What is AI governance and why now?
AI governance is how an organisation decides who may deploy which AI, under what conditions, with what oversight and what accountability afterwards. It answers four questions: which AI do we use, who is responsible, which risks do we accept, and how do we demonstrate that we are in control. Where data governance is about the quality of your data, AI governance is about the decisions you automate with that data.
The topic is urgent now for three concrete reasons. First, the EU AI Act (Regulation (EU) 2024/1689) has been in force since 1 August 2024, with the first binding obligations since 2 February 2025. Second, the renewed Dutch Corporate Governance Code (opens in new window), published on 20 March 2025, forces boards via the In-Control Statement to make an explicit statement about their risk management. Third, shareholders, via the VEB's 2025 priority letter (opens in new window), have named AI as a theme on which they critically question boards.
What I see at the boardroom table: in two years the question has shifted from "are we allowed to use AI?" to "can we demonstrate that we use it in a controlled way?". That is a fundamentally different question. The first is about permission, the second about burden of proof. And burden of proof forces structure: an inventory, a responsible person, a file. Organisations that get this in order now will have a head start. Organisations that wait for an incident build their governance under pressure, after the fact.
AI governance is therefore not an abstraction. It is the bridge between what your organisation technically does with AI and what the board signs for legally and strategically.
Why AI governance belongs at the boardroom table
For years AI was an experiment run by the IT or innovation department. That is over. The difference between AI as an IT project and AI as a board matter lies in accountability: an IT project can fail without a board member being held personally accountable; a board matter cannot.
| Characteristic | AI as an IT project (old) | AI as a board matter (2026) |
|---|---|---|
| Owner | IT or innovation department | Management board, overseen by the supervisory board |
| Core question | Does the technology work? | Are we demonstrably in control? |
| Risk | Project risk, budget | Director liability, reputation |
| Accountability | Internal reporting | Management report, shareholder meeting |
| Time horizon | Per project | Ongoing, accounted for annually |
Two developments explain that shift. The In-Control Statement makes risk management a public board statement rather than an internal effort. And shareholders demand insight into how AI creates or threatens value. The VEB explicitly asks boards to map the strengths, weaknesses, opportunities and threats around generative AI with a SWOT analysis in the management report. That puts AI next to finance and strategy on the boardroom agenda.
The consequence is that AI governance cannot be delegated to a technical layer. A board that does not sufficiently understand how its own algorithms decide cannot provide the required accountability. The role of the supervisory director changes accordingly, and the need for technological knowledge on the supervisory board increases. I develop this further in the post on the blind spot in the boardroom and in open source AI as a governance necessity.
The legal framework: the AI Act, the In-Control Statement and the Corporate Governance Code 2025
Three frameworks together determine what AI governance legally means in the Netherlands. You cannot view them separately: the In-Control Statement forces accountability, the AI Act sets the substantive requirements, and the Corporate Governance Code anchors the whole in the management report.
The EU AI Act and the revised timeline
The EU AI Act takes a risk-based approach. The greater the risk a system poses to health, safety or fundamental rights, the stricter the rules. The law has four categories: unacceptable risk (prohibited), high risk, transparency risk and minimal risk.
Important for 2026: the timeline has changed. Through the so-called Digital Omnibus, a package of targeted amendments proposed by the European Commission on 19 November 2025, the heaviest high-risk obligations have been postponed. The political agreement was reached on 7 May 2026 (opens in new window), the European Parliament approved the text on 16 June 2026 (opens in new window), and the Council gave the green light in late June 2026. Publication in the Official Journal follows in the summer of 2026, after which the amendments take effect three days later. Until that publication the original text remains formally binding, but the new dates are the planning basis that lawyers and regulators now use.
| Obligation | Original | After Digital Omnibus |
|---|---|---|
| Prohibited practices + AI literacy (Art. 4) | 2 February 2025 | Unchanged: in force since 2 February 2025 |
| GPAI obligations (general-purpose AI models) | 2 August 2025 | Unchanged: in force since 2 August 2025 |
| Transparency (Art. 50, mostly) | 2 August 2026 | Unchanged: 2 August 2026 |
| Watermarking legacy systems (Art. 50(2)) | 2 August 2026 | Postponed to 2 December 2026 |
| New ban on NCII and CSAM generation | n/a | New: from 2 December 2026 |
| High risk, standalone (Annex III) | 2 August 2026 | Postponed to 2 December 2027 |
| High risk, embedded in products (Annex I) | 2 August 2027 | Postponed to 2 August 2028 |
| National AI sandboxes | 2 August 2026 | Postponed to 2 August 2027 |
Source for the revised dates: Consilium (opens in new window) and analyses by, among others, Gibson Dunn (opens in new window) and Hogan Lovells (opens in new window).
