More than just another regulatory box to tick, the EU AI Act demands that enterprises fundamentally rethink their data governance strategies to successfully navigate its complexities.
Some organisations physically based outside the EU or without a direct EU market presence might think that they’ve dodged this regulatory bullet and it’s not something that needs to be on their radar – but they’d be mistaken.
With Japan and Australia developing similar guardrails and comparable US legislation on the way, the EU AI Act is fast becoming the “gold standard” blueprint for how data needs to be handled in the AI era. To comply with this new legislation while successfully taking advantage of all that AI has to offer, a robust data governance framework is essential.
The New Rules
It’s worth pausing here to examine what exactly the EU AI Act requires of an organisation. It classifies AI systems into four risk categories—Unacceptable, High, Limited, and Minimal—and imposes stricter rules as the risk level increases.
If an AI system falls into the “High-Risk” category – for example, a system used in hiring, lending, healthcare, or law enforcement, as opposed to a “low-stakes” system like a customer support chatbot – an enterprise will need to meet rigorous data governance requirements.
That starts with training data transparency. Organisations must clearly document where their training data comes from, how it was collected, and whether it’s representative of the real-world populations their AI will affect. Synthetic data? Demographic gaps? Bias risks? All of it needs to be disclosed and addressed.
Additionally, enterprises must address bias detection and monitoring. Put simply, it’s not enough to test a model once. There needs to be ongoing bias testing and performance monitoring to ensure data quality, integrity, and security. That means setting up systems to detect drift, flag anomalies, and correct issues before they cause harm.
A final important aspect of the EU AI Act revolves around incident response protocols. If something goes wrong – say, the AI system makes a discriminatory decision – the enterprise must have a documented plan for responding. Who gets notified? What gets fixed? How do they prevent it from happening again? Regulators want to see that an organisation is prepared to handle this scenario.
Eliminate Data Blind Spots
All of the above can best be dealt with through effective data governance. However, enterprises need to get a handle on their data before they can govern it. For many organisations, this remains a blind spot. Legacy systems, cloud silos, personal drives, and sprawling collaboration platforms have created fragmented ecosystems where visibility into data is compromised and accountability is elusive.
Mapping the full data landscape is an important start. Without it, companies are left guessing about what they hold, and worse, what they shouldn’t.
Once visibility is established, the next step is triage. Organisations must distinguish between operational data – like sales figures or inventory logs – and sensitive Personally Identifiable Information (PII), such as scanned passport images or email addresses.
There should also be clear retention policies for the different data types. How long should each type be retained, and when (and how) should it be disposed of? These policies need to be embedded into workflows, surfaced in daily operations, and understood across departments.
Consolidation and accountability
When data is scattered, enforcement is patchy. Centralisation enables consistent access controls, simplifies audits, and accelerates incident response.
A centralised repository built with a zero-trust framework is advisable for any AI system, but particularly for High-Risk AI systems. This combination of resilience and security lays a data governance foundation that puts organisations in a strong position to meet the EU AI Act’s compliance requirements.
This data centralisation approach also enables enterprises to readily provide training data summaries, which are an essential aspect of compliance with the EU AI Act, given that organisations must disclose the origin, composition, and limitations of the datasets used to train their models. Without transparency and visibility into the data, the risk of embedding bias into decision-making systems grows exponentially.
Ultimately, AI accountability comes down to data, and strong data governance practices will underpin the ethical AI that the EU AI Act mandates.
Enterprises that govern data today will lead tomorrow
In the AI-driven economy, data needs to be governed with precision, foresight, and integrity.
The message from the EU AI Act is clear: responsible AI starts with responsible data. That means the time to build a strong data governance foundation is now. Enterprises that invest in data governance infrastructure today will be better positioned to scale AI responsibly tomorrow, giving them the competitive advantage they seek in today’s fast-evolving business landscape.
Manuel Sanchez is Information Security & Compliance Specialist at iManage with extensive professional experience in information security, governance, and compliance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.