Two months ago, a CEO I was working with said a version of this: “AI ownership is on our agenda for next quarter.” It was the third time I had heard that sentence from that company. The quarter before, it was “we’re still aligning on the right structure.” The quarter before that, “we’re waiting to see how the market settles.” What none of them said out loud is what a regulator, an insurer, or an enterprise buyer hears when the questionnaire lands and they get the same answer: not that the company is being thoughtful, but that no one is accountable. That gap is documented now. It did not use to be.

The point is simple. AI ownership is a liability question. The answer is not a title, a committee, or a transformation programme. It is a named person, a one-page document, and a reporting line the board has seen. The part most growing companies keep skipping is that mandate, and they keep skipping it right up until the question lands in a buyer’s diligence, an insurer’s renewal, or an audit.

Who owns AI in your organisation?

When someone asks “who owns AI in your organisation,” the instinct is to reach for a job title. CTO. CDO. Head of Digital. Whoever runs the platform team. That answer is fine at a dinner party. It is not fine in an auditor’s questionnaire.

An org chart tells you who reports to whom. It does not tell you who has the authority to approve a new AI vendor, who decides whether a particular use case is acceptable, or who carries the accountability when an AI system produces a result that harms a customer or triggers a regulatory inquiry. Those are governance questions, and the gap between “we have a CTO” and “we have a named AI owner with defined decision rights” is exactly the gap regulators, insurers, and enterprise procurement teams are now probing for.

And AI ownership is not just generic accountability hygiene wearing a new label. Three things make it its own problem: staff adopt AI tools faster than procurement can review them, you cannot audit a model the way you audit a SaaS contract, and the literacy duty attaches to the people using the system, not only the system itself. That is why “we have a CTO” quietly stopped being a sufficient answer.

The EU AI Act makes the ownership gap harder to ignore. EU AI Act Article 4, which has applied since 2 February 2025, requires providers and deployers to take measures, to their best extent, to ensure a sufficient level of AI literacy among their staff and other persons dealing with the operation and use of AI systems on their behalf, proportionate to role and context. National market surveillance authorities start supervising and enforcing from 2 August 2026. The obligation applies to deployers using AI tools in a professional context; for ordinary commercial use, there is no size-based exemption. I wrote in more detail about the specific Article 4 compliance questions most growing companies are behind on. The point here is narrower: Article 4 does not name a job title, but it creates an organisational obligation someone has to own in practice.

That named, mandated person does not exist at most growing companies I work with. Not because the leaders are negligent, but because the question has been framed as an org-chart problem (who should we create a role for, who is the right function) rather than a liability problem (who is on the hook if this goes wrong today). Often the right owner is the person already informally on the hook, frequently the CTO. The fix is not a different person. It is that person, in writing, with decision rights and a reporting line the board has seen.

A Chief AI Officer title is not an AI governance mandate

There is a version of this conversation that ends with a CAIO hire. I have seen it happen in larger organisations, and in the right context -- a much larger enterprise with multiple high-risk AI deployments and a significant regulatory footprint -- it is a reasonable structural response. For the growing companies that make up most of my advisory work, it is not.

The CAIO model has a specific failure mode: it produces a job description before it produces a governance mandate. Companies write the title into the org chart, scope a recruitment process, and operate in the gap for months while they search. During that window, AI adoption continues, vendor contracts are signed, and use cases are deployed without the governance oversight the hire was meant to provide. The title is the plan, and the title does not exist yet, so the plan is not yet in effect. That is a governance gap wearing the costume of governance progress.

A CAIO hire also tends to over-specify what you need and under-specify what they are actually accountable for. The job description covers strategy, culture change, technical vision, and stakeholder communication. By the time the role is defined and filled, it often has no clear mandate for the operational decisions that governance actually requires: which AI tools are approved, what acceptable use looks like, how the organisation responds when something goes wrong.

To be fair to the model: a well-run CAIO process names an interim owner during the search, which is exactly the mandate I am describing. The point is not that you never hire a Chief AI Officer. It is that the mandate, not the title, is what governance and auditors need, and most companies this size never reach the point where the title earns its cost. For them the governance need is simpler than the CAIO frame suggests, and simpler things are faster to put in place, lighter to operate, and easier to defend to an auditor than a senior hire who is still in their first quarter when enforcement begins.

