# AI governance: the complete guide for boards and organisations

AI governance is the collection of policy, roles and controls with which an organisation steers towards responsible, safe and valuable AI use. In 2026 it is no longer an IT project but a board responsibility. Through the EU AI Act, the renewed Corporate Governance Code and the In-Control Statement, boards now personally sign for the control of their AI systems.

Last updated: 8 July 2026. Author: Marc Diks.

## TL;DR

- AI governance shifted in 2026 from the IT department to the boardroom table: boards are now demonstrably responsible for the risks of their AI systems.
- Three forces drive this: the EU AI Act, the In-Control Statement (VOR) in the Corporate Governance Code 2025, and shareholders who, via the VEB, demand an AI SWOT in the annual report.
- The AI Act timeline has shifted: high-risk obligations (Annex III) apply from 2 December 2027, but prohibited practices and the AI literacy duty have applied since 2 February 2025.
- Most important action: map all AI systems (including shadow AI), classify by risk, explicitly assign oversight.
- Biggest pitfall: treating AI governance as a one-off compliance document instead of an ongoing process.

## Key facts (with source)

- The EU AI Act (Regulation (EU) 2024/1689) has been in force since 1 August 2024; prohibited practices and the AI literacy duty (Art. 4) have applied since 2 February 2025. Source: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Through the Digital Omnibus, high-risk obligations are postponed: Annex III to 2 December 2027, Annex I to 2 August 2028. Political agreement 7 May 2026, European Parliament approval 16 June 2026. Source: https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- The AI literacy duty remains but has been softened to a best-efforts obligation. Source: https://www.stibbe.com/publications-and-insights/ai-act-reloaded-what-the-latest-ai-act-changes-mean-in-practice
- Watermarking duty (Art. 50(2)) for existing systems postponed to 2 December 2026; new ban on NCII and CSAM generation from 2 December 2026. Source: https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
- Fines under the AI Act: up to 35 million euros or 7% of worldwide annual turnover for the most serious breaches. Source: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- The Dutch Corporate Governance Code was updated on 20 March 2025 with the In-Control Statement (VOR); new Monitoring Committee appointed 17 March 2025 under Rob van Wingerden. Source: https://www.mccg.nl/documenten/2025/03/corporate-governance-code-2025
- The In-Control Statement applies to financial years starting on or after 1 January 2025, with the first statement covering financial year 2025. Source: https://governance-web.nl/nieuws/geupdatete-nederlandse-corporate-governance-code-2025-en-nieuwe-monitoring-commissie-benoemd/
- The Code was legally anchored via a decree in early 2026; on 2 February 2026 the decree amending the Decree on the Content of the Management Report was published. Source: https://www.accountant.nl/nieuws/2026/2/corporate-governance-code-2025-en-vor-wettelijk-verankerd/
- The VEB named "impact of generative artificial intelligence (AI)" as a priority in its 2025 priority letter and asks for an AI SWOT in the management report. Source: https://www.veb.net/artikel/09715/veb-speerpuntenbrief-2025-waardecreatie-ai-en-livestreams

## What is AI governance and why now?

AI governance is how an organisation decides who may deploy which AI, under what conditions, with what oversight and what accountability afterwards. It answers four questions: which AI do we use, who is responsible, which risks do we accept, and how do we demonstrate that we are in control.

It is urgent now for three reasons: the EU AI Act is in force with binding obligations since February 2025; the renewed Corporate Governance Code forces an explicit board statement on risk management via the In-Control Statement; and shareholders, via the VEB, demand an AI SWOT in the annual report.

## Why AI governance belongs at the boardroom table

AI has shifted from an IT experiment to a board matter. The difference lies in accountability: an IT project can fail without personal consequences, a board matter cannot. The In-Control Statement makes risk management a public board statement, and shareholders demand insight into how AI creates or threatens value. AI governance is therefore not delegable to a technical layer. A board that does not understand how its own algorithms decide cannot provide the required accountability.

IT project versus board matter:

| Characteristic | AI as an IT project (old) | AI as a board matter (2026) |
|---|---|---|
| Owner | IT or innovation department | Management board, overseen by the supervisory board |
| Core question | Does the technology work? | Are we demonstrably in control? |
| Risk | Project risk, budget | Director liability, reputation |
| Accountability | Internal reporting | Management report, shareholder meeting |
| Time horizon | Per project | Ongoing, accounted for annually |

## The legal framework: the AI Act, the In-Control Statement and the Corporate Governance Code 2025

Three frameworks together determine what AI governance legally means in the Netherlands: the In-Control Statement forces accountability, the AI Act sets the substantive requirements, and the Corporate Governance Code anchors the whole in the management report.