Two nuances that are often missed. The AI literacy obligation (Article 4) has not been scrapped: it still rests on providers and deployers, but the wording has been softened from "ensuring a sufficient level" to "taking measures to support the development of AI literacy". It is now a best-efforts obligation, not a results obligation (Stibbe (opens in new window)). And the transparency obligations have not been postponed: they still largely apply from 2 August 2026. The postponement mainly affects high-risk systems, not the whole law. The fines under the AI Act remain steep: up to 35 million euros or 7% of worldwide annual turnover for the most serious breaches.
I work out the full timeline and whether the AI Act applies to your organisation in the hub EU AI Act and in does the AI Act apply to my organisation. Supervision and enforcement are covered in AI supervision: ten regulators and, for the financial sector, in AI supervision and the division of tasks at insurers.
The In-Control Statement (VOR)
The In-Control Statement is the biggest governance change of 2025. The new Monitoring Committee for the Corporate Governance Code (opens in new window), appointed on 17 March 2025 under chair Rob van Wingerden, updated the Code and included the In-Control Statement. The provisions apply to financial years starting on or after 1 January 2025, with the first statement covering financial year 2025 (to be published in 2026). By early 2026 the Code is legally anchored: on 2 February 2026 the decree amending the Decree on the Content of the Management Report was published in the Government Gazette, and the Code was designated via an Order in Council (accountant.nl (opens in new window)).
What changes in practice? The board states in the management report the level of assurance that its internal risk-management and control systems provide, and not only for financial reporting risks (as before), but also for operational and compliance risks. A failing AI system falls under the latter two categories. A nuance from practice: for financial year 2025, listed companies often still choose a legally cautious, "double-negative" phrased statement, so the bar is being raised step by step in practice.
The link is therefore direct: if you do not control your AI risks, you cannot credibly sign the In-Control Statement. AI governance thereby becomes part of your Enterprise Risk Management.
The Corporate Governance Code and shareholder pressure
The Code works on a comply-or-explain basis: you either apply the provisions, or you explain in the management report, with reasons, why you deviate. Deviating is allowed, but shareholders and proxy advisors judge weak statements critically. And on AI specifically, shareholders set the bar high: the VEB asks for an AI SWOT in the annual report. This means AI governance must be accounted for not only defensively (managing risk) but also offensively (demonstrating value).
The building blocks of an AI governance framework
An AI governance framework is not a document but an operating system. It consists of six building blocks that interact. The order is deliberate: you cannot control what you have not mapped.
Inventory
Classification
Policy and decision rules
Oversight and roles
Data and bias
Monitoring and accountability
1. Inventory. Map every AI system, including the tools employees purchase themselves. Without full visibility you cannot take responsibility.
2. Classification. Sort every system according to the AI Act's risk categories. A CV filter or credit assessment quickly falls into the high-risk category; a spam filter does not.
3. Policy and decision rules. Set out which AI use is allowed, which data may and may not go in, and who approves a new application. Concrete policy beats a thick principles document.
4. Oversight and roles. Explicitly assign responsibility. Many organisations set up a multidisciplinary AI committee with IT, Legal, HR, Risk and the business, which vets new initiatives in advance.
5. Data and bias. AI is only as good as the data underneath it. Set up processes to check training data for bias, intellectual property and sensitive personal data, and document this with explainability in mind.
6. Monitoring and accountability. Structurally include AI risks in your risk management and anchor the judgement in the In-Control Statement. This is ongoing work, not an annual exercise.
Use the self-check below to see where you stand. If you score a "no" on any of these points, you know where your governance still has a gap.
Governance self-check
- Is there an up-to-date inventory of all AI systems, including self-purchased tools?
- Is every system classified according to the AI Act's risk categories?
- Is there policy that sets out which data may and may not go into AI tools?
