.png)
Picture this: It’s August 2, 2026, and the AI Act's transparency requirements have taken effect.
Legal is sitting in a meeting with Tech and IT to plan the implementation of controls to ensure labelling of AI content, among other things. Governance of those controls is discussed, and the obvious questions come up.
"Do we have an AI policy? Who owns it? Who owns AI governance?
Everyone looks at Legal.
Legal looks back at Tech and IT.
And then comes the sentence no one wants to hear:
“I thought it was you.”
Legal – or Legal/Compliance, depending on how your organization is structured – often becomes the natural starting point for AI governance.
After all, AI governance involves regulation, risk, documentation, and accountability. But AI also touches products, data flows, security controls, suppliers, and technical implementation.
That means that Legal may be central to AI governance – but it cannot own it alone.
The real question is not whether Tech, Legal/Compliance, or IT should own governance alone. The question is how they can share the responsibility in a way that works in practice.
In this article, I will give you what I believe is the most practical answer.
Although many view AI as a new technology, governance is nothing new.
That is why the same mindset should be applied to AI as before the major AI breakthrough in 2022.
Business as usual, you might say.
Governance in the AI domain requires various elements that (perhaps) already exist in your organization.
Typically, you will already have a governance structure in place, complete with policies, procedures, controls, and documentation.
This structure and its underlying principles are technology-neutral.
Therefore, you should use them as a guide in the same way when it comes to AI systems.
In practice, this means that you do not necessarily need to create a separate AI governance setup from scratch. Start by looking at the governance processes you already have – and assess how they should apply to AI.
The approval, procurement, and implementation of AI systems fall under supplier management.
This process is often owned by Legal/Compliance, with advice and support from IT. Together, they handle internal requests to use new AI systems, assess the relevant risks, and ensure the necessary approvals are in place.
Depending on the organization, this process may involve reporting to senior stakeholders, such as the CTO.
In practice, this means that AI systems should go through the same approval routes as other critical vendors or tools – with the necessary AI-specific risk questions added to the process.
When AI systems use personal data or internal business data, the same guidelines should apply as for any other processing of such data.
In other words, AI systems should be governed as part of the organization’s overall information security framework.
This includes risk management, such as:
These sub-disciplines are often shared between Tech, Compliance, and IT. They require insight into operational and business needs, as well as IT security and existing governance in this area.
Risk management may include supplier risks, supply chain risks, IT contingency risks under the CRA, business continuity risks, personal data risks under the GDPR, societal risks under NIS2, information risks, and others.
In practice, this means that the assessment should not stop once an AI system has been approved. The identified risks, controls, and mitigation measures should be followed up on and documented throughout the system’s lifecycle.
Tech is responsible for product security and determines how the product should be designed.
In practice, this means that Tech translates the requirements identified by Legal/Compliance into specific compliance measures.
Legal/Compliance monitors whether those measures are effective and support legal compliance, while IT may review the security aspects.
Of course, the responsibilities will vary from organization to organization. But based on my own experience, a practical starting point could look like this:
.png)
The point is not to create a fixed template for every organization, but to make sure that ownership is clear and collaboration is built into the process.
AI governance should not live a life of its own, disconnected from the organization’s existing governance structure.
But the answer is not to place the full responsibility with one department either. And it’s not to divide AI governance so rigidly that it becomes a set of small satellites with limited collaboration between them.
Instead, AI governance should be embedded into existing structures and responsibilities. To get started, organizations can focus on three practical steps:
As a minimum, Tech, Legal/Compliance, and IT need to meet in the AI intersection. Together, they should design, measure, improve, and put AI governance into practice.

.png)
Sign up for a regular dose of news and updates from the legal landscape.
.png)
Get the latest updates about legal and privacy from experts in the field.