The EU AI Act takes a risk-based approach with four categories: unacceptable risk (prohibited), high risk, transparency risk and minimal risk. Through the Digital Omnibus (Commission proposal 19 November 2025, political agreement 7 May 2026, European Parliament approval 16 June 2026), the heaviest high-risk obligations have been postponed.

Revised AI Act timeline:

| Obligation | Original | After Digital Omnibus |
|---|---|---|
| Prohibited practices + AI literacy (Art. 4) | 2 February 2025 | Unchanged: since 2 February 2025 |
| GPAI obligations | 2 August 2025 | Unchanged: since 2 August 2025 |
| Transparency (Art. 50, mostly) | 2 August 2026 | Unchanged: 2 August 2026 |
| Watermarking legacy systems (Art. 50(2)) | 2 August 2026 | Postponed to 2 December 2026 |
| New ban on NCII and CSAM generation | n/a | New: from 2 December 2026 |
| High risk, standalone (Annex III) | 2 August 2026 | Postponed to 2 December 2027 |
| High risk, embedded (Annex I) | 2 August 2027 | Postponed to 2 August 2028 |
| National AI sandboxes | 2 August 2026 | Postponed to 2 August 2027 |

The AI literacy duty (Art. 4) has not been scrapped but softened to a best-efforts obligation. Transparency obligations have not been postponed. Fines: up to 35 million euros or 7% of worldwide annual turnover.

The In-Control Statement is included in the Corporate Governance Code updated on 20 March 2025. The board states in the management report the level of assurance its internal risk-management and control systems provide for operational, compliance and reporting risks. A failing AI system falls under the operational and compliance risks. The In-Control Statement applies to financial years from 1 January 2025.

The Code works on a comply-or-explain basis. Shareholders judge weak statements critically, and the VEB explicitly asks for an AI SWOT in the annual report.

## The building blocks of an AI-governance framework

An AI-governance framework consists of six building blocks that interact:

1. Inventory: map every AI system, including self-purchased tools.
2. Classification: sort every system according to the AI Act's risk categories.
3. Policy and decision rules: set out which use and which data are allowed, and who approves.
4. Oversight and roles: assign responsibility, often via a multidisciplinary AI committee.
5. Data and bias: check training data for bias and sensitive data, document with explainability in mind.
6. Monitoring and accountability: include AI risks in risk management and anchor the judgement in the In-Control Statement.

Governance self-check:
- Is there an up-to-date inventory of all AI systems, including self-purchased tools?
- Is every system classified according to the AI Act's risk categories?
- Is there policy that sets out which data may and may not go into AI tools?
- Is there one responsible person or committee that vets new AI initiatives in advance?
- Are employees who work with AI demonstrably trained (AI literacy)?
- Are the AI risks included in risk management and the In-Control Statement?

## Shadow AI: why policy alone does not work

Shadow AI is the use of AI tools outside the view of IT and the board. It is the blind spot that trips up most frameworks: you cannot govern systems you do not know about. Simply blocking it backfires, because employees switch to personal accounts. It is more effective to understand who uses AI and for what, and to offer safe alternatives. AI governance is therefore also a behavioural issue, not only a legal one.

## Who is liable if AI fails?

Ultimate responsibility lies with the management board, overseen by the supervisory board. The In-Control Statement reinforces this: by publicly committing to a judgement about its own risk management, a board can more quickly be held to account for improper governance or misleading reporting in the event of a major incident (among others Article 2:249 of the Dutch Civil Code). Not knowing about your own AI systems is no longer a viable defence.

Division of roles:

| Body | Role in AI governance | Core question |
|---|---|---|
| Management board | Ultimately responsible for policy and execution | Are we demonstrably in control of our AI? |
| Supervisory board | Oversight and sounding board | Does the board base its statement on real evidence? |
| AI committee or Risk | Vets initiatives, safeguards policy | Does this system meet our requirements? |
| Business and employees | Responsible use in practice | Am I using this within the agreed rules? |

The supervisory board must not sit back passively. The need for technological knowledge on the board (the tech-savvy supervisory director) is increasing.

## AI governance through an insurance lens

In insurance, which runs on risk assessment, fraud detection, claims handling and customer trust, governance becomes tangible. A fraud-detection model is a classic high-risk system: it co-decides on an individual's rights. Without governance such a model can disadvantage customer groups, resulting in discrimination and reputational damage. With governance you record how you check for bias, how human oversight is arranged, and how you explain a decision. The core of the new requirement is explainability: can you explain to a customer or regulator why the model made this decision?

