The EU AI Act And Beyond: A Leadership Guide To Ethical AI Governance

Artificial intelligence (AI), particularly generative artificial intelligence (GenAI), is having a far greater impact on the world than originally predicted.

This rapid transformation brings not only vast opportunities, but also a growing number of serious and complex risks. An astonishing number of people already use AI in the workplace. The Times of India reports that globally, 3 out of 4 people use GenAI in the workplace, while Microsoft reports that of the 75% of people who use AI at work, 78% bring their own AI tools to work. With such elevated levels of AI adoption, it is clear that government bodies and business leaders must adopt a proactive stance to ensure that these technologies remain compliant with business goals, legal requirements and ethical goals.

A recent regulatory development introduced in response to these requirements is the EU AI Act, which sets out a comprehensive framework for AI governance. We will examine this in more detail, but it classifies AI systems based on risk levels and imposes corresponding obligations. Although the United Kingdom is no longer an EU member, the Act has significant implications for UK businesses. For instance, the Act effectively extends beyond EU borders, as businesses, including UK businesses, which develop or deploy AI systems interacting with EU users or customers must ensure compliance with the Act. Depending on the risk classification of the AI system, ranging from minimal to unacceptable risk, UK businesses may need to adhere to specific requirements, such as conducting conformity assessments, implementing risk management systems, and ensuring transparency.

Additionally, the UK has its own more flexible approach. This iteration includes the Pro-Innovation Framework, which emphasises innovation and proposes non-statutory principles for AI regulation. This framework allows existing regulators to tailor guidelines to specific sectors. This approach balances technological advances with ethical artificial intelligence considerations, avoiding rigid legislative constraints.
​
There is also discussion regarding more formal AI regulations, including establishing a centralised supervisory body and aligning with international standards to facilitate cross-border cooperation.

The bottom line is that while differences exist between the EU and UK approaches, UK businesses must comply with the EU AI Act and domestic regulatory requirements.

Next, we will examine the EU AI Ac in some detail. The Act aims to ensure that AI systems used in the European Union (EU) are safe, transparent, traceable, non-discriminatory, and environmentally friendly while promoting innovation, competitiveness and Corporate AI responsibility.

. As mentioned, the AI Act defines rules based on the risk level of AI applications, classifying them into four categories:

LEVEL 1 – Unacceptable Risk – Prohibited AI Practices

The Act bans AI systems that directly threaten people’s rights and safety. Examples include social scoring by governments, such as ranking individuals based on their behaviour; real-time biometric identification in public spaces, such as facial recognition used for mass surveillance when not for national security or crime prevention; and AI-based predictive policing and behaviour manipulation.

LEVEL 2 – High-Risk AI Systems – Strict Regulations

High-risk systems include AI in healthcare, critical infrastructure such as transportation and power supply, education and employment, law enforcement, and border control.

Requirements for high-risk AI systems include mandatory risk assessments, ensuring human oversight, detailed documentation and logs, and implementing steps to ensure accuracy, cybersecurity, and transparency regarding how the AI system operates.

LEVEL 3 – Limited Risk – Transparency Obligations

This level applies to AI systems that interact with humans but do not pose significant risks, such as chatbots and AI assistants, deepfakes and AI-generated videos or audio that mimic real people.

Requirements for this risk level include informing people when interacting with AI, labelling AI-generated content, and ensuring transparency and fairness.

LEVEL 4 – Minimal Risk – No Specific Regulations

Most AI applications, such as streaming video services, carry minimal risk and do not require special regulations.

Penalties for Non-Compliance

The AI Act imposes strict penalties for violations. These include:

1. Up to €35 million or 7% of global annual turnover for prohibited AI practices.
2. Up to €15 million or 3% of global annual turnover for violations related to high-risk AI systems.
3. Up to €7.5 million or 1.5% of global turnover for providing incorrect information.

We cannot afford to hang around while the authorities get up to speed.

While these new regulations are a welcome assurance that regulatory authorities are addressing AI safety concerns, there is a nagging doubt that it is too little or too late. The technologies are advancing too rapidly, so legislative action must keep pace. Rather than wait for governments to catch up, business leaders would be better positioned if they took a far more proactive approach and acted now rather than wait.

There are two approaches to establishing this level of responsible AI leadership. The task could be outsourced to a business consultancy or handled in-house. Naturally, all enterprises are different, and the best strategy for you might not be the best for everyone. Still, data privacy and governance are best handled in-house by those who have a complete grasp of the business, its customers, processes, and ethics.

AI Governance for Ethical and Responsible

Given the current challenges, CEOs must take active leadership in ensuring the ethical use of AI. AI governance is no longer just a compliance requirement – it is a strategic imperative that affects brand reputation, customer trust, and long-term innovation.

The first task that will define the future of ethical AI in the organisation should be to appoint an ethical AI leadership team. Naturally, many alternative structures would work optimally with each organisation, but management should implement at least a close approximation to the following AI policy framework:

1. Chief AI Officer (CAIO)

AI governance is sufficiently complex and demanding to require dedicated leadership. Without a central figure overseeing AI ethics, responsibilities often become fragmented across departments, leading to inconsistencies and gaps in compliance. A Chief AI Officer (CAIO) ensures that AI systems align with regulatory requirements and the company’s ethical values.

The primary responsibilities of the CAIO would be to:

1. Define and oversee AI ethics strategy and governance.
2. Ensure AI systems align with ethical, legal, and regulatory requirements.
3. Lead cross-functional teams to assess AI risks and biases.
4. Establish ethical guidelines for AI development and deployment.
5. Serve as the public face of the organisation’s AI ethics efforts.

