EU AI Act · 12 min read · 28 May 2026

AI Governance for SaaS: Documentation, Policies, and Compliance Obligations in 2026

The EU AI Act is in force, GDPR Art. 22 applies to automated decisions, and enterprise customers are asking about AI governance policies. Here's the complete documentation stack for AI-powered SaaS in 2026.

AI governance: from optional to mandatory

In 2022, AI governance was a nice-to-have for responsible tech companies. In 2026, it's a legal obligation in the EU, a procurement requirement for enterprise customers, and an increasingly expected element of SOC 2 and ISO 27001 trust frameworks.

The EU AI Act is in full force. GDPR Art. 22 on automated decision-making has been actively enforced for years. Enterprise procurement teams now routinely include AI governance questions in security questionnaires. Investors are asking about AI risk management in due diligence.

If your SaaS product uses AI — even a single OpenAI API call — you need a governance framework. This guide explains what that framework looks like and what documentation you need to produce.

The EU AI Act in 2026: where things stand

Here's the timeline as of mid-2026:

Date | What became applicable
1 August 2024 | Act entered into force
2 February 2025 | Prohibition on unacceptable-risk AI (Art. 5) + AI literacy obligations (Art. 4)
2 August 2025 | GPAI model obligations (Art. 51-55) + governance and penalties (Art. 56-95) + EU AI Office operational
2 August 2026 | Full applicability — high-risk AI system obligations (Art. 6-50) + all other provisions
2 August 2027 | High-risk systems already on the market must be brought into compliance; Annex I safety-component systems

We are now at full applicability. GPAI model obligations have been live for a year. High-risk system obligations are fully in effect. The EU AI Office is operational and conducting its first market surveillance activities.

The four-tier risk framework: where does your SaaS sit?

Tier 1: Unacceptable risk — prohibited

Banned AI practices under Art. 5. These have been prohibited since February 2025. They include: social scoring by public authorities, real-time remote biometric identification in public spaces (narrow law enforcement exceptions), emotion recognition in workplaces and educational institutions, AI that exploits vulnerabilities of persons with disabilities or children, and subliminal manipulation techniques.

If your SaaS is anywhere near these categories, you have a problem that goes beyond governance documentation.

Tier 2: High-risk (Annex III)

AI systems used in: biometric identification, critical infrastructure management, education and training, employment (CV screening, hiring, performance evaluation), essential private services (credit, insurance), law enforcement, migration and border control, justice administration, democratic processes.

For most SaaS companies, the relevant high-risk category is employment. If your product uses AI to screen CVs, rank job applicants, evaluate employee performance, or make recommendations about hiring and firing, you are in the high-risk tier. The compliance obligations are substantial.

Obligations for high-risk providers include: risk management system, data governance, technical documentation, automatic logging, transparency to users, human oversight design, accuracy/robustness/cybersecurity standards, conformity assessment, registration in EU database, and CE marking.

Tier 3: Limited risk (Art. 50)

AI systems subject to transparency obligations. This covers:

  • Chatbots and conversational AI: Users must be informed they are interacting with AI (unless obvious from context)
  • Emotion recognition systems: Must inform persons being subject to emotion recognition
  • Biometric categorisation systems: Must inform persons exposed to the system
  • AI-generated content (deepfakes, synthetic media): Must be marked as artificially generated, except for legitimate artistic works

This is where most SaaS AI features sit. If you have a chatbot or AI assistant, you need an Art. 50 disclosure. If you generate synthetic content, it must be marked. This is already enforceable.

Tier 4: Minimal risk

No specific EU AI Act obligations. Spam filters, AI in games, simple recommendation systems without high stakes, etc. However, best practice governance is still advisable — enterprise customers will ask.

GPAI models: a separate framework

If you are a provider of a GPAI model (meaning you trained it and offer it to others), Art. 51-55 applies with specific documentation requirements. If you are a deployer using OpenAI, Anthropic, Mistral, or another provider's GPAI model via API, the primary GPAI obligations fall on that provider. Your obligations as a deployer are set by the risk tier of your specific use case.

GDPR intersection: the forgotten dimension

The EU AI Act doesn't replace GDPR — they overlap and compound each other.

GDPR Provision | AI Relevance | Action Required
Art. 5 — Data minimisation | Training data and inference data must be limited to what is necessary | Review data pipelines for AI features; document in the privacy notice
Art. 13/14 — Transparency | Must inform users when their data is processed by AI, including automated decisions | Update the privacy notice with AI processing activities
Art. 22 — Automated decision-making | Solely automated decisions with legal or significant effects require: a legal basis (consent or contractual necessity), the right to human review, the right to an explanation, and the right to contest | Identify Art. 22 processing; ensure an appropriate basis and safeguards
Art. 25 — Privacy by design | AI systems must be designed with data minimisation and pseudonymisation where possible | Document PbD decisions in the DPIA or technical documentation
Art. 35 — DPIA | AI processing involving systematic profiling, large-scale special-category data, or novel technology that meets one of the EDPB's nine criteria likely requires a DPIA | Conduct a DPIA for high-risk AI processing activities

The AI governance documentation stack

Here's what a complete AI governance documentation stack looks like for a typical AI-powered SaaS product in 2026:

Document | Purpose | Required for | Generator
AI/ML Model Card | Technical documentation of model capabilities, limitations, training data, and safety | EU AI Act Art. 53 (GPAI providers); high-risk Art. 11; best practice for all | AI Model Card Generator
EU AI Act Transparency Declaration | Art. 50 user-facing disclosure + provider/deployer obligations checklist | All AI systems with limited risk or above; chatbots; synthetic content | EU AI Act Declaration Generator
DPIA (AI-focused) | GDPR Art. 35 impact assessment for high-risk AI processing of personal data | AI systems involving profiling, automated decisions, large-scale processing, or new technology | DPIA Template Generator
Updated Privacy Notice | Art. 13/14 disclosure of AI processing activities to data subjects | Any AI processing involving personal data | Privacy Policy Generator
AI Acceptable Use Policy | Defines how users may and may not use your AI features | Best practice; reduces liability for misuse | AUP Generator
Information Security Policy (AI section) | Security controls for AI systems: model versioning, access control to models, adversarial testing | SOC 2, ISO 27001 — enterprise sales | InfoSec Policy Generator

AI literacy requirements (Art. 4) — now in force

Often overlooked: Art. 4 requires providers and deployers to take measures to ensure their staff have sufficient AI literacy — the skills and knowledge to understand how AI systems work, the risks they present, and the legal obligations that apply.

This doesn't require formal certification. It means: training your team on the EU AI Act basics, documenting that training was conducted, and ensuring the people working with AI systems understand the relevant risk classifications and documentation requirements.

Enterprise procurement: what customers will ask

If you sell to enterprises — particularly in regulated industries (financial services, healthcare, legal, HR tech) — your sales process will increasingly include AI governance questions. Common requests:

  • Do you have a model card or technical documentation for your AI features?
  • What data is used to train or fine-tune your models?
  • Is customer data used for training? (If yes: what's the legal basis?)
  • How do you handle GDPR Art. 22 (automated decisions)?
  • What is your EU AI Act risk classification?
  • What human oversight is in place for AI-generated outputs?
  • Do you conduct adversarial testing on your AI systems?
  • How do you handle AI-related incidents?

Having a model card and EU AI Act declaration ready dramatically shortens the enterprise sales cycle on AI governance questions.

Build your AI governance stack now

⚠️ This guide is for informational purposes only and does not constitute legal advice. EU AI Act interpretation and enforcement practice are evolving rapidly. Consult qualified legal counsel for specific advice on your AI system.