## The biggest misconceptions about AI governance

- Misconception: AI governance is a job for the IT department. In reality it is a board responsibility.
- Misconception: because of the AI Act postponement we have until the end of 2027. In reality prohibited practices, AI literacy and most transparency rules already apply.
- Misconception: if we write an AI policy, we are compliant. In reality a document is not a control.
- Misconception: AI governance is purely defensive. In reality shareholders specifically ask about the upside.
- Misconception: "we didn't know that system used AI" protects us. In reality ignorance is no longer a defence.
- Misconception: a privacy check (GDPR) already covers the AI risks. In reality the AI Act sets its own requirements that go beyond privacy.

## How do you approach AI governance? (step-by-step plan)

1. Inventory all AI, including shadow AI.
2. Classify each system by risk.
3. Appoint one responsible person or committee, with a mandate.
4. Draw up concrete policy and decision rules.
5. Arrange AI literacy, also for end users and the board.
6. Set up data and bias controls as an ongoing process.
7. Anchor it in risk management and the In-Control Statement.

## Frequently asked questions

What is AI governance in short?
AI governance is the collection of policy, roles, processes and controls with which an organisation steers towards responsible, safe and valuable AI use. In 2026 it is primarily a board responsibility.

Is AI governance legally required in the Netherlands?
There is no separate law with that title, but in practice it is mandatory via the EU AI Act and the Corporate Governance Code 2025 (In-Control Statement).

What is the In-Control Statement (VOR)?
A statement in the management report about the level of assurance the internal risk-management and control systems provide for operational, compliance and reporting risks. Applies to financial years from 1 January 2025.

Does the EU AI Act still apply from August 2026?
Partly. High-risk obligations are postponed (Annex III to 2 December 2027, Annex I to 2 August 2028), but prohibited practices, AI literacy and most transparency rules already apply or remain on 2 August 2026.

Who is liable if an AI system causes harm?
The management board, overseen by the supervisory board. The In-Control Statement increases the chance of director liability. Ignorance is no defence.

What is shadow AI and why is it a governance risk?
The use of AI tools outside the view of IT and the board. You cannot govern systems you do not know about; blocking backfires.

What is the difference between AI governance and the AI Act?
The AI Act is a law with concrete requirements. AI governance is broader: how an organisation governs AI, with the AI Act as one input alongside the Code, the In-Control Statement and shareholder demands.

How do I start with AI governance in my organisation?
Start with an inventory of all AI systems, classify by risk, appoint a responsible person, draw up policy, arrange AI literacy, set up data and bias controls, and anchor it in risk management and the In-Control Statement.

## Sources

- EU AI Act, Regulation (EU) 2024/1689: https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Consilium, Digital Omnibus AI agreement (7 May 2026): https://www.consilium.europa.eu/en/press/press-releases/2026/05/07/artificial-intelligence-council-and-parliament-agree-to-simplify-and-streamline-rules/
- European Parliament, Digital Omnibus on AI (legislative train): https://www.europarl.europa.eu/legislative-train/package-digital-package/file-digital-omnibus-on-ai
- Gibson Dunn, Omnibus postponed high-risk deadlines: https://www.gibsondunn.com/eu-ai-act-omnibus-agreement-postponed-high-risk-deadlines-and-other-key-changes/
- Hogan Lovells, delay for high-risk AI rules: https://www.hoganlovells.com/en/publications/eu-legislators-agree-to-delay-for-highrisk-ai-rules
- Stibbe, AI Act reloaded (AI literacy): https://www.stibbe.com/publications-and-insights/ai-act-reloaded-what-the-latest-ai-act-changes-mean-in-practice
- Monitoring Committee, Corporate Governance Code 2025: https://www.mccg.nl/documenten/2025/03/corporate-governance-code-2025
- Governance-web, updated Code 2025 and In-Control Statement: https://governance-web.nl/nieuws/geupdatete-nederlandse-corporate-governance-code-2025-en-nieuwe-monitoring-commissie-benoemd/
- Accountant.nl, Code 2025 and In-Control Statement legally anchored: https://www.accountant.nl/nieuws/2026/2/corporate-governance-code-2025-en-vor-wettelijk-verankerd/
- VEB, 2025 priority letter: https://www.veb.net/artikel/09715/veb-speerpuntenbrief-2025-waardecreatie-ai-en-livestreams

Canonical: https://www.marcdiks.nl/ai-governance
Author: Marc Diks