- Is there one responsible person or committee that vets new AI initiatives in advance?
- Are employees who work with AI demonstrably trained (AI literacy)?
- Are the AI risks included in risk management and the In-Control Statement?
Shadow AI: why policy alone does not work
Shadow AI is the use of AI tools outside the view of IT and the board: employees who set up their own chatbot, transcription tool or code assistant. This is the blind spot that trips up most frameworks. You can write a beautiful policy, but if half your organisation is also using its own tools, you are not in control of anything.
The reflex to simply block shadow AI backfires. Employees switch to personal accounts and phones, so you lose even more visibility. Why a ban does not work, and what does, is described in blocking shadow AI does not work.
It is more effective to understand who in your organisation uses AI and for what. Roughly speaking there are four types of users, from the critical power user to the employee who unknowingly pastes customer data into a free tool. That breakdown helps you target your policy, and I work it out in the four AI users in your organisation. A concrete and common risk is uploading customer or company data to public AI tools, covered further in uploading customer data to AI and, on the risks of blindly adopting external AI instructions, in why you should never just download an AI skill.
What I see in practice: the gap is rarely technical and almost always human. I have seen teams with a neat AI policy on paper, while in daily practice confidential information ended up in a free tool simply because that was faster. Governance that does not address that behaviour is a document, not a control. The gain lies in offering usable, safe alternatives, not in banning.
Shadow AI shows why AI governance is a behavioural issue, not a purely legal one. Policy without attention to the shop floor is a paper tiger.
Who is liable when AI fails?
If an AI system causes harm, a data breach, a discriminatory decision or a misleading output, in 2026 responsibility points to the boardroom table. The In-Control Statement reinforces this: by publicly committing to a judgement about its own risk management, a board can more quickly be held to account for improper governance or misleading reporting in the event of a major incident. Under Dutch law, among others Article 2:249 of the Civil Code provides grounds for liability in the case of a misleading representation in the annual accounts or the management report.
The roles divide as follows:
| Body | Role in AI governance | Core question |
|---|---|---|
| Management board | Ultimately responsible for policy and execution | Are we demonstrably in control of our AI? |
| Supervisory board | Oversight and sounding board, challenges the management board | Does the board base its statement on real evidence? |
| AI committee or Risk | Vets initiatives, safeguards policy | Does this system meet our requirements? |
| Business and employees | Responsible use in practice | Am I using this within the agreed rules? |
The supervisory board must not sit back passively here. A supervisory board that ignores AI fails its statutory oversight duty. The practical consequence is a growing need for technological knowledge on the board, the so-called tech-savvy supervisory director, so there is substantive counterbalance to the choices made by the management board. Critical questions a supervisory board should ask, and the broader strategic choices around AI at board level, are covered in the OpenClaw strategy for the CEO and AI due diligence in acquisitions, because especially in mergers and acquisitions the AI maturity of a target becomes a valuation factor.
Liability is therefore not abstract. It is the reason AI governance is no longer a choice but a necessity, and why the judgement ultimately rests in the name of the board.
AI governance through an insurance lens
Governance theory only becomes tangible once you apply it to real processes. In insurance, a sector that runs entirely on risk assessment, fraud detection, claims handling and customer trust, AI governance is easy to illustrate. The stakes are high: a poorly tuned model directly hits customers' wallets and trust.
Take fraud detection. A model that scores claims for fraud is a classic high-risk system: it co-decides on an individual's rights. Without governance such a model can unintentionally and structurally disadvantage certain customer groups, resulting in discrimination and reputational damage. With governance you record how you check for bias, how human oversight is arranged, and how you can explain a decision to a customer or regulator. How fraud detection is changing with synthetic media is described in SynthID, C2PA and stopping insurance fraud and template farms and insurance fraud.
My lens from insurance: the insurance business is a governance exercise avant la lettre. We have been calculating with risk, burden of proof and duty of care for decades. AI changes the scale, not the principle. Anyone who approaches AI governance as a completely new field misses that existing risk frameworks are largely transferable. The real new question is explainability: can you explain to a customer, a complaints body or a regulator why the model made this decision? That is where most organisations still have work to do.
