Nimbous
NIMBOUS
Back to Index
Security8 minSep 2025

AI Governance Without the Bureaucracy

Enterprise AI governance doesn't need 200-page PDFs. It needs engineering. Here's a practical guide to SOC 2, GDPR, and the EU AI Act.

Ask an enterprise AI team about governance and you'll usually get one of two responses. Either they wave vaguely at a compliance document someone wrote eighteen months ago, or they explain that governance is "on the roadmap" — right after they finish the exciting work.

Both responses mean the same thing: governance hasn't been built into the system. It's been deferred.

This is understandable. Governance sounds bureaucratic. It conjures images of long meetings, tedious checklists, and legal reviews that take longer than the engineering work itself. But the alternative — shipping AI systems to enterprise customers without systematic governance — is increasingly untenable.

Regulations are tightening. The EU AI Act imposes concrete obligations on high-risk AI systems starting in 2026. SOC 2 auditors are asking pointed questions about AI pipelines. GDPR enforcement around automated decision-making is accelerating. And enterprise buyers — particularly in healthcare, financial services, and government — are making governance a procurement requirement.

The question isn't whether you need AI governance. It's whether you're going to build it intentionally or bolt it on in a panic.

What Regulators Actually Care About

The good news: regulators are more practical than most engineers assume. They don't care about your model architecture. They don't care about your training methodology. They care about a short list of concrete things:

Can you explain what the system does? Not in technical detail — in plain language. What data goes in, what decisions come out, and what role does the AI play?

Can you demonstrate it's been tested? Not "we tried it and it worked." Documented evaluation results, against defined benchmarks, with traceable methodology.

Can you show who has access to what? Role-based access controls, audit logs, and clear data governance policies.

Can you prove data is handled lawfully? Consent mechanisms, data minimisation practices, and evidence that personal data is processed in compliance with applicable regulations.

Can you respond when something goes wrong? Incident response procedures, rollback capabilities, and notification processes.

That's essentially it. The specifics vary by regulation, but the core requirements are reasonable and engineering-friendly. The problem isn't that governance is impossible — it's that nobody treats it as an engineering problem.

SOC 2 for AI Systems

SOC 2 was designed for cloud services, not AI systems. But auditors have adapted, and AI pipelines are increasingly in scope. Here's what matters:

Data handling controls. Your AI system ingests, processes, and stores data. SOC 2 requires you to demonstrate that this data is protected throughout its lifecycle — encrypted at rest, encrypted in transit, access-controlled, and auditable.

Change management. When you update a model, change a prompt, or modify a pipeline, SOC 2 wants to see that the change was authorised, tested, and documented. For AI systems, this means your evaluation framework needs to be part of your change management process — not a separate, informal step.

Monitoring and incident response. You need to demonstrate that you're monitoring your AI system for issues and that you have a defined process for responding to incidents. Semantic drift detection, quality threshold alerts, and rollback procedures all contribute to this.

"Governance isn't a document you write once. It's infrastructure you build and maintain — exactly like the rest of your system."

The non-obvious requirement: SOC 2 auditors increasingly ask about data lineage — can you trace a specific output back to the specific data that produced it? For AI systems, this means maintaining provenance records: which data was used, which model version processed it, and what evaluation scores applied at the time.

GDPR and AI

GDPR has several provisions that directly affect AI systems, and most teams underestimate their scope.

Right of explanation. Under Article 22, individuals have the right to request meaningful information about the logic involved in automated decision-making. If your AI system makes or influences decisions about people — hiring, credit scoring, medical triage, customer segmentation — you need to be able to explain how.

This doesn't mean you need to open-source your model. It means you need to provide a clear, non-technical explanation of what factors influenced the decision and how the system works in general terms. For most enterprises, this requires logging the inputs, the model's reasoning (where available), and the output for every decision.

Data minimisation. GDPR requires that you process only the data necessary for the stated purpose. This directly conflicts with the AI instinct to "ingest everything and let the model figure it out." If you're building a document search system, you probably don't need to ingest and embed personal data that's irrelevant to the search use case.

Right to deletion. If a user requests deletion of their data under GDPR, you need to remove it not just from your database, but from your vector stores, knowledge bases, and any cached representations. For RAG-based systems, this means having the ability to identify and purge specific documents from your retrieval pipeline — including embeddings, chunks, and any derived content. The practical requirement: maintain clear data lineage so you can trace every piece of content back to its source and remove it completely when required.

The EU AI Act: What Changes in 2026

The EU AI Act introduces a risk-based classification system for AI. Most enterprise AI systems will fall into the "high-risk" category, particularly those used in:

  • Healthcare and medical devices
  • Employment and worker management
  • Financial services and creditworthiness assessment
  • Essential public services

For high-risk systems, the Act requires:

  • Risk management systems that identify and mitigate risks throughout the AI lifecycle
  • Data governance requirements specifying that training and evaluation data must be relevant, representative, and free from errors
  • Technical documentation that describes the system's purpose, capabilities, and limitations
  • Record-keeping that enables traceability of the system's operations
  • Human oversight mechanisms that allow humans to understand and override AI decisions
  • Accuracy, robustness, and cybersecurity standards appropriate to the system's purpose

The operational deadline for most of these requirements is August 2026. Teams that haven't started governance engineering by now are behind.

Building Governance Into the Architecture

The mistake most teams make is treating governance as a layer — something you add on top of a working system. This is expensive, fragile, and usually incomplete.

The better approach is to build governance into the architecture from the start:

Access controls at the data layer, not the application layer. Every data source, every pipeline stage, every vector store should enforce role-based access independently. A compromised application shouldn't grant access to data the user isn't authorised to see.

Audit logging as a pipeline stage, not an afterthought. Every data transformation, every model inference, every evaluation result should produce an audit record. When an auditor asks "what happened to this data?", the answer should be queryable, not reconstructed from memory.

Evaluation as governance infrastructure. Your evaluation framework isn't just engineering tooling — it's governance evidence. Documented test results, regression reports, and quality scores are exactly what regulators and auditors want to see.

Data lineage by default. Every output should be traceable to its inputs. Every model decision should reference the data that informed it. This isn't optional for high-risk AI systems under the EU AI Act — and it's good engineering practice regardless.

A Practical Checklist

For teams starting their governance journey, focus on these first:

  • Document what your AI system does, in plain language, including its limitations
  • Implement role-based access controls at every layer (data, pipeline, application)
  • Enable audit logging for all data processing and model inference
  • Maintain a golden dataset and run automated evaluations on every change
  • Establish data lineage — trace outputs to inputs
  • Define and document your incident response process for AI-specific issues
  • Review personal data flows and ensure GDPR compliance (minimisation, consent, deletion)
  • Determine your EU AI Act risk classification and begin addressing the requirements

None of these require a massive compliance programme. They require treating governance as engineering work — which is exactly what it is. Learn more about our security infrastructure →

Newsletter

Intelligence Delivered.

Technical deep-dives on AI infrastructure, evaluation frameworks, and production operations. No spam, unsubscribe anytime.

Zero spam · Unsubscribe anytime