Most boards deploying AI in material decisions have a governance framework. Some have an AI ethics committee. Many have approved a responsible AI policy. A small number have invested in external governance reviews. Almost none have asked the question that the EU AI Act will force regulators to ask after 2 August: at the moment a specific AI-assisted decision was made, what does the record show?

That question is not answered by a framework. It is answered by a log.

Sixty-eight days is not enough time to build logging infrastructure from nothing. It is enough time to determine whether the infrastructure that exists can produce what the regulation requires, and what the exposure is if it cannot. That assessment is the most important governance action available to any board deploying high-risk AI before the summer.

The Governance Illusion

The most dangerous position for a board to be in on 3 August is not ignorance. It is false confidence.

A board that knows it has no AI governance framework knows it is exposed. It can take immediate steps, document the gap, commission the work, and begin building the record. Its exposure is real but its position is intellectually honest.

A board that believes it is governed, because it has a policy, a committee, and an approved framework, but cannot produce a forensically reconstructible record of any specific AI-assisted decision, is in a worse position. It has the confidence of compliance without the substance of control. When a regulator asks for the record, the framework is irrelevant. The log is what is examined.

This is the governance illusion: the belief that the existence of a governance process is evidence that governance has occurred. The EU AI Act does not share that belief.

What the Act Is Actually Testing

Articles 9, 12, 13, 14 and 19 of the EU AI Act are not primarily concerned with whether an organisation has a governance process. They are concerned with whether that process produced a continuous, verifiable record of the system's operation at the level of individual decisions.

Article 12 is the most precise. It requires logging capability sufficient to enable post-hoc reconstruction of the system's operation. The phrase post-hoc reconstruction is the operative standard. It means an external auditor, unfamiliar with the system, unfamiliar with the organisation, and with no access to the memory of any individual who was involved, should be able to reconstruct what happened at a specific decision moment from the record alone.

Most governance frameworks are not designed to produce this. They are designed to demonstrate that governance was considered, structured, and approved. Those are different objectives, and the EU AI Act enforces only one of them.

The Four Questions That Determine Exposure

An honest assessment of exposure before 2 August has four questions. They are not technical questions. They are governance questions, and they belong on the board agenda before June ends.

First: can the organisation identify every AI system it currently deploys that falls within the Act's high-risk categories? The categories include credit scoring, employment screening, benefits eligibility, access to essential services, critical infrastructure management, and educational assessment. If the answer to this identification question is uncertain, everything that follows is speculative.

Second: for each identified system, does a continuous log exist that captures the inputs present at the time of each decision, the transformation steps applied, the model output produced, and the human oversight action taken? A log that captures outputs but not inputs, or inputs but not oversight actions, does not meet the Article 12 standard.

Third: is that log forensically reconstructible? That is, could an external auditor reconstruct a specific decision from the record alone, without any assistance from the organisation's staff? If the answer has to be qualified by statements such as "yes, but you would need to speak to the data team" or "yes, but the logs are held across three systems", the answer is no.

Fourth: has the board seen this record as a live output, not as a summary prepared for a governance committee? A board that has approved a governance framework has exercised governance intent. A board that has reviewed a live decision log has exercised governance control. Only the latter is defensible under Articles 14 and 19.

What 68 Days Is For

Sixty-eight days is not a remediation window. It is a diagnostic window.

The boards that will be in the most defensible position after 2 August are not those that completed the most governance work before the deadline. They are those that conducted the most honest assessment of their actual position and documented that assessment with specificity.

A board that completes the four-question audit before the end of June and produces a written record of its findings, including gaps identified, actions commissioned, and timelines established, has created something that did not exist before: a contemporaneous board-level record of governance awareness at a specific point in time. That record does not solve the underlying problem, but it demonstrates that the board understood its obligations and acted on them within the available window.

That distinction, between a board that knew and acted and a board that knew and did not, is precisely where director liability under Companies Act 2006 section 174 is assessed.

The question the EU AI Act poses is not whether your board intended to govern its AI systems. It is whether your board can prove what those systems did.

Sixty-eight days is enough time to find out which of those two positions your organisation is in. It is not enough time to pretend the question has not been asked.

* * *

Dr. Ivan Roche FRSS FRSA MInstP
Founder and Principal Advisor · Otopoetic Limited · Belfast
