Who is responsible for AI governance within your organization?

Responsibility for AI governance does not rest with a single person but is distributed across multiple roles within an organization. In practice, ultimate responsibility often lies with management or a designated AI lead, while implementation and oversight are shared by IT, legal, compliance, and operational teams. AI-driven intelligence requires a structured approach in which everyone knows their role. This article answers the most frequently asked questions about AI governance, from definition to implementation.

What does AI governance mean in practice?

AI governance refers to the set of policies, processes, roles, and responsibilities through which an organization manages, monitors, and accounts for the use of artificial intelligence. In practice, this involves specific agreements regarding who is authorized to deploy AI systems, how risks are assessed, how decisions are documented, and how compliance with laws and regulations is ensured.

Governance goes beyond a manual or internal regulations. It also encompasses day-to-day practices: Who approves a new AI model before it goes into production? Who is responsible if an AI system makes a mistake? How are employees trained in the responsible use of AI tools?

In practical terms, AI governance in 2026 also means taking into account the EU AI Act, the world’s first comprehensive AI regulation. This law, published on July 12, 2024, and phased in gradually through 2031, requires organizations to classify AI systems by risk level and implement appropriate control measures accordingly. High-risk systems require extensive documentation, human oversight, and compliance assessments. Prohibited applications, such as manipulative AI techniques or social scoring by governments, have been banned since February 2, 2025.

Practical AI governance consists of at least the following elements:

  • An inventory of all AI systems used or developed within the organization
  • A risk classification for each system based on the EU AI Act or an internal risk model
  • Clear ownership for each system, including a designated person or team responsible for it
  • Documentation of decisions, training dates, and intended uses
  • A process for reporting and handling incidents
  • Periodic evaluation and adjustment of the governance framework

Who are the key roles in AI governance?

Within a well-functioning AI governance structure, at least four roles are essential: a senior executive with ultimate responsibility, an AI coordinator or Chief AI Officer, a legal or compliance officer, and the operational owners of individual AI systems. These roles may be combined in smaller organizations, but the responsibilities must not be left undefined.

Strategic and operational roles

At the executive level, management bears ultimate responsibility for AI policy. This means that they establish frameworks, approve budgets, and the organization is accountable to regulatory authorities. In larger organizations, this task is often supported by a Chief AI Officer or an AI Governance Board, which translates policy into action.

The operational owners are the managers or team leaders who work with AI systems on a daily basis. They identify anomalies, report incidents, and ensure that employees use the systems correctly. They are also the first point of contact when problems arise in practice.

Legal and Technical Roles

Legal and compliance staff monitor compliance with laws and regulations, including the EU AI Act and the GDPR. They assess whether new AI applications meet applicable requirements and provide advice on risk management.

IT and data teams are responsible for the technical implementation of governance measures, such as access control, logging, model version control, and technical documentation. Without their involvement, governance remains nothing more than a policy on paper.

What is the difference between AI governance and AI compliance?

AI compliance is a component of AI governance, but it is not the same thing. Compliance focuses on adhering to external laws and regulations, such as the EU AI Act or sector-specific standards. AI governance is broader: it also encompasses internal policy decisions, ethical principles, risk appetite, and the way in which an organization intends to use AI responsibly, even in areas where the law does not impose specific requirements.

A practical example illustrates the difference. The EU AI Act requires providers of high-risk AI systems to maintain technical documentation and ensure human oversight. That is compliance. But an organization may also decide never to use AI for employee evaluations, even if the law does not prohibit it. That is a governance choice based on the organization’s own values and risk appetite.

Compliance is reactive by nature: you respond to what the law requires of you. Governance is proactive: you decide for yourself how you want to use AI and what limits to set, before a regulator does it for you. Organizations that focus solely on compliance miss the opportunity to build trust with customers, employees, and partners.

How do you set up an AI governance structure within your organization?