Governance also plays out on the customer side. Think of AI in customer service, where the AI Act's transparency rules require that a customer knows they are talking to a machine, or the design of cancellation and customer processes. The human side of AI in customer service is covered in voice AI that makes customer service more human than a human. The financial sector also has its own regulators tracking AI use, which sharpens governance requirements further, see AI supervision and the division of tasks at insurers.
The biggest misconceptions about AI governance
Persistent misconceptions surround AI governance. They are dangerous because they give a board a false sense of security.
Misconception: AI governance is a job for the IT department. In reality it is a board responsibility. The In-Control Statement and the AI Act place the judgement with the board, not with IT. IT executes, the board signs.
Misconception: because the AI Act is postponed, we have until the end of 2027. In reality the prohibited practices, the AI literacy duty and most transparency rules already apply. Only the heaviest high-risk obligations are postponed. Moreover, the inventory work does not get easier by waiting, only the deadline moves.
Misconception: if we write an AI policy, we are compliant. In reality a document is not a control. Without an inventory, oversight and monitoring, policy is a paper tiger, especially with shadow AI in the organisation.
Misconception: AI governance is purely defensive and slows innovation. In reality shareholders specifically ask about the upside. The VEB wants a SWOT, including strengths and opportunities. Good governance enables responsible acceleration.
Misconception: "we didn't know that system used AI" protects us. In reality ignorance is no longer a defence. The obligation to have your AI mapped rests with the organisation itself.
Misconception: a privacy check (GDPR) already covers the AI risks. In reality the GDPR and the AI Act partly overlap, but the AI Act sets its own requirements for risk classification, human oversight and transparency that go beyond privacy.
How do you approach AI governance? (step-by-step plan)
Setting up AI governance does not have to be overwhelming. Seven steps take you from nothing to demonstrably in control. Start with the inventory, because everything else builds on it.
- Inventory all AI, including shadow AI. Ask every department which AI tools they use, including free and self-purchased ones. Do this as an inquiry, not a control action, otherwise half of it disappears from view. What you don't know, you can't control.
- Classify each system by risk. Sort every system according to the AI Act categories. Focus your attention on the high-risk systems (recruitment, credit assessment, fraud detection) and on prohibited practices you must exclude immediately.
- Appoint one responsible person or committee. Explicitly assign AI governance, preferably multidisciplinary. Do not do this as a non-committal "working group", but with a mandate to block or approve initiatives.
- Draw up concrete policy and decision rules. Record which data may and may not go into AI, which use is allowed, and who approves new applications. Avoid a thick principles document; choose usable rules the shop floor will actually follow.
- Arrange AI literacy. Train not only developers, but especially end users and the board itself. This has been a statutory best-efforts obligation since February 2025, and it is the cheapest risk reduction there is.
- Set up data and bias controls. Check training data for bias and sensitive data, and make sure you can explain your decisions. Do this as an ongoing process, not a one-off audit.
- Anchor it in risk management and the In-Control Statement. Include the AI risks in your Enterprise Risk Management and let the judgement come back in the In-Control Statement. Here the circle closes: from inventory to board accountability.
The cost side of AI deserves separate attention here, because governance without cost control leads to surprises on the bill. See getting a grip on AI costs and, on the risk of depending on a single supplier, AI vendor lock-in and the kill switch.
Frequently asked questions
What is AI governance in short?
AI governance is the collection of policy, roles, processes and controls with which an organisation steers towards responsible, safe and valuable AI use. It determines who may deploy which AI, under what conditions, with what oversight and what accountability afterwards. In 2026 it is primarily a board responsibility, not an IT task.
Is AI governance legally required in the Netherlands?
There is no separate law titled 'AI governance', but in practice it is mandatory. The EU AI Act sets requirements for risk classification, human oversight and AI literacy, and the Corporate Governance Code 2025 forces boards, via the In-Control Statement, to account for their risk management, including AI. Together they make governance unavoidable for larger and listed organisations.
What is the In-Control Statement (VOR)?
The In-Control Statement is a statement in the management report in which the board indicates the level of assurance its internal risk-management and control systems provide for operational, compliance and reporting risks. It is included in the renewed Corporate Governance Code (March 2025) and applies to financial years starting on or after 1 January 2025, with the first statement covering financial year 2025.
Does the EU AI Act still apply from August 2026?
