From AI Experiment to Governance Layer: Building an EU AI Act Module into AI Portfolio Steering

Over the last months, much of the discussion around Artificial Intelligence has focused on models, copilots, productivity gains and experimentation. Organisations rushed to identify AI use cases, launch pilots and explore potential efficiency gains.

However, as AI adoption matures, a second challenge is emerging rapidly:

How can organisations govern AI systematically across the enterprise?

This question becomes particularly relevant in Europe with the introduction of the EU AI Act — the first comprehensive horizontal AI regulation globally. The regulation introduces a risk-based framework covering prohibited systems, high-risk applications, transparency obligations and governance requirements for providers and deployers of AI systems. (Digital Strategy)

The consequence is significant:
AI initiatives can no longer be treated purely as isolated innovation projects. They increasingly become regulated operational capabilities requiring classification, documentation, oversight and ongoing governance.

This development formed the basis for extending the BICon AI Portfolio Steering platform with a dedicated EU AI Act module.

From Portfolio Prioritisation to AI Governance

The original platform idea was comparatively straightforward:
manage AI initiatives more like an investment portfolio.

Instead of fragmented pilot discussions, organisations should be able to evaluate initiatives across consistent dimensions such as:

  • strategic value
  • scalability
  • operational feasibility
  • explainability
  • governance readiness
  • implementation risk

The platform therefore evolved around the concept of portfolio steering rather than isolated project management. (bicon.digital)

Over time, however, it became apparent that regulatory governance would increasingly become part of portfolio management itself.

Especially under the EU AI Act, organisations must determine:

  • whether an AI system falls under Annex III high-risk classifications
  • which actor role applies (provider, deployer, importer, distributor)
  • whether transparency obligations under Article 50 apply
  • whether General Purpose AI (GPAI) obligations become relevant
  • whether prohibited use cases under Article 5 could be triggered
  • which governance and documentation requirements become necessary (Artificial Intelligence Act)

This creates a fundamentally different operational challenge compared to earlier digital initiatives.

The Structure of the EU AI Act Module

The newly implemented module attempts to operationalise these requirements directly inside portfolio governance workflows.

The module currently consists of four integrated perspectives.

1. AI Act Explanation Layer

The first tab explains the regulation in comparatively simple operational language:

  • scope of applicability
  • risk classes
  • Annex III logic
  • GPAI concepts
  • transparency obligations
  • core provider obligations
  • timelines and staged applicability

The intention is not to replace legal interpretation, but to create management-level accessibility.

One of the practical problems surrounding the AI Act is that many business stakeholders do not understand the terminology or the regulatory structure well enough to participate meaningfully in governance discussions.

The module therefore attempts to translate regulation into operational governance language.

2. Portfolio Readiness Perspective

The second perspective evaluates AI initiatives across the entire portfolio.

Rather than analysing initiatives in isolation, the module creates a consolidated readiness and governance view across all AI initiatives.

This includes dimensions such as:

  • governance maturity
  • oversight capability
  • explainability readiness
  • documentation readiness
  • transparency exposure
  • operational control structures

This perspective becomes increasingly relevant because many organisations already operate dozens or even hundreds of AI-related initiatives simultaneously — often without consolidated visibility.

3. Formal Classification Logic

A central element of the module is the introduction of a structured AI Act classification block within initiative evaluation.

Each initiative can now be formally assessed across dimensions such as:

  • organisational role
  • Annex III applicability
  • prohibited practice exposure
  • Article 50 transparency relevance
  • GPAI relevance
  • governance implications

In addition, the platform introduces soft-sync warnings where regulatory classifications contradict internally assigned risk tiers.

This may sound like a small feature, but operationally it is highly relevant:
many organisations currently classify AI initiatives informally based on business perception rather than regulatory interpretation.

The result is often inconsistent governance treatment.

4. Timeline & Applicability Layer

Another practical challenge of the EU AI Act lies in its staggered applicability structure extending into 2027.

The module therefore integrates a timeline view visualising:

  • phased applicability
  • upcoming obligations
  • governance preparation windows
  • future compliance milestones

This helps transform the regulation from an abstract legal framework into a manageable operational roadmap.

Governance Becomes the New Bottleneck

Perhaps the most interesting observation from building the module was not the regulation itself, but what it reveals about the future direction of AI operating models.

Increasingly, the dominant bottleneck no longer appears to be:
“How do we build AI?”

Instead, the emerging bottleneck becomes:
“How do we govern AI systematically at scale?”

This includes:

  • portfolio transparency
  • risk classification
  • evidence management
  • human oversight
  • documentation structures
  • conformity processes
  • incident management
  • auditability

In other words:
AI governance increasingly resembles enterprise operating infrastructure rather than experimental innovation management.

The Next Development Phase

Several additional capabilities are already planned:

  • article-level evidence repositories
  • automated conformity assessment checklists
  • incident reporting workflows aligned with Article 73
  • exportable audit reports for regulators and auditors
  • stronger linkage between governance scoring and operational portfolio steering

Over time, this may gradually transform AI portfolio management from a prioritisation exercise into a broader governance operating layer for enterprise AI systems.

And perhaps this is ultimately one of the most important implications of the EU AI Act:

The regulation may not primarily slow down AI adoption.

Instead, it may accelerate the professionalisation of AI governance itself. (Digital Strategy)
