AI governance for technology companies.
Technology companies and AI developers are both providers and deployers — often simultaneously. Provider obligations under the EU AI Act are the most demanding in the framework. For companies building AI that others use, governance is not just internal risk management. It is a product liability and regulatory compliance question.
The regulatory landscape
EU AI Act — provider obligations
Technology companies that place AI systems on the EU market carry provider obligations: conformity assessment, technical documentation, quality management system, EU AI database registration, post-market monitoring, and incident reporting. These obligations follow the system regardless of where the provider is based.
GPAI model rules
General-purpose AI model providers — companies that train foundation models or make them accessible via API — have specific obligations from August 2025: technical documentation, copyright compliance policy, model transparency reporting, and for models with systemic risk, additional evaluation and incident reporting requirements.
Product liability
The EU Product Liability Directive and AI Liability Directive (in progress) create civil liability pathways for AI-caused harm. Technology companies that build AI products face product liability exposure analogous to other product manufacturers — including for defects in third-party components they incorporate.
Data governance and training data
AI companies training models on personal data must establish lawful basis for that processing, address copyright and intellectual property questions for training data, and manage data subject rights requests that extend to data used in training.
Where governance most often fails
High-risk AI without conformity assessment
Technology companies that have shipped AI products falling within the EU AI Act's Annex III high-risk categories without conducting a conformity assessment are non-compliant. That position creates both regulatory and civil liability risk, regardless of whether enforcement has yet commenced.
GPAI copyright and training data
AI companies that trained models on scraped web content without adequate copyright analysis face significant IP liability exposure. Several jurisdictions have seen litigation against AI companies for training data practices. Governance requires legal assessment of training data provenance before models are deployed.
Inadequate incident response
Technology companies whose AI systems cause harm often lack defined incident response processes — which regulatory frameworks increasingly require. The absence of a process becomes evidence of inadequate governance in enforcement and litigation.
Governance theater in AI ethics
Technology companies with published AI ethics principles but no operational governance implementation face credibility risk when their AI causes harm. Regulators and courts will assess actual governance practice, not stated principles.
Key governance questions
Have you classified all AI products you supply to others against the EU AI Act's risk tiers — and conducted conformity assessments for any high-risk systems?
If you provide a general-purpose AI model or API, have you addressed the GPAI model obligations that apply from August 2025?
What is your training data provenance and copyright assessment process — and do you have records demonstrating compliance?
Do you have an AI incident response process that meets EU AI Act serious incident notification requirements?
What governance evidence can you provide to enterprise customers who require AI governance documentation as a condition of procurement?
How is AI governance accountability assigned within your organisation — who owns it, and how is it reported to the board?
Guidance and resources
Agentic AI and the Accountability Vacuum: Who's Responsible When AI Agents Fail?
AI Governance for Startups: Building It Right Before You Scale
When AI Goes Wrong: Building an AI Incident Response Capability
The EU AI Act Deadline Is Here: What Organisations Outside the EU Must Do Now