Setting up an AI governance structure starts with identifying all the AI systems you’re already using, followed by assigning ownership, drafting policies, and establishing oversight and reporting processes. You don’t have to do everything at once, but you do need a concrete starting point.

A proven approach consists of the following steps:

  1. Take stock: Identify which AI systems and tools are used within the organization, including purchased software with AI functionality.
  2. Classify: Assess each system’s risk level based on the EU AI Act categories: prohibited, high-risk, limited-risk, or minimal-risk.
  3. Assign ownership: Determine who is responsible for the use, documentation, and incident reporting for each system.
  4. Develop a policy: Establish internal guidelines for evaluating, approving, and monitoring AI applications.
  5. Train employees: Ensure AI literacy at all levels. The EU AI Act explicitly requires this under Article 4, which takes effect on February 2, 2025.
  6. Establish oversight: Determine how and how often you will evaluate and adjust the governance framework.

Start small if the organization does not yet have a formal governance structure. A working group with representatives from IT, legal, and operational teams can already accomplish a great deal without setting up a large-scale program.

What risks arise in the absence of clear AI governance?

Without AI governance, your organization faces legal, operational, and reputational risks. The EU AI Act imposes fines of up to 35 million euros or 7% of global annual revenue for violations of the most serious prohibitions. But the risks go beyond fines: uncontrolled use of AI can also result in unintended harm to customers, employees, or society.

Specific risks associated with a lack of governance include:

  • Legal liability: Using high-risk AI without the required documentation or conformity assessment results in non-compliance under the EU AI Act, subject to corresponding fines.
  • Data privacy violations: AI systems that process personal data without adequate safeguards violate the GDPR.
  • Operational errors: Without supervision, AI systems can make decisions based on outdated or incorrect data, resulting in harm to customers or processes.
  • Reputational damage: Unintentionally discriminatory or manipulative AI outputs can seriously damage customer trust and public opinion.
  • Loss of control: Without ownership and documentation, no one knows exactly which AI systems are active, what they do, and who is responsible.

National market surveillance authorities are responsible for enforcing the EU AI Act with regard to high-risk AI. In January 2026, Finland became the first member state to formally grant enforcement powers to its authority. The Netherlands will follow suit, meaning that oversight is becoming increasingly concrete.

When will your organization be ready for formal AI governance?

Your organization is ready for formal AI governance as soon as you use AI systems that affect customers, employees, or business processes, and as soon as more than one person is involved with those systems. That is already the case for most organizations. Waiting for the “right moment” only increases the risks.

There are, however, signs that indicate that formalization is urgent:

  • You use AI tools that no one knows exactly how they work or who manages them
  • There are no internal guidelines for approving new AI applications
  • Employees use AI tools on their own initiative without central coordination
  • There is no process for reporting AI-related errors or incidents
  • You operate in sectors that the EU AI Act classifies as high-risk, such as government, education, or critical infrastructure

Formal governance doesn’t have to be complicated. A clear policy document, a designated person in charge, and an annual review already provide a solid foundation. Build on that as the use of AI within the organization grows.

How Pegamento Helps with AI Governance

We understand that for many organizations, AI governance feels like a complex issue where it’s hard to know where to start. Drawing on our experience with Agentic AI for customer service, we help organizations deploy AI in a responsible and controlled manner. Agentic AI represents the evolution from task-oriented bots to self-thinking assistants that not only follow instructions but also take the initiative and act independently. It is precisely this autonomy that requires clear governance.

What we can do for you:

  • Understanding Your Current Situation: We help you identify which AI systems you’re already using and the associated governance risks
  • Practical solutions without unnecessary complexity: No costly custom development, but a smart combination of proven modules tailored to your organization’s size and industry
  • Everything under one roof: From consulting and implementation to management and support, without having to coordinate multiple vendors
  • Compliance-focused solutions: Our approach takes into account the EU AI Act and related laws and regulations, supported by our ISO 27001, ISO 9001, and ISO 26000 certifications
  • Human-centered technology: We strengthen human connections rather than replace them, making governance simpler and more transparent

Would you like to know where your organization currently stands in terms of AI governance? Contact us, and we’d be happy to discuss this with you—with no obligation.