A scapegoat is not an owner

Here is the objection I hear when I suggest naming a person: “Won’t that just make them the target if something goes wrong? We’d be setting someone up.” It is a fair concern, and it points at a real failure mode -- but the failure mode is not the named owner. It is a named owner with no authority.

A scapegoat is what you get when you put a name on an accountability without giving that person the decision rights to act on it. If the “AI owner” cannot approve or block a vendor, cannot set acceptable-use policy, cannot escalate a risk to the board, and cannot say no when a use case crosses a line -- then you have not built governance. You have built a target. That is worth avoiding.

There is a second, fairer version of the worry, and it is about the named person, not the company: does putting my name on a board-seen accountability document expose me personally? A good mandate answers that too. It defines the scope and the limits of the accountability rather than leaving it open-ended, it sits alongside the company’s directors-and-officers cover, and the escalation path moves the genuinely high-risk calls up the line rather than parking them on one desk. Naming an owner with real authority and clear limits protects that person. Naming them with neither is what creates the exposure.

So the solution is not to avoid naming someone. It is to make sure the name comes with a mandate. Real decision rights. A reporting line that carries weight. A documented scope the organisation has agreed to. When those elements exist, the named owner is not a scapegoat. They are the person who makes the governance work, and who has the standing to do it.

This connects to a broader point about how AI governance fails in practice. I wrote separately about why AI governance and data governance are different mandates, and why collapsing them -- assigning the CDO to own AI because data and AI are related -- tends to produce exactly the accountability gap described above. The data team ends up owning AI in name while the AI governance work sits in the gap between their data mandate and the technology decisions the CTO is making. No one is accountable. Everyone is adjacent.

Where the AI ownership vacuum shows up

The accountability gap is not hypothetical. It shows up in three places, and at least one of them is probably already on your radar.

The first is enterprise procurement. If you sell to larger organisations -- in financial services, healthcare, public sector, or any regulated industry -- vendor AI governance questions are appearing on procurement questionnaires. Not as a box-tick at the end, but as a substantive section. “Who in your organisation is accountable for AI governance? What is their mandate? How do they assess AI tools before deployment?” These questions arrived before August 2026. The buyers asking them are not waiting for the regulatory enforcement date.

The second is insurance. Cyber and technology liability underwriters are incorporating AI governance into their assessment process. Earlier in my career, in a PE-backed services group where I held CIO-scope governance responsibility, the insurer’s AI governance questionnaire was the forcing function that made the ownership question concrete. Not a regulator. Not a customer. An underwriter looking at renewal terms. There, an undocumented governance structure became a renewal-discussion and pricing factor. Whether that is your underwriter’s pattern depends on the insurer and the policy, but the direction of travel is consistent: the cost of naming someone is low, and the cost of having no answer when the questionnaire lands is not.

The third is the board. As AI systems take on more operational weight -- in customer service, in hiring, in financial reporting -- boards are starting to ask the questions their governance obligations require them to ask. A Deloitte analysis published on the Harvard Law School Forum on Corporate Governance maps this in detail: AI governance is becoming a board-level accountability question, not only an operational one. When the board asks who owns AI and the answer is “the CTO, sort of, but we’re still defining the mandate,” that is a governance finding at the board level.

In every case, the gap that surfaces is the same one: a name without a mandate, or no name at all. The fix, in every case, is the same.

The one-page scope of mandate -- your Article 4 starting point

The document I build with clients is not a policy. It is not a strategy. It is one page. It has five components, and if any of the five is missing, the document does not do what it needs to do.

The first component is the named owner and their existing role. Not a future hire. Not a committee. One person, by name, in their current position. This can be the CTO, the COO, the CFO, a senior security or compliance lead -- whoever has the standing and the proximity to AI decisions. The role does not need to be AI-specific. It needs to carry authority.

The second component is decision rights: what this person can approve, what they can block, and what they escalate and to whom. Approve a new AI vendor entering the approved-tools list. Block a use case that does not pass the acceptable-use criteria. Escalate a high-risk system to the CEO or board before deployment. Without explicit decision rights, the ownership is nominal.

