What it confirmed is more useful than what it revealed:
Most boards know the gap exists between governance documentation and governance evidence.
The diagnostic failure is not awareness.
It is the inability to locate the gap precisely enough to close it.
This week's session with HiveEngage brought together board members, general counsel, and senior risk officers to examine what a regulatory investigation under the EU AI Act actually requires from a board, and specifically why the preparation most organisations have done is designed to satisfy the wrong examination.
Five patterns emerged. None of them were surprises. All of them were more widespread than the organisations in the room expected.
The First Gap: The Inventory Is Incomplete
Before any governance question can be answered, the inventory must be complete. Most organisations believe it is. The session confirmed what the data consistently shows: most are wrong, typically by 30 to 50 per cent.
The gaps are predictable. Vendor-embedded AI features activated by default in enterprise software. Departmental tools deployed without central IT oversight. AI capabilities built into procurement, HR, or finance platforms that nobody in the governance team has examined. The organisation that has constructed a detailed governance framework for its known systems has often done so while an equal number of ungoverned systems operate in parallel.
This is not a technology failure. It is a scoping failure. The board that has not asked for a complete inventory of every AI system currently making or influencing material decisions has not begun the governance task. It has begun a partial version of it. And a partial inventory makes every downstream governance action speculative, because the most significant exposure may sit in the systems nobody has counted.
The Second Gap: Compliance and Accountability Are Not the Same Workstream
The most repeated pattern in the session was not ignorance. It was a confident belief that compliance work and board accountability were the same exercise. They are not.
Compliance teams are doing exactly the right things. Risk assessments are being completed. AI registers are being built. Governance frameworks are being documented. The gap is not the effort. It is the layer those efforts operate at.
Compliance builds what can be audited: the architecture as designed, the processes as approved, the controls as documented. Boards are accountable for what can be investigated: what happened, at a specific moment, in relation to a specific decision, and what can be proved about it now.
A regulatory investigation under Article 65 of the EU AI Act does not audit the governance architecture. It investigates the decision. The authority arrives with a specific output in scope and asks for the record of it. Not the policy. Not the framework. Not the committee terms of reference. The record: what the system was at that moment, what it received, what it returned, and who reviewed it.
The organisation that has built a compliance programme and treated it as board accountability has prepared for one examination. The regulator will conduct the other.
The Third Gap: Oversight That Cannot Be Executed as Described
Article 14 of the EU AI Act mandates effective human oversight of high-risk AI systems. The emphasis belongs on effective.
The session surfaced what the written frameworks do not: in high-volume systems processing thousands of decisions per hour, the governance documentation frequently describes a human review process that is structurally impossible at the speed the system operates. A policy that states "a human reviews each output before the decision is finalised" is not a governance control in a system that produces 5,000 outputs per minute. It is a governance liability.
The most instructive exchange came from a question about a widely deployed enterprise AI tool that nobody in the organisation had configured correctly, because nobody had been told they needed to. The board had approved the deployment. Nobody had defined what the system was actually authorised to do, or what it was not. The oversight record described a review process. The system had been running, largely unmonitored, since it was switched on.
An investigation would not examine the review process description. It would examine whether any named human had contemporaneously recorded what they assessed, when, and on what basis. For this organisation, that record did not exist.
The gap between a documented oversight architecture and a functioning one is where Article 14 exposure accumulates. The boards most at risk are not those without oversight documentation. They are those whose documentation describes something that cannot physically happen.
The Fourth Gap: The Accountability Chain Has No Named Individual
Every governance framework assigns accountability. Most assign it to a committee, a function, or a role. None of these is a person.
When a regulatory investigation requests the accountability chain for a specific AI-assisted decision, it is not asking for the committee structure. It is asking for the individual whose name was on the record before the decision was made: who was accountable for this specific AI system, with what documented mandate, and from what date.
For UK-regulated financial services organisations, the Senior Managers and Certification Regime makes this personal. The SM&CR requires a named Senior Manager to have taken documented, reasonable steps to prevent regulatory breaches within their area of responsibility. If the EU AI Act establishes that a breach occurred and the accountability chain cannot be traced to a named individual with a dated mandate that preceded the challenged decision, both regimes are broken simultaneously.