Frequently Asked Questions

How does AI governance for small organizations differ from that of large companies?

Small organizations do not need to set up an extensive governance structure to operate in a compliant and responsible manner. A basic document that includes an AI inventory, a single designated person in charge, and a simple approval process for new tools already provides a strong foundation. The difference compared to large organizations lies mainly in scale: while a multinational may need an AI Governance Board and a Chief AI Officer, an SME can assign these tasks to an existing IT or compliance staff member. It is essential that these responsibilities are assigned, regardless of the organization’s size.

What should I do if an employee has started using an AI tool without authorization?

Start by assessing the situation: which tool is it, what data is being processed, and what are the risks? Use this as an opportunity to establish clear internal guidelines for approving AI tools, so employees know what process to follow. Don’t react punitively; instead, view it as a sign that there is a need for AI literacy and clear communication about what is and isn’t permitted. This type of ‘shadow AI’ is one of the biggest governance blind spots in many organizations.

How do I know if an AI system I’m purchasing from a supplier complies with the EU AI Act?

Ask your supplier explicitly about the system’s risk category under the EU AI Act and whether they, as the provider, can provide the required conformity documentation. For high-risk systems, providers are required to maintain a technical file and conduct a conformity assessment. However, as a user, you are also responsible for ensuring proper use within the established frameworks, so make sure that contractual agreements regarding the division of responsibilities are clearly defined.

How often should an AI governance framework be reviewed?

A minimum review cycle of once a year is a good starting point for most organizations, but in practice, the governance framework deserves more frequent attention. You should also review the framework when introducing a new AI system, when making significant changes to existing systems, in the event of an incident, or when new laws or regulations come into effect. Given the phased implementation of the EU AI Act through 2031, it is wise to check each year which new obligations have come into effect.

What is the biggest misconception about AI governance that costs organizations dearly?

The most common misconception is that AI governance is a one-time project rather than an ongoing process. Organizations draft a policy document, then stop there, thinking they’re done—all while AI systems continue to evolve, new tools are introduced, and legislation changes. A second costly misconception is that governance is only relevant for organizations that develop AI themselves: even organizations that use only off-the-shelf AI software have governance obligations and face risks if the software is used without oversight.

How do I involve employees in AI governance without creating resistance?

Don’t communicate governance as a control mechanism, but as a way to protect employees and provide clarity on what they are allowed to do with AI. Involve representatives from operational teams early in the process so that policies align with daily practice rather than being at odds with it. Practical AI training tailored to their specific work context is more effective than abstract compliance sessions. Furthermore, Article 4 of the EU AI Act mandates AI literacy at all levels, which provides a concrete reason to address this in a structured manner.

Can I reuse existing compliance processes, such as those for the GDPR, for AI governance?

Yes, and that is also recommended. Processes such as risk assessments, incident reporting, and processing records that you’ve already set up for the GDPR provide a solid foundation for AI governance. AI systems that process personal data fall under both frameworks simultaneously, so integration saves you from duplicating efforts. Keep in mind, however, that the EU AI Act imposes additional requirements that go beyond the GDPR, such as technical documentation of models, human oversight, and conformity assessments for high-risk systems. Use the GDPR framework as a foundation and build the AI-specific layers on top of it.

More blogs

Download the white paper here

Deepen your knowledge with Pegamento’s white papers.

Joost Schaap-Account manager Pegamento

Joost Schaap

Senoir Account Manager

When a customer contacts an organization because they have a complaint, it is crucial that the employee of the organization begin by listening carefully. What does this complaint mean for the customer and also for their own organization? How can this complaint be resolved? After listening carefully the employee needs the right information so that a solution can be offered.

