Governance Gaps Undermine AI Compliance Savings as EU Rules Tighten

Two-thirds of technology leaders lack comprehensive control over their artificial intelligence systems, according to an IBM study of 2,000 tech executives. The same research found an average of 54 AI-related incidents per year across organisations, with 37% resulting in data leaks. The findings cast a shadow over the cost-cutting promises of compliance automation, even as companies race to adopt the technology.

Market analysts at Gartner predict that by 2027 roughly 40% of businesses will shut down autonomous AI agents because governance structures are missing. The firm recommends a proportional control model that scales according to each system’s level of autonomy.

Resource crunch drives adoption

Compliance teams are under mounting pressure. A study by NAVEX revealed that 38% of compliance officers cite a growing workload without additional staff as their top challenge. Coordination problems affect 34%, and 32% say they are still bogged down by manual processes. Only 24% of respondents believe their current risk assessments are effective. While 76% of companies have training plans in place, about one-third never measure whether those measures actually work.

Automation has emerged as the go-to solution for cutting manual effort. The DICIS AG offers an AI-driven ISO certification service covering standards 9001, 14001, and 27001, promising to slash time and costs by over 80% through a virtual assistant. In data protection, the provider Validato uses structured open-source intelligence (OSINT) searches to build GDPR-compliant risk profiles for partner and personnel checks, particularly in critical infrastructure and finance.

In the German state of Thuringia, the judiciary launched the Juris-KI-Suite on 1 June. The tool supports legal research using natural language queries, though judges and clerks are free to choose whether to use it.

EU AI Act deadlines shift

Political agreement reached in early May has reshaped the timeline for the EU’s Artificial Intelligence Act. High-risk AI systems must comply by 2 December 2027, but a ban on specific uses — including sexualised deepfakes — takes effect earlier, on 2 December 2026. The European Commission has published guidance on classifying high-risk applications: tools that assess job candidates fall under that category, while pure scheduling software does not.

Industry players such as Comma Soft and the university spin-off Deep-In are developing what they call "trust agents". These aim to enable controllable deployment of autonomous AI in regulated sectors and to embed ethical guardrails that also satisfy the EU AI Act’s technical requirements.

New liability risks from supplier AI

Experts warn that the growing use of AI by subcontractors creates fresh liability and audit exposures. Companies must secure contractual protections, as the compliance obligations under the AI Act may flow through supply chains. The gap between rapid automation adoption and lagging governance remains the central risk — one that, if left unaddressed, could drain the very cost savings the technology was meant to deliver.

en | boerse | 69511177 |