The CAIEO would report directly to the CEO or board and work closely with the legal, compliance, and technology teams.

2. Chief Data & AI Officer (CDAO)

The Chief Data & AI Officer oversees data governance, AI strategy, and innovation to drive business value while ensuring compliance and ethical considerations.

Their responsibility would be to:

1. Develop and execute the organisation’s AI and data strategy.
2. Ensure data integrity, security, and regulation compliance (e.g., GDPR, CCPA).
3. Oversee AI-driven business models and digital transformation.
4. Collaborate with the CAIEO to align AI innovation with ethical principles.
5. Manage data science and AI engineering teams.

The CDAO would work alongside the CAIEO but focus more on operational aspects of AI and data strategies. It would report to the CEO or CIO and collaborate with technology, product, and legal teams to integrate responsible AI practices.

3. Head of Responsible AI

The Head of Responsible AI ensures AI models and applications align with ethical standards, fairness, transparency, and accountability principles. Responsibilities would include:

1. Develop frameworks and tools for responsible AI deployment.
2. Conduct AI ethics impact assessments.
3. Work with technical teams to mitigate bias and risks in AI models.
4. Provide training on responsible AI practices.
5. Engage with stakeholders, including regulators and civil society groups.

The responsible AI head would report to the CAIEO and work closely with the AI Governance Lead and CDAO to implement ethical AI strategies across business units.

4. AI Governance Lead

The AI Governance Lead establishes governance policies, risk management frameworks, and compliance mechanisms for AI systems. The primary responsibilities would include:

1. Define AI governance policies and frameworks.
2. Ensure AI compliance with regulatory and ethical guidelines.
3. Develop audit and monitoring processes for AI systems.
4. Report AI risks and governance status to executives and regulators.
5. Work with legal and risk management teams to address AI-related challenges.

This role is within the governance, risk, and compliance (GRC) function and reports to the CAIEO or CDAO. It ensures AI aligns with corporate policies and external regulations.

5. Digital Ethics Committee or Board Subcommittee

A Digital Ethics Committee or Board Subcommittee provides oversight and strategic guidance on ethical AI and digital governance. Primary responsibilities would include:

1. Review AI policies, ethical considerations, and governance frameworks.
2. Provide independent oversight on AI-related decisions and risks.
3. Ensure accountability in AI development and deployment.
4. Engage with external ethics experts and regulatory bodies.
5. Advise the board and executives on emerging AI risks.

This body operates at the board level, working closely with the CAIEO and CDAO to ensure ethical AI principles guide organisational decision-making.

Key Actions for AI Leadership in Ethical AI Implementation

To ensure AI’s responsible development, deployment, and governance, the leadership team must take numerous proactive steps to mitigate risks and promote trust. These are likely to include:

1. Regularly Monitor and Audit AI Systems

AI systems evolve, and without continuous oversight, they may introduce bias, errors, or security vulnerabilities. Regular audits are essential to maintaining accuracy, fairness, and compliance.

2. Ensure Transparency with Users

User trust in AI depends on transparency and control. If stakeholders are unaware of how AI influences decisions, they may perceive the system as unfair or untrustworthy.

3. Implement an AI Model Registry

Organisations should document and track all deployed AI models to maintain accountability and ensure responsible AI use.

4. Foster Ethical AI Culture and Training

An ethical AI approach requires ongoing education and awareness across the organisation. This approach includes regular AI ethics training for employees, particularly those in AI development and deployment.

5. Strengthen AI Security and Risk Management

AI systems are vulnerable to adversarial attacks, data breaches, and security threats. A strong security posture minimises these risks.

6. Engage with External Stakeholders and Regulators

AI governance extends beyond internal policies. Engaging with external stakeholders ensures compliance and aligns with evolving global standards.

By integrating these key actions into AI governance strategies, leadership can ensure AI systems are ethical, transparent, and accountable. Proactive monitoring, transparency, proper documentation, strong governance, training, security measures, and stakeholder engagement will collectively drive responsible AI development and deployment.

Alignment with the EU AI Act and other international measures

AI governance is being shaped by both corporate leadership and regulatory frameworks. While CEOs are encouraged to take proactive steps in managing AI ethics, global AI regulations, such as the EU AI Act, set legal requirements for businesses to comply. How do the key action steps for CEOs align with the EU AI Act and other international regulatory efforts?

• EU AI Act: This guide’s recommendations emphasise risk-based governance, transparency, and accountability, which aligns with the EU’s tiered regulatory model.
• UK Pro-Innovation Framework: The flexible, sector-specific governance approach is like in our in-house AI ethics leadership model.
• OECD AI Principles: The proposed AI oversight mechanisms align with the OECD’s focus on human-centric AI, accountability, and transparency.
• US Executive Order on AI: The emphasis on AI safety, bias mitigation, and model documentation is consistent with recent US federal AI governance directives.

Conclusion

AI presents an extraordinary opportunity to drive innovation, efficiency, and growth, but it also introduces ethical and regulatory challenges that we cannot ignore. Governments worldwide are taking steps to regulate AI, but the rapid evolution of technology demands that businesses take an active role in ensuring responsible AI use.
By establishing a structured leadership framework, implementing strong governance policies, and aligning with global AI regulations, organisations can build AI systems that are transparent, fair, and accountable. Ethical AI governance is not just a legal necessity. it offers a strategic advantage that fosters trust, protects stakeholders, and ensures long-term success in an increasingly AI-driven world.

Download the full report to explore the EU AI Act in-depth and discover key insights on ethical AI governance.