Many organisations already use AI through everyday software. Learn why the EU AI Act matters and the governance, compliance, and risk issues leaders should address.
When many organisations hear “EU AI Act”, their first reaction is often the same:
“We’re not an AI company.”
The assumption is understandable. The legislation sounds like it is aimed at organisations developing advanced AI models, building intelligent systems, or creating the next generation of AI products.
Yet for many organisations, the more relevant question is not whether they build AI.
It is whether they use it.
And increasingly, the answer is yes.
are becoming part of everyday business operations. Many organisations are already using AI without necessarily considering themselves AI organisations.
That is why the EU AI Act matters.
The organisations most affected by AI regulation may not be the organisations building AI. They may be the organisations buying it.
AI adoption rarely begins with a major transformation programme.
More often, it arrives through software updates, new platform capabilities, departmental initiatives, or individual experimentation.
Before long, AI is influencing decisions, processing information, and shaping business outcomes across multiple functions.
The challenge is that governance does not always arrive at the same speed as adoption.
Many organisations have spent years developing mature approaches to cybersecurity, privacy, procurement, and information governance. AI introduces another layer of responsibility that is still evolving for many businesses.
Much of the discussion surrounding AI focuses on models, algorithms, and technical capabilities.
For most organisations, however, the more important questions are organisational.
Who is responsible for AI governance?
These questions sit far beyond the IT department.
They touch procurement, legal, compliance, HR, risk management, operations, and executive leadership.
As AI becomes embedded within everyday processes, organisations need clarity around accountability, oversight, and decision-making.
Historically, software procurement has focused on areas such as functionality, security, commercial terms, support arrangements, and cost.
AI introduces a new set of considerations.
When evaluating software publishers, organisations increasingly need to understand:
These are not simply technical questions.
They are commercial, contractual, governance, and risk-management questions.
Organisations that understand these issues early will be better positioned to make informed purchasing decisions and avoid unexpected challenges later.
One of the most significant shifts created by AI is that risk increasingly enters the organisation through third-party suppliers.
Many businesses will never develop their own AI systems. Instead, they will access AI capabilities through the software and services they already use.
This makes publisher due diligence increasingly important.
Understanding how software publishers develop, govern, test, and deploy AI capabilities is becoming a critical part of technology governance. Organisations may also need to consider how contractual protections, transparency obligations, and accountability frameworks evolve as AI becomes more deeply embedded within enterprise software.
The conversation is moving beyond:
“What does this software do?”
Towards:
“How does this software make decisions, and what responsibilities do we have when using it?”
Perhaps the most important principle underpinning the EU AI Act is that accountability remains a human responsibility.
AI may assist with analysis, recommendations, automation, and decision-making, but organisations remain responsible for outcomes.
Without clear ownership, AI adoption can create uncertainty around governance, risk management, and accountability.
Leading organisations are beginning to establish clear frameworks that define:
These foundations help ensure AI can be adopted confidently while remaining aligned with organisational objectives, values, and regulatory expectations.
It is tempting to view the EU AI Act purely through the lens of compliance.
That would be a mistake.
The legislation is also prompting organisations to ask broader questions about how AI is governed, how decisions are made, and who is accountable for outcomes.
In many respects, these are questions organisations should already be asking as AI adoption accelerates.
The businesses that gain the greatest value from AI are unlikely to be those that simply deploy the most tools.
They will be the organisations that establish clear governance, understand risk, define ownership, and create the structures needed to support responsible AI adoption at scale.
Understanding the EU AI Act is about more than compliance. It is about understanding how AI is entering organisations, where responsibility sits, and how governance frameworks need to evolve as adoption increases.
For organisations looking for a practical overview of the legislation, Alan King and the team at ITAA.ai have developed a comprehensive interactive guide explaining the EU AI Act, who it affects, and the actions organisations should consider.

Steve Narey, Services Director
Steve is a proven business development leader with over a decade of global experience in software licensing and cloud optimization. He excels at driving strategic growth, optimizing vendor relationships, and securing cost savings through effective SAM programs, contract negotiations, and multi-vendor license management across complex enterprise environments.