Partly. Through the Digital Omnibus, the heaviest high-risk obligations have been postponed: Annex III systems to 2 December 2027 and Annex I systems to 2 August 2028. But the prohibited practices and the AI literacy duty have applied since February 2025, and most transparency obligations still apply from 2 August 2026. So the postponement does not affect the whole law.
Who is liable if an AI system causes harm?
Ultimate responsibility lies with the management board, overseen by the supervisory board. Through the In-Control Statement, the board publicly commits to a judgement about its own risk management, which increases the chance of director liability in the event of a major incident. Not knowing about your own AI systems is no longer a viable defence.
What is shadow AI and why is it a governance risk?
Shadow AI is the use of AI tools outside the view of IT and the board, such as employees setting up their own chatbot or code assistant. It is a risk because you cannot govern systems you do not know about. Simply blocking it backfires, because employees then switch to personal accounts. Visibility and safe alternatives work better.
What is the difference between AI governance and the AI Act?
The AI Act is a European law with concrete requirements for AI systems. AI governance is broader: it is how an organisation governs AI, with the AI Act as one of the inputs, alongside the Corporate Governance Code, the In-Control Statement, shareholder demands and the organisation's own risk policy. The AI Act tells you what must happen; governance arranges how you secure and account for that.
How do I start with AI governance in my organisation?
Start with an inventory of all AI systems, including self-purchased tools. Classify them by risk according to the AI Act, appoint one responsible person or committee, draw up concrete policy, arrange AI literacy, set up data and bias controls, and anchor the whole in your risk management and the In-Control Statement. The inventory is the foundation everything else rests on.
Go deeper
The hub-and-spoke around AI governance consists of these articles. Together they form the deeper dive into the themes in this guide.
Board and boardroom - The blind spot in the boardroom: why boards structurally underestimate AI. - AI due diligence in acquisitions: AI maturity as a valuation factor in M&A. - Open source AI as a governance necessity: the strategic choice against dependency. - The OpenClaw strategy for the CEO: AI strategy at the highest level.
Shadow AI and use within the organisation - Blocking shadow AI does not work: why a ban backfires. - The four AI users in your organisation: targeting your policy at real behaviour. - Uploading customer data to AI: the most common data-breach risk. - Why you should never just download an AI skill: the risks of external AI instructions.
Regulation and supervision - EU AI Act: the complete hub on the law itself. - Does the AI Act apply to my organisation?: the scope question answered. - AI supervision: ten regulators: the fragmented supervisory landscape. - The AI training obligation of 2026: AI literacy in practice. - AI supervision and the division of tasks at insurers: sector-specific supervision.
Costs and risk - Getting a grip on AI costs: governance without cost control gets stuck. - AI vendor lock-in and the kill switch: dependency as a board risk.
Insurance and fraud - SynthID, C2PA and stopping insurance fraud: governance in fraud practice. - Voice AI that makes customer service more human: transparency on the customer side.
About Marc Diks
Marc Diks writes about AI, governance and the practice of responsible AI use, with a background of more than 25 years in insurance and a seat at the boardroom table. He builds AI applications himself and looks at AI through the lens of risk, liability and customer trust. More about his background is on the about page.
Want my view on AI and governance in your inbox every week? Subscribe to the newsletter. Not sure whether the AI Act applies to you? Use the AI Act Impact Scanner.
Sources
- Regulation (EU) 2024/1689 (EU AI Act), EUR-Lex: eur-lex.europa.eu (opens in new window)
- Corporate Governance Code 2025, Monitoring Committee: mccg.nl (opens in new window)
- 2025 priority letter, VEB: veb.net (opens in new window)
- Political agreement on the Digital Omnibus (7 May 2026), Consilium: consilium.europa.eu (opens in new window)
- Digital Omnibus on AI, legislative train, European Parliament: europarl.europa.eu (opens in new window)
- EU AI Act Omnibus Agreement, analysis of postponed deadlines, Gibson Dunn: gibsondunn.com (opens in new window)
- EU legislators agree to delay for high-risk AI rules, Hogan Lovells: hoganlovells.com (opens in new window)
- AI Act reloaded, Stibbe: stibbe.com (opens in new window)
- Updated Corporate Governance Code 2025 and new Monitoring Committee, Governance-web: governance-web.nl (opens in new window)
- Corporate Governance Code 2025 and In-Control Statement legally anchored, Accountant.nl: accountant.nl (opens in new window)