AI in business: governance, risk, and compliance – what management forgets to oversee
In businesses, AI is no longer just a technological topic. It's a governance issue. Let's take a closer look.
Artificial intelligence is spreading rapidly through French companies, often faster than executives can manage it. According to INSEE's ICT survey, 10% of French companies with 10 or more employees reported using AI technology in 2024, up from 6% in 2023: a one-year increase that illustrates the acceleration of the phenomenon. Among large companies with 250 or more employees, this rate reaches 33%, meaning that a third of the organizations most exposed to governance and compliance challenges already have AI systems to manage. This rapid deployment creates a worrying asymmetry: business units experiment, technical teams deploy, but the functions responsible for governance, risk, and compliance often lag behind. Yet it is precisely here that the most critical issues arise for companies subject to regulatory obligations.
AI in business is not just a matter of productivity or innovation. It is a full-fledged governance issue, with its own risks, increasing regulatory requirements, and direct impacts on cybersecurity posture. CISOs, risk managers, compliance officers: this article is for those tasked with framing what is sometimes deployed without their involvement.
What "AI in business" truly encompasses
Before addressing AI governance challenges, it's useful to distinguish between the forms of AI actually present in businesses, since they do not expose the organization to the same risks.
AI integrated into business tools is the most widespread and often the most invisible: scoring algorithms in CRMs, anomaly detection in ERPs, automatic suggestions in collaborative tools. Companies use it without necessarily having explicitly chosen or evaluated it.
Generative AI deployed internally (assistants based on models like GPT-4, Claude, or Mistral, code copilots, document generators) accounts for the most visible uses today and raises the most questions about data confidentiality.
AI systems developed or commissioned by the company for specific business uses (credit scoring, diagnostic assistance, fraud detection, CV screening) constitute the most exposed category from a regulatory standpoint, particularly with regard to the European AI Act.
This distinction is not academic. It directly determines the level of obligation, risk exposure, and the depth of governance required. A CISO who doesn't know which category their organization's AI tools fall into cannot define a coherent risk posture.
The real risks of AI in business: beyond the rhetoric
The dominant narrative around AI in business largely remains focused on benefits: productivity gains, personalization, decision support. This isn't wrong, but it's incomplete. Risk and compliance functions need a much more granular understanding of the exposure surface that AI truly introduces.
Data-related risks
AI thrives on data. In a business context, this means AI systems can ingest, process, or expose sensitive data, whether personal data of employees or customers, confidential business data, or trade secrets. Incidents related to the use of general-purpose LLMs (data pasted into public interfaces, retention of conversation context, usage logs kept by the provider, and, depending on the provider's terms, reuse of inputs for training) illustrate information leakage vectors that do not fit classic risk models: the data leaves the organization's perimeter without any attacker being involved.
Decision quality risks
When a decision is AI-assisted or automated, the question of accountability becomes more complex. A biased model, trained on unrepresentative data, can produce discriminatory or erroneous decisions at scale, with serious reputational, legal, and operational consequences. In sectors like finance, insurance, or HR, these risks are immediate rather than hypothetical.
Dependency and resilience risks
Integrating AI into critical processes creates new dependencies. If a third-party AI tool becomes unavailable, is modified, or compromised, which business processes will halt? Mapping AI dependencies is now part of business continuity planning, and few companies have formalized it yet.
AI-specific cyber risks
AI introduces new attack vectors: prompt injection against generative assistants (including indirect injection through documents or web pages the assistant reads), data poisoning of training or retrieval data, and adversarial examples against recognition systems. These threats are not yet included in most organizations' traditional risk frameworks, even though they are already being actively exploited and are catalogued in references such as the OWASP Top 10 for LLM Applications and MITRE ATLAS.
The AI Act: What Companies Need to Anticipate Now
The European AI Act, which has been progressively entering into application since 2024, establishes the benchmark regulatory framework for AI in businesses within the European Union. Its logic is based on a risk-level classification: high-risk AI systems (in areas such as employment, education, credit, justice, and critical infrastructure) are subject to substantial obligations before being placed on the market or deployed.
For affected companies, these obligations notably include: conducting a conformity assessment, implementing a risk management system, data governance for training and test data, technical documentation of systems, implementing human oversight mechanisms, and maintaining logs and records. The prohibition on AI systems deemed to present an unacceptable risk (social scoring, certain forms of biometric surveillance) has been applicable since February 2025; the bulk of the obligations for high-risk systems apply from August 2026, which leaves little time to build an inventory and a conformity process from scratch.
What the AI Act practically introduces is the obligation to govern AI with the same rigor as any other organizational risk. Companies that have already structured their GRC approach have a real advantage: they possess the processes, frameworks, and tools to integrate AI Act requirements into an existing framework, rather than starting from scratch.
AI Governance: What Are We Actually Talking About?
AI governance in businesses covers a set of practices that remain largely unformalized in most French organizations. It first requires an inventory of the AI systems used, developed, or outsourced, which many refer to as the AI register, by analogy with the GDPR processing register. Without this mapping, no governance is possible.
It then involves a risk-based classification, consistent with the criteria of the AI Act as well as internal risk management frameworks. Not all AI uses face the same challenges: an internal support chatbot does not require the same level of control as a scoring system used for service access.