This piece was written by Joost Schaap, working as an Account Manager at Pegamento.

Tim Treurniet-AI developer Pegamento

Tim Treurniet

Designer of Intelligent Systems

Real childhood heroes I never had. But in retrospect, I believe figures like Willie Carrot or Dexter’s lab may have had an influence on me. I get energy from actually making innovative and useful products myself. Nothing like seeing the effect of a project that automates a boring task, or makes a complex process suddenly accessible.

A nice bridge to my photograph is the physical aspect of my work. By working with image recognition, I am often very directly connected to the physical world and my work is more than just programming. For example, our image recognition software ensures safety on bridges, tracks players on a soccer field or uses your own smartphone to accurately measure yourself. This combination between physical and digital provides variety and extra challenge. For me, these are the main reasons for my interest and enthusiasm in what I do!

This piece was written by Tim Treurniet, employed Designer of intelligent systems at Pegamento.

Vera van der Plas-UI-UX designer

Vera van der Plas

UI/UX Designer

As a UX/UI designer, I deal daily with transforming complex data into user-friendly visualizations. All of this topped off with a digital lick of paint which should attract the visitor’s attention to take action.

One of the interesting aspects of this field I find the effects that small tweaks, both textual and visual, can have on conversion. The psychological impact that a simple background color of a CTA button has on our behavior is huge. After all, that color can determine whether or not you are going to buy that product.

What we see and how our brains process and interpret this information fascinates me. The possibilities of subconsciously pointing potential customers in your chosen direction are endless. I hope to apply my expertise more often within our solutions in the future.

This piece was written by Vera van der Plas, working as a UX/UI Designer at Pegamento.

Fouad Rahaoui-Finance Pegamento

Fouad Rahaoui

Financial Controller

A Financial Controller within a company should not only be an expert in Finance. You must also have knowledge of the latest IT developments. Because these are also moving very quickly in the world of Finance.

At Pegamento, I can learn all about the latest IT developments. Like the latest development in the field of Machine learning and deep learning.

Through these application areas, as Financial Controller, I can further automate the financial business processes within Pegamento and implement improvements for the automatic processing of financial data.

This piece was written by Fouad Rahaoui, working as a Financial Controller at Pegamento.

Ernst Vegter-Business consultant Pegamento

Ernst Vegter

Business Consultant

Hospitality is one of my deepest motivations.
Not surprisingly, of course, customer service is a common thread in my career. Aspects of hospitality is being able to connect, to facilitate but mainly to make someone feel genuinely welcome. My intuition is my greatest asset to be able to put myself in the shoes of a guest. A customer is my guest.

Fed by various senses, an image forms around the client. I listen to what is being said, watch facial expressions, taste the underlying tone and get a feel for the challenge to be addressed. An image literally forms on my retina. I have to be able to see it. If I can see it, I can create it.

In this, the trick is to pursue simplicity, give the client a warm feeling that the problem is understood, receive good advice, facilitated and carefully guided to the solution. Trust, connect and unburden.

The feeling when a guest arrives at your hotel after a long tiring journey, can sit in front of the fireplace, be handed a good glass of wine and stare carefree at the fire. My guest knows it will be okay.

This piece was written by Ernst Vegter, working as a Business Consultant at Pegamento.

Gunisch-AI developer Pegamento

Gunish Alag

AI Developer

A picture is worth a thousand words, is an expression most of us have heard. We see a lot of things around us on a daily basis and subconciously have the ability to recognize and understand them. This ability of humans to me seems bizarre.

As a computer vision developer at Pegamento that is what I do, break down complex problems and turn them into solutions using images by meticulously extracting useful data.
With the world moving forward and new technologies emerging, complicated problems which were difficult to solve a decade earlier suddenly seem possible and viable. The future is full of new challenges and I look forward to them.

This story is written by Gunish, working as an AI developer at Pegamento.