The session produced an observation worth preserving: every organisation present had a committee responsible for AI governance. None could immediately name the individual within that committee whose personal mandate covered the specific AI system under discussion. The committee existed. The accountability did not.
The Fifth Gap: The Omnibus Extension Is Being Misread
The fifth gap emerged not in a finding but in a question. A board member had absorbed the May 2026 Omnibus agreement and was applying it as permission to reduce the urgency of governance work.
The Omnibus postponed the Annex III high-risk compliance deadline from 2 August 2026 to 2 December 2027. It is being read by some boards as a sixteen-month reprieve. It is not.
The transparency obligations under Articles 50 to 55 remain live from 2 August 2026. The SM&CR framework is UK law and is not amended by an EU Omnibus agreement. The Companies Act 2006 section 174 duty of care applies today and has always applied.
And the forensic evidence standard that a market surveillance authority will apply when it opens an investigation after December 2027 is identical to the standard it would have applied after August 2026. The investigation will arrive with a specific decision in scope. It will ask for the log. The absence of the log will be the same finding in 2027 as it would have been in 2026.
The board that uses the Omnibus extension to stand down its governance work will arrive at December 2027 in precisely the same position it occupies today. It will have the same evidence gap. It will have spent sixteen months not closing it. And it will have sixteen months less of credible justification for not having acted.
The extension created a window. The window is not a reprieve. It is the interval in which boards that understood the problem can build the evidence infrastructure properly rather than urgently, and boards that misunderstood it can confirm their misunderstanding at scale.
What the Week Confirmed After the Session Closed
In the seventy-two hours after this session took place, a Derbyshire police officer was placed under criminal investigation for allegedly using AI to create evidential material in multiple cases. The Crown Prosecution Service is now working through affected proceedings, engaging with defence teams and courts on potentially impacted cases. This is the first known case of its kind in the UK criminal justice system.
The five gaps above address the governance of AI systems that assist decisions. The Derbyshire case introduces a prior question: what is the governance of an AI system used to produce the evidence on which a decision is based? If the oversight record, the accountability chain, and the information picture cannot be verified, not because the system was poorly governed but because the output was fabricated, the evidentiary chain is not merely weak. It does not exist.
Boards deploying AI in material decisions face a version of this question with every output the system produces. The governance task is not to trust the output. It is to be able to prove, at the moment of any subsequent investigation, what the output was, who reviewed it, and what authority they had to act on it. That is not a compliance question. It is an evidentiary one. The Derbyshire case makes that distinction impossible to ignore.
In the same week, the US government withdrew access to the world's most capable AI models from every non-US national with a single letter, delivered at 5:21pm on a Friday. The UK government had already invested in sovereign AI infrastructure precisely because this risk was foreseeable. The state is moving to govern AI at the sovereign layer. The question for boards is whether they have governed their own AI dependency at the enterprise layer, and whether anyone in the accountability chain owns that question.
What These Five Gaps Have in Common
None of the five gaps is a compliance failure in the conventional sense. All five are visible in organisations with governance programmes, board-level AI oversight, and documented risk frameworks. They are not gaps in effort. They are gaps in the translation between what governance produces and what an investigation requires.
The Compliance Clock maps your organisation's position across the August 2026 transparency obligations and the December 2027 high-risk enforcement deadline.
The board readiness framework from this week's HiveEngage session is structured across the five governance dimensions that correspond to each of these gaps. It takes fifteen minutes to complete and produces a self-assessment your board can use immediately. It is available free.
The Governance Classification Briefing establishes which of the five dimensions is most urgent for your specific organisation, sector, and regulatory position. It is a 45-minute commitment with no obligation beyond the session itself.
The deadline for Annex III high-risk systems has moved. The standard has not. The only variable is how much of the window your board intends to use.
Dr Ivan Roche FRSS FRSA MInstP is the Founder of Otopoetic Limited, an AI governance advisory practice based in Belfast. The Roche-Review is published weekly on AI governance, board accountability, and the intersection of regulatory enforcement and executive decision-making.