The third component is the reporting line. Who does the AI owner report to on governance matters? The CEO directly? The board audit committee? A risk committee? The reporting line determines whether the AI owner has the standing to raise an issue that crosses functions, and whether their escalation will be heard. Write it down. Make sure the person at the top of that line has seen the document.

The fourth component is the sign-off scope: which AI systems, vendors, and use cases fall under this mandate. You do not need to list every tool in the company on day one. You need to define the categories: all externally procured AI tools above a certain data exposure threshold; all use cases involving customer data or automated decision-making; all AI systems embedded in products delivered to external parties. Where a use case involves automated decisions on personal data, it also sits under GDPR (Article 22) and your DPO; the AI owner coordinates with that existing accountability; it does not replace it. The scope is the boundary of accountability. Where the scope ends, the mandate ends.

The fifth component is the review cadence and trigger. A quarterly review of the approved-tools list. An annual review of the mandate itself. An out-of-cycle review triggered by a material incident, a significant new deployment, or a regulatory change. The cadence keeps the governance alive. The trigger keeps it honest.

One caveat belongs on the page alongside those five: a named owner with no allocated time is a slower version of no owner. The mandate should name the time the role actually gets, and where needed a deputy who does the legwork, not only the authority it carries.

Be clear about what this document does and does not do. It is the accountability layer that makes Article 4 governance auditable. It does not, on its own, make you Article 4 compliant. That still needs the actual measures: an AI inventory, a role-based literacy plan, training or briefing records, and a review basis. The one-page mandate is what those hang from, the document that says who is accountable for producing and maintaining them. The EU AI Act and the Commission’s AI Literacy Q&A place the obligation on the deployer as an organisation. Article 4 does not require a named owner; the Act does not say that. A named owner is simply the practical mechanism that makes the rest auditable and defensible.

One note on timing: a provisional political agreement on the Digital Omnibus on AI, reached on 7 May 2026, would soften Article 4’s wording from “ensure” to “take measures to support the development of” AI literacy (see the Council compromise text). That text is not yet adopted or published in the Official Journal, and the exact final wording can still move, so the current obligation stands as written. Even under the softened standard, the question of who is accountable for literacy governance does not disappear; it just becomes easier to defend at the margin. I would not build a wait-and-see strategy on a text that is not yet law. I wrote in more detail about how growing companies should approach AI Act readiness, for those who want a fuller picture of the compliance scope.

The test is whether you could hand it to an auditor tomorrow

Here is the practical test I run before I consider the governance work done. Imagine an auditor, an insurer, or an enterprise procurement lead calls you tomorrow and asks: who in your organisation owns AI governance, what is their mandate, and how does your organisation meet its Article 4 obligations? Could you answer that question clearly, from a document that already exists, with a name and a scope attached?

If the answer is “we have a CTO,” that is not a sufficient answer. If the answer is “we’re in the process of defining this,” that is an answer that documents the gap. If the answer is “yes, here is the one-page mandate, here is the reporting line, here is the sign-off scope,” that is a governance posture.

The gap between the first two answers and the third is not a six-month CAIO recruitment process. The decision to name an owner takes an afternoon. Getting the decision rights, the reporting line, and the sign-off scope right enough to survive an insurer’s questionnaire is the part that usually needs a second pair of eyes. Neither is a transformation programme. That is why it keeps getting deferred: it looks too small to be the answer to a question that feels large. But the question a regulator is asking is not “what is your AI strategy?” It is closer to “what measures did you take, why were they proportionate, and who can explain the basis?” Those require very different answers, and all of them start with a name.

In my experience across mandates at companies up to 6,000+ staff, the companies that are best positioned at audit are not the ones with the most sophisticated AI programmes. They are the ones who can answer the accountability question immediately, without having to call three people to find out.

The question will come

“We are still figuring that out” is a sentence worth reading in the voice of the person who will write it into an audit report. It does not record ambiguity. It records absence. One person. One page. A reporting line the board has seen. That is the difference between a governance gap and a governance posture -- and the gap is smaller than every consultancy that sells CAIO transformation programmes wants you to believe.

If a buyer questionnaire, an insurer renewal, or a board review is already on your desk and your ownership answer would not survive it, that is the work I do with growing companies. A short conversation is usually enough to tell you whether what you have is defensible. The AI governance advisory services page has the detail, or get in touch.