AI Governance & Documentation

Defensible governance starts with a real risk-management system: a working process for identifying, assessing, and mitigating AI risk across the product lifecycle — not a one-page policy. For systems that fall in the AI Act’s high-risk category, a risk-management system is a specific legal requirement (Article 9), and it’s expected to operate continuously rather than as a one-off sign-off.

High-risk systems must be designed so that people can effectively oversee them (Article 14). In practice that means writing down who reviews what, when, and how — the oversight has to be real and documented to the standard high-risk systems require, not asserted.

• Define the oversight points across the workflow and who is accountable at each.
• Specify what a reviewer can see and do — including the ability to intervene or stop the system.
• Record how oversight is exercised, so it can be evidenced rather than merely claimed.

Article 50 sets transparency obligations that apply more broadly than just high-risk systems. Two situations matter for most products:

• AI interactions — telling people when they’re interacting with an AI system, unless it’s obvious from the context.
• AI-generated or manipulated content — marking or disclosing synthetic content (the deepfake / generated-media obligations).

These disclosures should be written to fit your product rather than dropped in as generic banners. (Note the timing nuance in step 05: the marking obligation for AI-generated content was given a short grace period under the Digital Omnibus, while other Article 50 duties remain on the original schedule.)

Governance becomes real in the documentation your team can produce and maintain:

• Technical documentation and record-keeping — for high-risk systems, the AI Act requires technical documentation (Article 11 and Annex IV) and logging/record-keeping (Article 12). Templates your team can actually keep current beat a perfect one-off document.
• Model / GPAI documentation — if you build or fine-tune models, general-purpose AI model providers have their own obligations (Chapter V, Articles 53–55), including technical documentation, information for downstream providers, a copyright policy, and a summary of training content; models presenting systemic risk carry additional duties under Article 55. Practical artifacts here include model cards and training-data governance records.

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in phases:

• Prohibited practices and AI-literacy duties — since 2 February 2025.
• General-purpose AI model obligations and the governance framework — since 2 August 2025 (these GPAI provisions, Articles 51–55, were not changed by the Digital Omnibus).
• High-risk obligations and Article 50 transparency — originally 2 August 2026.

That last date is the one in flux. As part of the Digital Omnibus (Commission proposal 19 November 2025), the Parliament and Council reached a provisional agreement on 7 May 2026 — not yet formally adopted at the time of writing — that, if adopted as agreed, would:

• defer high-risk Annex III (use-based) obligations from 2 August 2026 to 2 December 2027;
• defer high-risk Annex I (product-regulated) obligations from 2 August 2027 to 2 August 2028;
• give the Article 50(2) marking obligation for AI-generated content a grace period to 2 December 2026, while other Article 50 transparency duties continue from 2 August 2026.

Until the amendments are formally adopted and published in the Official Journal, the original dates remain the legal baseline.