Governance by design.
How AI governance and EU AI Act readiness fit into the first ninety days as Head of AI. A designer's view of governance, grounded in seven years of regulated-industry work at Roche, ING and Philips, and two years of running production AI with responsible-AI principles built into the architecture.
- Role: Head of AI, governance lead
- Duration: First ninety days, then continuous
- Team: Head of AI, plus legal, security and one product representative
- Vertical: Any organisation operating AI in the EU after 2 August 2026

The deadline
On 2 August 2026 the EU AI Act becomes fully applicable. High-risk AI systems will need documented controls, designed human oversight, audit trails, and a compliance posture that survives scrutiny. Most scale-ups are not ready, and many do not yet have a clear picture of what AI is running inside their own organisation.
This is the governance program I lead in the first ninety days, in parallel with the rollout in Case 03. Governance is a design problem, and it belongs at the centre of an AI program rather than at the edge.
Three blind spots
- No AI inventory. Most organisations cannot list, on a single page, what AI is running, what data each system touches, who owns it, and what the failure mode is. Without that inventory, classification is impossible. Without classification, compliance is impossible.
- Human oversight as a disclaimer. A footer that says "AI-generated, please review" is not oversight. Real oversight is a design pattern. Defined review points, designed approval interfaces, documented override paths, a working escalation when the system is uncertain.
- Training mistaken for compliance. A one-hour module does not survive an audit, and it does not survive the moment an employee misuses an AI system. Training is a program, not a slide deck.
The first ninety days
Days 1 to 30. Inventory and classification. Working with engineering, product and legal, I map every AI system running in the organisation. Internal tooling, customer-facing features, vendor integrations, the AI inside the SaaS the team already uses. Each gets a record. What it does, what data goes in, what decision comes out, who owns it.
Each system is classified against the Act. Minimal, limited, high-risk, prohibited. The high-risk ones are the ones we design around carefully.
Days 31 to 60. Designed human oversight and documentation. For every high-risk system, I design the oversight layer with the team. Where does a human see the AI's output before it acts? What can they override, and what happens when they do? How is the decision logged? How does the system fall back when confidence is too low?
This is design work, not legal work. It is the same kind of work I did at Roche, designing for pharmaceutical workflows where a wrong UI had safety consequences. Get the interaction right and the audit trail follows.
Documentation in this phase is the part teams forget. Technical documentation, instructions for use, records of design decisions. The Act requires this for every high-risk system. The cost of writing it later is many times the cost of writing it now.
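The oversight layer described above, as an added example: this is not code from the page, from Memortium or from any of the named employers, and the class names, the confidence floor and the sample proposals are all constructed for illustration. It shows the four design decisions as code paths: the model proposes, a human sees the output at a defined review point before anything is delivered, an override is only accepted with a replacement decision and a written reason, every step lands in an append-only audit record, and an output below the confidence floor is withheld rather than delivered.

```python
"""Human-oversight gate for a high-risk AI decision (added example, constructed)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional


class Outcome(str, Enum):
    WITHHELD = "withheld"              # confidence below floor: nothing is delivered
    PENDING_REVIEW = "pending_review"  # waiting at the designed human review point
    APPROVED = "approved"              # reviewer accepted the model's decision
    OVERRIDDEN = "overridden"          # reviewer replaced the decision, with a reason


@dataclass(frozen=True)
class Proposal:
    case_id: str
    model_id: str      # which model version produced this; the audit trail needs it
    decision: str
    confidence: float  # 0.0 .. 1.0 as reported by the model
    rationale: str


@dataclass
class AuditRecord:
    timestamp: str
    case_id: str
    model_id: str
    proposed: str
    confidence: float
    outcome: str
    final: Optional[str] = None    # what actually goes out; None when withheld or pending
    reviewer: Optional[str] = None
    reason: Optional[str] = None


class OversightGate:
    """Every proposal passes through here before anything reaches the outside world."""

    def __init__(self, confidence_floor: float) -> None:
        self.confidence_floor = confidence_floor
        self.pending: Dict[str, Proposal] = {}
        self.audit_log: List[AuditRecord] = []  # in production: ship to an append-only store

    def _log(self, p: Proposal, outcome: Outcome, final=None, reviewer=None, reason=None) -> None:
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            case_id=p.case_id, model_id=p.model_id, proposed=p.decision,
            confidence=p.confidence, outcome=outcome.value,
            final=final, reviewer=reviewer, reason=reason,
        ))

    def submit(self, p: Proposal) -> Outcome:
        """Review point 1: low confidence is withheld outright, everything else waits for a human."""
        if not 0.0 <= p.confidence <= 1.0:
            raise ValueError("confidence must be in [0, 1]")
        if p.confidence < self.confidence_floor:
            self._log(p, Outcome.WITHHELD, reason="confidence below floor")
            return Outcome.WITHHELD
        self.pending[p.case_id] = p
        self._log(p, Outcome.PENDING_REVIEW)
        return Outcome.PENDING_REVIEW

    def review(self, case_id: str, reviewer: str, approve: bool,
               override: Optional[str] = None, reason: Optional[str] = None) -> str:
        """Review point 2: the human approves, or overrides with a mandatory reason.
        Returns the decision that is actually delivered."""
        p = self.pending.pop(case_id)  # KeyError if nothing is pending: nothing to deliver
        if approve:
            self._log(p, Outcome.APPROVED, final=p.decision, reviewer=reviewer)
            return p.decision
        if not override or not reason:
            self.pending[case_id] = p  # put it back; an undocumented override is not an override
            raise ValueError("override requires a replacement decision and a reason")
        self._log(p, Outcome.OVERRIDDEN, final=override, reviewer=reviewer, reason=reason)
        return override

    def export_audit(self) -> List[dict]:
        return [asdict(r) for r in self.audit_log]


def demo() -> List[dict]:
    """Constructed walk-through: one approval, one override, one withheld output."""
    gate = OversightGate(confidence_floor=0.80)
    gate.submit(Proposal("c1", "scorer-v3", "approve_claim", 0.93, "matches policy 4.2"))
    gate.submit(Proposal("c2", "scorer-v3", "reject_claim", 0.88, "missing signature"))
    gate.submit(Proposal("c3", "scorer-v3", "approve_claim", 0.41, "weak evidence"))
    gate.review("c1", reviewer="ana", approve=True)
    gate.review("c2", reviewer="ana", approve=False, override="request_documents",
                reason="signature is present on page 3; reject is wrong")
    return gate.export_audit()


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The point of the shape is that there is no code path from `submit` to a delivered decision that skips `review`, and no override that skips the reason field; the audit log is written by the gate itself, so the record of who changed what, and why, does not depend on the reviewer remembering to write it down.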
Days 61 to 90. Training and continuous compliance. AI literacy is a program. I design it the same way I designed paired training in Case 04. Role-based, anchored in real flows. Engineers learn the technical and design constraints. Customer-facing teams learn what they can and cannot promise. Leadership learns the regulatory posture and what is at stake.
Continuous compliance is the other half. The inventory is a living document. Every new feature gets classified before it ships. Every vendor integration gets a fresh look. Every model swap gets a sign-off.
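The inventory from days 1 to 30 and the continuous-compliance rule from days 61 to 90, as one added example (not the page's own tooling or any named company's register). One record per system carries the fields named above: what it does, what data goes in, what decision comes out, who owns it. A release gate then refuses anything unclassified or prohibited, and refuses a high-risk system that lacks an owner, designed oversight or technical documentation; a model swap clears the sign-offs so the system has to be re-confirmed. The four tiers are the Act's categories as the text names them; the field names, the checks and the sample records are constructed.

```python
"""AI inventory register with a pre-release compliance gate (added example, constructed)."""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Optional


class RiskTier(str, Enum):
    MINIMAL = "minimal"
    LIMITED = "limited"
    HIGH = "high-risk"
    PROHIBITED = "prohibited"


@dataclass(frozen=True)
class AISystem:
    name: str
    purpose: str                       # what it does
    data_in: List[str]                 # what data goes in
    decision_out: str                  # what decision comes out
    owner: Optional[str]               # who owns it
    origin: str                        # "internal", "vendor" or "saas-embedded"
    tier: Optional[RiskTier] = None    # None until classified
    oversight_designed: bool = False   # review points, override path, logging, fallback
    tech_docs: bool = False            # technical documentation and instructions for use
    model_version: str = "unknown"


def findings(s: AISystem) -> List[str]:
    """Reasons this system may not ship. An empty list means it passes the gate."""
    out: List[str] = []
    if s.tier is None:
        out.append("unclassified")
    elif s.tier is RiskTier.PROHIBITED:
        out.append("prohibited practice")
    if not s.owner:
        out.append("no owner")
    if not s.data_in:
        out.append("data inputs not recorded")
    if s.tier is RiskTier.HIGH:
        if not s.oversight_designed:
            out.append("high-risk without designed human oversight")
        if not s.tech_docs:
            out.append("high-risk without technical documentation")
    return out


def release_gate(inventory: List[AISystem]) -> Dict[str, object]:
    """The one-page view: how many systems, how many high-risk, and what blocks each one."""
    blocked = {s.name: findings(s) for s in inventory if findings(s)}
    return {
        "total": len(inventory),
        "high_risk": sum(1 for s in inventory if s.tier is RiskTier.HIGH),
        "blocked": blocked,
    }


def on_model_swap(s: AISystem, new_version: str) -> AISystem:
    """Every model swap gets a fresh sign-off: oversight and docs must be re-confirmed."""
    return replace(s, model_version=new_version, oversight_designed=False, tech_docs=False)


def sample_inventory() -> List[AISystem]:
    """Constructed records covering the four kinds of system the text lists."""
    return [
        AISystem("cv-screener", "ranks job applicants", ["CV text", "application form"],
                 "shortlist / reject", owner="hr-platform", origin="internal",
                 tier=RiskTier.HIGH, oversight_designed=True, tech_docs=False, model_version="v1"),
        AISystem("support-bot", "drafts replies to support tickets", ["ticket text"],
                 "suggested reply", owner="support-eng", origin="vendor",
                 tier=RiskTier.LIMITED, model_version="2024-q3"),
        AISystem("crm-lead-scoring", "scores leads inside the CRM", ["contact record"],
                 "priority score", owner="sales-ops", origin="saas-embedded"),  # never classified
        AISystem("spam-filter", "filters inbound mail", ["email headers", "body"],
                 "spam / not spam", owner="it", origin="internal", tier=RiskTier.MINIMAL),
    ]


if __name__ == "__main__":
    for name, reasons in release_gate(sample_inventory())["blocked"].items():
        print(f"{name}: {', '.join(reasons)}")
```

Run before every release, the gate turns "every new feature gets classified before it ships" from a policy sentence into a failing check: the SaaS-embedded feature nobody classified and the high-risk screener whose documentation was deferred both show up by name.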
Five non-negotiables
- Governance is a design problem. It cannot be bolted on after a system is live.
- Human oversight is real or it is nothing. Disclaimers do not count.
- Data residency and minimisation are architectural choices, not afterthoughts.
- Responsible AI is a product principle. At Memortium "identity is paramount, if in doubt do not deliver" is enforced in code with ArcFace validation. Not a poster, a gate in the pipeline.
- Compliance on its own is not a competitive advantage, but losing it is a liability. Act-ready companies in August 2026 will sell into regulated buyers without months of friction.
Where this comes from
The methodology comes from regulated work I have done before. Roche, where every UI decision had compliance implications. ING, where regulatory constraints were not optional. Philips, where data handling was first-order. And Memortium, where the responsible-AI principle is in the architecture rather than the marketing copy.
Governance and the rollout in Case 05 are not separate. A rollout that ignores governance produces a system that needs expensive retrofitting in August 2026. A governance program not anchored in real product work produces paperwork that nobody respects. The Head of AI seat is where both are held together.