AI Strategy · February 2026 · 8 min read

AI Governance in 2026: Navigating the EU AI Act, GDPR, and SOC 2 Compliance

The EU AI Act's obligations for high-risk systems begin to apply in August 2026. GDPR's reach into automated decision-making is expanding. And SOC 2 auditors are starting to ask about AI model governance. Here's what enterprise AI teams need to do before their next audit.

Norvik Research & Practice Team

The regulatory environment for enterprise AI has become materially more complex in the past twelve months. The EU AI Act (Regulation (EU) 2024/1689) is already in force: its prohibitions have applied since February 2025, its general-purpose model obligations since August 2025, and the obligations for Annex III high-risk systems (employment, credit, essential services and the like) apply from 2 August 2026, with product-embedded high-risk systems following in August 2027. GDPR's Article 22, the right not to be subject to solely automated decisions, is being read more broadly since the CJEU's SCHUFA judgment (C-634/21, December 2023), which treated the production of a credit score that a lender relies on as itself a "decision". SOC 2 has no AI-specific Trust Services Criteria, but auditors increasingly scope model governance into the existing criteria for change management, logical access and monitoring. Organisations that treated AI governance as a future concern now face active audit exposure.

EU AI Act: What High-Risk Means in Practice

Annex III of the Act lists eight areas of high-risk use, including employment, access to essential services such as credit scoring, and critical infrastructure. If your AI system makes or meaningfully influences a decision that affects a person's employment, creditworthiness, or access to essential services, it likely qualifies; the Article 6(3) carve-out for narrow procedural or preparatory tasks is the exception, and relying on it requires a documented assessment. Obligations split by role. Providers must maintain Annex IV technical documentation, design the system for logging and human oversight, and complete a conformity assessment before placing it on the market. Deployers (Article 26) must use the system according to its instructions, assign trained humans with real oversight authority, keep the automatically generated logs for at least six months, monitor operation, and, where a public body or employer, carry out the required impact assessment and inform affected workers. Most enterprises deploying third-party models fall on the deployer side, but fine-tuning or substantially modifying a system can make you a provider.

GDPR and Automated Decision-Making

Article 22 gives EU data subjects the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Most enterprise AI systems are designed to support human decisions, not replace them, but the documentation of that human oversight needs to be robust. EDPB guidance is explicit that human involvement must be meaningful rather than a token gesture: the reviewer must have the authority and the competence to change the decision, and must actually weigh other factors rather than routinely apply the model's output. 'A human reviewed it' is therefore not sufficient. Regulators want to see that the human had meaningful agency to override the system, and that overrides actually happen: an override rate of zero across thousands of decisions is strong evidence that the review step is a rubber stamp and the decision is, in substance, solely automated.

Model Cards and the Documentation Standard

Model cards, structured documentation describing a model's intended use, training data, performance characteristics, and known limitations, have moved from best practice to something close to a regulatory requirement: the EU AI Act's Annex IV technical documentation overlaps substantially with the model card format, so a maintained card is the fastest route to the provider-side evidence. A well-maintained model card for a high-risk AI system should document: the business purpose and decision it informs, the training data sources and any known biases, performance metrics across demographic subgroups, the conditions under which performance degrades, and the human oversight mechanisms in place. For organisations deploying multiple AI systems, a centralised model registry that houses these cards, tracks version history, and records when each version was deployed and retired is no longer optional.

The Practical Audit Trail

When a SOC 2 auditor or data protection authority requests evidence about your AI system, they are looking for proof that the controls you claim to have are actually operating. The evidence set they expect to see:

  • Decision logs: every AI-informed decision with the input data, model output, confidence score, and any human override recorded. Make the log append-only and tamper-evident, and remember that it is itself personal data under GDPR: pseudonymise or hash direct identifiers where the raw value is not needed, and set a retention period.
  • Model versioning: a complete record of which model version was in production at every point in time
  • Incident records: documentation of any instances where the model produced incorrect or harmful outputs, and the remediation steps taken
  • Oversight evidence: records showing that human review is genuinely happening — override rates, review timestamps, and reviewer identities, not just a checkbox
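The following is an added example of what that evidence set looks like as code; it is not from the original page or any vendor's product. It assumes a hypothetical credit-decision model, a hash-chained append-only decision log, a deployment registry that answers "which version was live at time T?", and an oversight summary that computes the real override rate and counts decisions nobody reviewed. All names, model versions and case data are constructed for illustration.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO-8601 timestamp; the constructed sample data uses a 'Z' suffix."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


class ModelRegistry:
    """Deployment history: answers 'which model version was live at time T?'."""

    def __init__(self) -> None:
        self._deployments: list[tuple[datetime, str]] = []

    def deploy(self, version: str, at: str) -> None:
        self._deployments.append((parse_utc(at), version))
        self._deployments.sort()

    def version_at(self, when: datetime) -> Optional[str]:
        live = None
        for deployed_at, version in self._deployments:
            if deployed_at > when:
                break
            live = version
        return live


@dataclass(frozen=True)
class DecisionRecord:
    decision_id: str
    timestamp: str              # ISO-8601 UTC, when the model ran
    model_version: str          # resolved from the registry, not supplied by the caller
    input_data: dict
    model_output: str
    confidence: float
    reviewer_id: Optional[str]  # None means nobody looked: a solely automated decision
    reviewed_at: Optional[str]
    final_decision: str         # what was actually applied to the data subject
    prev_hash: str              # hash of the previous entry; links the chain
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("entry_hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class DecisionLog:
    """Append-only, hash-chained log of AI-informed decisions."""

    def __init__(self, registry: ModelRegistry) -> None:
        self.registry = registry
        self.entries: list[DecisionRecord] = []

    def record(self, decision_id, timestamp, input_data, model_output, confidence,
               final_decision, reviewer_id=None, reviewed_at=None) -> DecisionRecord:
        version = self.registry.version_at(parse_utc(timestamp))
        if version is None:
            raise ValueError(f"no model version deployed at {timestamp}")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        rec = DecisionRecord(decision_id, timestamp, version, input_data, model_output,
                             confidence, reviewer_id, reviewed_at, final_decision, prev)
        rec = replace(rec, entry_hash=rec.compute_hash())
        self.entries.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """True unless some entry was edited, deleted or reordered after the fact."""
        prev = GENESIS_HASH
        for rec in self.entries:
            if rec.prev_hash != prev or rec.compute_hash() != rec.entry_hash:
                return False
            prev = rec.entry_hash
        return True

    def oversight_summary(self) -> dict:
        """The numbers an auditor asks for: review coverage and the real override rate."""
        reviewed = [r for r in self.entries if r.reviewer_id is not None]
        overrides = [r for r in reviewed if r.final_decision != r.model_output]
        return {
            "decisions": len(self.entries),
            "reviewed": len(reviewed),
            "solely_automated": len(self.entries) - len(reviewed),  # Article 22 exposure
            "overrides": len(overrides),
            "override_rate": len(overrides) / len(reviewed) if reviewed else 0.0,
        }


def build_sample_log() -> DecisionLog:
    """Constructed sample data: a hypothetical credit model, five cases, two versions."""
    registry = ModelRegistry()
    registry.deploy("credit-scorer-2.3.0", "2026-01-01T00:00:00Z")
    registry.deploy("credit-scorer-2.4.0", "2026-02-01T00:00:00Z")
    log = DecisionLog(registry)
    cases = [  # id, run time, features, model output, confidence, final, reviewer, reviewed at
        ("d-001", "2026-01-10T09:00:00Z", {"income": 41000, "dti": 0.45}, "decline", 0.91, "decline", "r.patel", "2026-01-10T09:20:00Z"),
        ("d-002", "2026-01-15T11:30:00Z", {"income": 58000, "dti": 0.39}, "decline", 0.62, "approve", "r.patel", "2026-01-15T12:05:00Z"),
        ("d-003", "2026-02-02T08:15:00Z", {"income": 92000, "dti": 0.18}, "approve", 0.97, "approve", None, None),
        ("d-004", "2026-02-03T14:00:00Z", {"income": 47000, "dti": 0.41}, "decline", 0.58, "approve", "m.okafor", "2026-02-03T14:40:00Z"),
        ("d-005", "2026-02-04T10:10:00Z", {"income": 65000, "dti": 0.30}, "approve", 0.88, "approve", "m.okafor", "2026-02-04T10:12:00Z"),
    ]
    for case in cases:
        log.record(*case)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify_chain())
    print(json.dumps(log.oversight_summary(), indent=2))
```

Two design points matter for an audit. The model version is resolved from the registry at record time rather than trusted from the caller, so the "which version was in production" question is answered from one source of truth. And the override rate is computed only over reviewed decisions, with the unreviewed remainder reported separately, because a high override rate on the handful of cases a human looked at says nothing about the thousands that went straight through.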

A 90-Day Governance Readiness Sprint

Organisations approaching their first AI-related regulatory audit typically have 60–90 days to close material gaps. The sprint follows a predictable sequence: inventory all AI systems in production in week one; assess each against the EU AI Act risk tiers and GDPR Article 22 obligations in weeks two and three; prioritise the highest-risk systems for documentation remediation in weeks four through eight; and implement monitoring and human oversight mechanisms for any system that lacks them by week twelve. The goal is not perfection — it is defensible compliance: the ability to demonstrate that material risks are identified, controlled, and monitored.

The three pillars of AI governance, explainability, documentation, and human oversight, recur across the major frameworks, from the EU AI Act to ISO/IEC 42001, the NIST AI Risk Management Framework, and emerging US state legislation, so evidence built for one audit is largely reusable for the next.

Tags: AI Governance · EU AI Act · GDPR · Compliance · Enterprise AI · Model Cards · AI Risk Management · Responsible AI · AI Audit