Board checklist

EU AI Act readiness: the questions boards should be asking now.

EU AI Act readiness is not only a legal exercise. It is an operating question: can the organisation prove where AI is used, who owns it, what risk it creates and what evidence supports the controls?

1. Can we identify our AI systems?

Boards should expect a current AI system register that covers internal systems, vendor AI, embedded SaaS AI, copilots and agentic workflows. Each entry should have an owner, purpose, user group, lifecycle state and business context.

2. Can we classify risk consistently?

Risk classification should consider intended purpose, impact on people, autonomy, data exposure, external effect, regulated context and supplier dependency. A static spreadsheet is usually not enough once systems change or new AI use cases are introduced.

3. Can we evidence governance decisions?

Policy alone is not assurance. Boards should ask whether the organisation can show approval records, risk tiering, evidence requests, evidence quality review, control testing, findings and remediation history.

4. Can we show human oversight and monitoring?

For material AI systems, organisations need to define oversight points, monitoring expectations, incident escalation routes and review cadence. Agentic workflows also need clear boundaries for tool use, data access and external action.

5. Can we brief leadership clearly?

A board-ready view should show the top AI risks, highest-priority gaps, accountable owners, open remediation, residual risk and investment decisions needed.

Gamut lens

Gamut helps convert these board questions into AI system records, GTSAF readiness scores, evidence packs, findings, remediation roadmaps and EU AI Act readiness reporting.