Ewold Jansen-Service engineer Pegamento

Ewold Jansen

Service & Support Engineer

Hearing the wishes a customer has or the problems a customer is facing is important in order to then be able to help them properly. In both cases, I help find the right solution.

When the customer comes to us with a desire, they don’t know what all the options are. In this I advise them to make the right choices. When problems arise, listening to them is important. For example, a problem arises from a wrong action. By communicating well in this, many problems can be solved quickly by explaining it well. Through poor communication, a small problem can become very big.

This piece was written by Ewold Jansen, working as a Service & Support Engineer at Pegamento.

Andre Glasbergen-Scrum master Pegamento

Andre Glasbergen

Scrum Master

After completing my studies, I started working as a developer at a young Pegamento with a lot of ambition and enthusiasm. In the first years I learned all about process automation, now better known as RPA. I often had to rack my brains to convert the work instruction into a logical function, with not too many If-statements, so that the robot could perform the work.

I developed further and went to work as a consultant. Listening well to the customer and supporting in the pre-sales phase of projects. Executing projects and listening suited me very well. It was a small, but logical, step to now work as a Scrum Master and Project Manager. I have been supervising projects for a few years now. Such as RPA, Cloud applications and AI, according to the Human lead agile approach, We build this with a large team of specialists.

This piece was written by André Glasbergen, working as a Scrum Master at Pegamento.

Ensar Ari-IT engineer Pegamento

Ensar Ari

IT Engineer

Good communication between customer and organization is very important. As an organization, you naturally want to be easily accessible to your customers. Either via social media channels or via the old familiar telephone. Often organizations do not know exactly how they want their telephone line set up. That is why I like to help them think along and give them ideas. I believe there is a solution to every problem. But sometimes you just need someone who looks at the situation a little differently.

This piece was written by Ensar Ari, working as an IT Engineer at Pegamento.

Nini Heerings-Chief Happiness Officer Pegamento

Nini Heerings

Chief Happiness Officer

“You get to know someone better by playing for an hour than by talking for a year.”

This quote from Plato is totally hitting home for me. That’s why I like to connect people through play. Because while playing, you are totally on, all your senses at work.
In my great role as Chief Happiness Officer, I want to do that by connecting colleagues with each other and with the organization. In a creative and playful way that suits Pegamento.

When I’m not at work, I also enjoy connecting people. I do this by organizing The Playground, where adults play games you used to play in the schoolyard, gymnasium or neighborhood playground. The pure feeling of fun, total relaxation and no thoughts of anything but playing. That feeling is the goal.

This piece was written by Nini, working as Chief Happiness Officer at Pegamento.

Ger Koedam-Communication & Marketing Pegamento

Ger Koedam

Marketing & Communications

How can I help you? That’s pretty much the first question I ask when talking to people who are curious about our services. In such a conversation, the use of senses is very important. Because not everyone is the same. One person thinks in images, while for another words are important or how something feels. For me, sight and hearing are the most beautiful senses, because both eyes and ears absorb information and can convey or process emotions.

Why hearing? Because listening is essential in contact. And it’s the key to unlocking valuable insights.

I developed this skill early on. As a child, I enjoyed radio plays on the radio, bringing the stories to life in my head.

Pim Ritmijer-Software developer Pegamento

Pim Ritmeijer

Software Developer

Programming is more than just “code knocking. For me, listening to what the customer wants and visualizing that is an important part of software development.

Actively listening to a customer to understand the customer’s full story is crucial before building a solution. When you understand a customer’s story, you can think together about a solution that truly helps the customer.

Visualizing solutions is the next step for me. What will be the route we will climb to get to a solution? What challenges are we going to face to get to the top?

Like climbing, good preparation is valuable. Even though you can’t prepare for everything, preparation helps make the application fit the client’s needs as well as possible.

What a beautiful and fascinating profession programming is.

This piece was written by Pim Ritmeijer, working as a Software Developer at Pegamento.