AI governance also requires defining who decides and who is responsible: what role for the CISO, the DPO, the risk manager, and business units? In many companies, this chain of responsibility is not yet established, creating dangerous grey areas in the event of an incident.
Finally, it involves continuous control mechanisms: regular reviews of model performance, drift monitoring, robustness testing, and procedures for handling anomalies. AI governance is not a one-time event; it's an ongoing operational process.
Integrating AI into cyber risk management: an operational necessity
For CISOs, AI in businesses is both a tool and a risk factor. A tool, because threat detection, incident response, and behavioral analysis solutions increasingly incorporate AI capabilities. A risk factor, because AI systems deployed within an organization expand the attack surface and introduce new vulnerabilities.
Integrating AI into cyber risk management involves several concrete developments. Risk mapping must now include AI systems as full-fledged assets, with their dependencies, data flows, and specific exposure vectors. Risk scenarios (particularly in the context of an EBIOS RM analysis) must integrate threat sources exploiting AI vectors. Continuity plans must cover failure or compromise of critical AI systems.
This evolution is not a separate undertaking layered on top of existing ones. It fits into existing GRC processes, provided they are sufficiently structured and flexible to absorb new risk categories.
What NIS2 and DORA Add to the Equation
AI in business cannot be managed outside the broader regulatory context. For organizations subject to NIS2 or the DORA regulation, AI introduces additional dimensions to manage.
NIS2 mandates robust and documented risk management, including the supply chain. AI tool providers fall within this scope: their security level, development practices, and operational resilience must be assessed. A failing or compromised third-party AI tool can pose a systemic risk vector for the entity using it.
DORA, for financial entities, imposes an ICT risk management framework that de facto applies to AI systems. Resilience testing, incident management, and oversight of third-party providers apply to AI tools just as they do to other components of the information system.
In this regulatory context, companies that have already structured their risk governance are better positioned to absorb AI-related requirements, not because they anticipated everything, but because they have a management infrastructure that can be extended.
How to Practically Manage AI in Business: Operational Priorities
Given the scope of the topic, risk and compliance functions need clear entry points. Here are the priorities that allow for structuring the approach without starting from scratch.
Conduct an inventory of AI uses. This is foundational to everything else. Without knowing what is deployed, it's impossible to govern. This inventory must cover AI tools integrated into business solutions, AI tools used directly by employees (including unsanctioned uses), and systems developed or commissioned internally.
Classify by risk level. Not all uses are handled the same way. Classification must be based on the criteria of the AI Act, but also on internal frameworks (impact on critical processes, data exposure, decision-making autonomy).
Integrate AI into existing GRC processes. Rather than creating an AI silo, the goal is to extend existing risk management, compliance audit, and third-party oversight processes to incorporate the AI dimension. This is both more efficient and more consistent with regulatory logic.
Define an AI data security policy. What data can be processed by which AI systems, and under what conditions? This policy is the logical complement to the existing Information Systems Security Policy (PSSI); it specifies its application modalities for AI use cases.
Educate and raise awareness. AI governance cannot rely solely on risk and compliance functions. Business units, IT teams, and employees who use these tools daily must understand the challenges and their implications.
Governing AI: an urgent matter that doesn't just concern technical teams
AI in business is an operational reality that goes beyond a mere promise of productivity. For CISOs, risk managers, and compliance officers, it represents a new scope of risks to map, regulatory obligations to anticipate (particularly under the AI Act), and a governance challenge to quickly structure.
Organizations that approach this undertaking with the same rigor already applied to their cyber risk management and regulatory compliance will gain a decisive advantage. Those that wait for an incident or a formal notice will fall behind on a topic that the regulatory environment makes unavoidable.
Do you want to understand how to integrate AI governance into your existing GRC framework? Discover how Egerie enables you to manage your AI risks within a unified framework by requesting a demo.
FAQ on AI in Business
What is AI in business?
AI in business refers to all artificial intelligence systems deployed within an organization: business tools integrating AI, generative assistants used by employees, or systems developed internally for specific uses such as fraud detection or customer scoring. According to INSEE, 10% of French companies with 10 or more employees used AI technology in 2024, a figure that reaches 33% among large enterprises.
What are the main risks of AI in business?
The risks are multifaceted: the confidentiality and quality of processed data, algorithmic biases that can lead to erroneous or discriminatory decisions, AI-specific attack vectors (prompt injection, data poisoning), and dependency risks when critical processes rely on unmanaged third-party systems.
What are the regulatory obligations related to AI in business?
The primary framework is the European AI Act, which imposes obligations based on the risk level of the systems: conformity assessment, technical documentation, and human oversight for high-risk systems. On top of this come the GDPR for personal data and regulations such as NIS2 or DORA, whose requirements stack depending on the industry.
How to practically govern AI in business?
The approach is based on three key steps: inventorying the AI systems used or outsourced, classifying them by risk level in line with the AI Act, and then integrating them into existing GRC processes rather than creating a separate silo. An AI data security policy, complementing the information systems security policy (PSSI), then formalizes the usage rules.
What is the CISO's role regarding AI in business?
The CISO is involved in two capacities: as a user of AI tools for threat detection, and as the owner of a new risk perimeter. Specifically, this means integrating AI systems into risk mapping, evolving threat scenarios, and ensuring that continuity plans cover potential failures of these systems.