technology but from decades of investment, scale, and expertise that are difficult to replicate. Some have even proposed destroying its facilities in the event of a Chinese invasion. To limit China’s access to this strategic technology, the US introduced the AI Diffusion Rule, aiming to block not just hardware exports but also the proprietary model parameters behind advanced AI systems. The policy sparked immediate backlash and was eventually repealed by the Trump administration. The Biden AI Diffusion Rule Explained In its final days, the Biden administration introduced the AI Diffusion Rule—a national security measure aimed at preventing adversarial states, primarily China, from accessing high-performance AI chips and proprietary model parameters developed by US firms such as Nvidia and AMD. Proprietary model parameters are the learned numerical values—like the DNA of an AI model—that determine how it processes inputs and makes decisions. If someone gains access to a model’s parameters, they can recreate that model exactly. The rule established a three-tier system to govern the export of AI chips and model parameters: Tier 1 – Strategic Allies (G7, Taiwan, Japan, South Korea): full access with no restrictions. Tier 2 – Friendly but Controlled (over 100 countries including India, Switzerland, Singapore, Israel): subject to export caps and licensing requirements. Tier 3 – Adversarial States (China, Russia, Iran, North Korea): total export ban. For example, Tier 2 countries could receive up to 100,000 Nvidia H100-equivalent chips in 2025, but US firms were required to ensure that no more than 7% of their global compute capacity was deployed in any single Tier 2 nation. Why It Faced Heavy Backlash The aim was to prevent indirect access by Chinese firms via intermediary countries such as India, Switzerland, and Singapore—but critics argued the policy was deeply flawed. Unworkable Complexity The licensing regime was overly bureaucratic and difficult to enforce. Exporters had to manage thresholds, government notifications, and fragmented approvals—creating a logistical nightmare. Damage to US Industry The rule restricted legitimate exports to friendly and strategic partners, putting billions in sales at risk. Industry leaders warned it would hand market share to Chinese competitors like Huawei, who could step in to fill the void. Industry Reaction The Trump administration’s decision to abandon the rule was warmly welcomed by the tech sector. Nvidia called it a “once-in-a-generation opportunity” for the US to lead a new industrial era, highlighting potential gains in jobs, infrastructure, and the trade balance. The market reacted positively: Nvidia +3% AMD +1.8% Broadcom +1.5% Security vs. Innovation Trump officials made it clear that repealing the rule does not equate to full deregulation. A new framework is in development to better balance national security with US tech competitiveness—potentially through bilateral licensing and more targeted restrictions. Meanwhile, the administration is reassessing semiconductor tariffs and tightening rules on China-specific chips, reinforcing a more nuanced and strategic approach to export policy. Broader Geopolitical Implications In recent Senate hearings, leaders from OpenAI, Microsoft, and AMD emphasised the urgent need for regulatory consistency and sustained investment to maintain US leadership in AI. With Nvidia’s Q1 results due on 28 May, investors are now watching closely to see how ongoing trade dynamics may impact the company’s outlook.