Denise Verhoef-Software developer Pegamento

Denise Verhoef

Software Developer

Hearing is something you do a lot of as a programmer but also thinking, for example, when you are tasked with putting together a customer need. If the customer wants a function for his application, it is important that as a programmer you think carefully about which functions are functional and which functions are not. In this way, you will put together the most functional application possible and the customer will have a good end product. Turning needs into code into functionality is something I find interesting.

I am currently doing an internship at Pegamento and studying Software Developer. I get a lot of information that you have to process and apply. The nice thing about this is that you can learn new things but also that you can experience how it works in real business. I started this training last year and knew nothing about programming beforehand. Now I can find my own way with programming and I enjoy working with it. That you can get from a blank page to a functional application through code is cool!

This piece was written by Denise Verhoef, working as a Software Developer intern at Pegamento.

Remco Pabst-Business consultant Pegamento

Remco Pabst

Computer Vision & AI Lead

Using innovative software technology for people or business to make “things” easier and smarter is really a driving force. That’s why the connection between the senses appeals to me the most. Our brains connect the senses just like a business process connects people, systems (data) and logic. They register and trigger an action, exactly how it should be in an optimal workflow. Very cool what is already possible today when we add a lot of computational power to that as well.

Hearing also means a lot. Not because I like to listen to Jazz, Soul, Deep House or Focus-like music every day AND have to be able to listen well to interpret a wish or pain point, but more because not everyone can have all the senses at their disposal. Think of him or her with a visual impairment. The fact that in close cooperation we were able to apply AI, TTS/STT technology (which is still in development) for this often underserved group of people in today’s digital world and to improve the interaction and experience with it gives me a lot of energy and meaning to what I try to do with technology; create value.

This piece was written by Remco, working as a Business Consultant at Pegamento.

Thomas de Wolf-Vision Engineer Pegamento

Thomas de Wolf

R&D Director

Once when I had to choose which study I was going to do, I had a hard time making that choice. I was interested in engineering, but what I most wanted to do was just work with a team toward a common goal.

To this day, that is still what I love doing most. The technology has become image recognition and the team the computer vision department of Pegamento. So it’s logical that in terms of sense, I end up with “seeing. By using our image recognition solutions to see things in the real world, our entire team solves relevant problems for our customers. And because of the variation in customers, the places where our solutions end up are never the same. For example, one moment I am in the control room of a bridge and the next day I am on a production line for sandwiches or between the fences of a TBS clinic.

This piece was written by Thomas de Wolf, working as a Computer Vision & AI Lead at Pegamento.

Rob Roode-Research Development

Rob Roode

Research & Development

Recognizing and automating patterns. Tasks we are constantly working on when implementing our robots at Pegamento. My 2 Drentsche Patrijshonden are hunting dogs and certainly not robots. The hunting instinct and intuition is basically in their genes. Continuing to offer new forms of training has taught them to recognize and act independently in hunting situations. Even “unsupervised,” even if I’m not around.

But when you try to teach a brain something, it also starts to see things you don’t expect. Dogs pick up on the slightest deviation in your voice or directions. To start recognizing that and correcting it again is perhaps the most complex challenge. But in our work, for the wonderful clients for whom we get to work, it often yields the most beautiful new insights!

This piece was written by Rob, founder of Pegamento and in charge of Marketing and R&D.

Serge Poppes-CEO Pegamento

Serge Poppes

CEO

Feeling. That’s the best thing Pegamento stands for. Feeling for technology in the broadest sense of the word. Not only feeling for the exciting stuff like AI, but also for the basics of communication.

The very best part of my job is selling, listening, translating and thinking about what really matters. We bring the digital transformation with a great team!
The diversity of our team, how sharp we are, but especially the wonderful things we get to make makes me feel extremely good. Hence, I intuitively chose the sense of “feeling.

Feeling gives life and differentiation!