Artificial intelligence has entered a new phase.
It is no longer a subject of exploration, but a subject of strategic decisions, often made under tension, between the injunction to move fast, the need to identify the right use cases and a rapidly evolving regulatory framework. The European AI regulation has been applying progressively since August 1, 2024, and the next structuring milestone remains, at this stage, August 2, 2026, the date on which the majority of the rules will come into application, including the transparency obligations provided for in Article 50.
For CDOs, this profoundly changes the nature of the subject. AI governance can no longer be approached as a simple compliance project, nor as a purely technical subject. It becomes a steering capability in its own right: a way to arbitrate a portfolio of use cases, to align data, business, IT and risk, and to scale AI without losing control.
Three realities that require organizations to act now
1. AI is now becoming central in enterprise transformation arbitrations
Organizations no longer only ask whether to experiment, but where to invest, on which uses to position themselves, how to industrialize and under what conditions of control. This acceleration puts companies under tension: they must move fast to capture value, while avoiding deploying systems that are poorly understood, poorly framed or insufficiently secured.
The challenge is therefore no longer only technological. It is now strategic, because decisions related to AI directly impact operating models, critical processes, interactions with customers, dependence on suppliers and the organization’s ability to demonstrate that it remains in control.
2. Preparation for the AI Act must start now
Even if discussions are ongoing within the framework of the Digital Omnibus, the European Commission continues to indicate that August 2, 2026 remains a central milestone for the entry into application of the majority of provisions, while regulatory support and standardization work continue.
One point is already clear: at this deadline, the transparency obligations of Article 50 will notably target generative AI, interactive systems and deepfakes. The Commission indicates that these obligations notably cover informing individuals when they interact with an AI system, marking generated or manipulated content in a machine-readable format, as well as informing the public when artificial or manipulated content is disseminated. It also specifies that the solutions implemented must be, as far as technically possible, reliable, effective, interoperable and robust.
For a CDO, this means that regulation must not be treated downstream, once use cases have already been launched. It must be integrated from the scoping phase, in the same way as data, target architecture, supplier dependencies, human oversight and traceability requirements. Organizations that wait until the last moment will take the risk of suffering regulation instead of steering it.
3. Exposure to risks is expanding and requires continuous governance
As uses spread, the company’s exposure also expands. Risks are not only regulatory. They are also cyber, operational, reputational and sometimes directly business-related, when AI influences sensitive processes, decision-making or externally visible interactions. The risk is also to see, over the course of projects, an AI portfolio being built that is difficult to read, difficult to compare, difficult to prioritize and therefore difficult to industrialize sustainably.
In this context, AI governance can no longer be treated as a one-off subject, nor as a simple documentation of the existing. It must become continuous, structured and proportionate steering, capable of accompanying the evolution of uses, obligations, suppliers and real risks over time.
The 3 fundamentals of AI governance
In this context, three fundamentals are essential:
1. Mapping AI systems and actually deployed use cases
The first fundamental consists in knowing precisely which AIs are used in the organization. This includes systems developed internally, components integrated into business tools, assistants, supplier solutions and external services based on AI models.
Without a reliable inventory, it becomes impossible to determine which systems are actually at stake, what functions they perform, which flows they mobilize, to which suppliers they expose the organization and which obligations may apply. AI governance therefore begins with visibility.
This mapping is not an administrative inventory: it is the basic condition for credible steering. Without a consolidated view, it becomes impossible to arbitrate priorities, compare uses, anticipate applicable obligations or understand where the real points of dependency and fragility lie.
2. Qualifying the real risks associated with each system
The second fundamental consists in qualifying real risks, and not only applying a theoretical reading of texts. It is about assessing, for each system, regulatory risks, but also technological, cyber, contractual, business and reputational risks.
Useful governance is not abstract. It must make it possible to distinguish the most sensitive systems, to prioritize, to identify concrete points of vigilance and to direct efforts where exposure is real. It is this qualification capability that makes it possible to move from a logic of listing to a logic of steering.
3. Steering over time the necessary actions
The third fundamental consists in organizing the monitoring over time of the necessary actions. The responses to be provided are not only legal. They can be contractual, technological, organizational or related to cybersecurity.
This implies tracking, over time, applicable requirements, measures to be implemented, supplier dependencies, documentation to be produced, remediation plans, internal controls and cost arbitrations. The objective is not to multiply layers of governance, but to have a readable, sustainable and truly operational framework.
A tooled governance to maintain control
It is precisely to address these challenges that we have developed Naaia, a centralized AI governance solution.
It makes it possible to build a single repository of AI systems, to automatically qualify risk levels, to identify applicable obligations and to generate associated action plans, including vis-à-vis suppliers. Regulatory evolutions are integrated continuously, in order to secure steering and free teams from monitoring and coordination burdens.
For a CDO, the challenge is clear: to have a consolidated view to arbitrate faster, industrialize more smoothly and maintain control over the systems actually deployed in the organization.
Conclusion
In AI, the difficulty is no longer only to innovate. It is to choose the right uses, to scale them and to decide quickly without losing control.
And this control relies neither on a purely documentary approach, nor on an isolated reading of regulatory risk. It relies on governance capable of linking use cases, data, risks, obligations, suppliers and action plans within a readable, tooled and sustainable framework over time.