The AI Act no longer only concerns lawyers. It requires general management, IT departments and business teams to rethink their governance of artificial intelligence and make compliance a competitive advantage.
The AI Act is often presented as a new challenge that will finally force legal, IT, cybersecurity, product and data departments to work together, and break down company silos. This is a misreading. None of this starts with the AI Act. It started in 2016, with the GDPR. Compliance ceased to be the sole concern of lawyers almost ten years ago. The AI Act does not invent this transversal reality, it extends a trajectory that Europe has been methodically building for almost a decade. This is probably the most misunderstood point of this text.
What the GDPR has already changed
Since 2016, GDPR has made compliance profoundly transversal. Impact analyses, processing registers, data protection by design: none of this has ever been the responsibility of lawyers alone. From day one, we had to mobilize the product, engineering, security and data teams. Anyone who has managed a GDPR program immediately recognizes the scenario that is presented today as unprecedented: a new obligation appears, lawyers analyze it, compliance assesses its impacts, the product identifies the necessary developments, the technology develops them, cybersecurity validates them, the risk functions verify their application. This has been the daily life of European companies for years.
The real change in recent years is therefore not the collapse of new silos. It’s maturity. We now have years of EDPS guidelines, a real body of case law from the Court of Justice and national courts, and mature tools. The rules have become readable. The initial panic has calmed down. GDPR today is mainly about making the right decisions upstream, at the product and process level. Once these choices are made, execution is much less painful than before.
The AI Act extends the trajectory, it does not create it
DORA, NIS2, MiCAR, and now the AI Act: each text meets a specific objective, but all are based on the same foundations. Purpose, accountability, transparency, traceability, and coordination between functions. The IA Act also retains a decentralized model, and data protection authorities retain their jurisdiction over the processing of personal data. In fact, it is often the GDPR that already does a lot of the work on AI.
AI governance has not replaced GDPR compliance. It builds on top. For most companies, governing AI means combining GDPR, the AI Act and applicable industry rules, all applied to new processing. AI is a tool, a building block of infrastructure within a processing activity. It is evaluated like any new treatment, which simply includes a few more technical components.
It is about volume and rhythm. The texts multiply, overlap and evolve constantly, and none concerns a single function. Monitor each development by hand, quickly understand the concrete implications for the same activity, then coordinate the teams who must apply it: on the scale of a large institution, all of this has become unmanageable manually. The difficulty is not that a text is new. It’s about keeping the thread in a flow that never stops.
AI must assist experts, not decide for them
This is precisely where artificial intelligence brings the most value. The problem for legal and compliance teams has never been a lack of expertise. This is the time spent searching for information, comparing texts to internal policies, identifying the products concerned, and coordinating actions between departments. These tasks are repetitive and automatable. Freed from this burden, experts can concentrate on what is truly their job: exercising their judgment, arbitrating risks, supporting strategic decisions.
But on one condition: trust. In highly regulated sectors, a recommendation is only valid if it can be explained, justified and linked to the legal text on which it is based. A decision taken today must remain understandable in several years, in the face of an internal audit or control by the regulator. This is why not all stages of a compliance process are intended to be entrusted to a generative model. Some require above all traceability, explainability and deterministic rules. The question is not to use AI everywhere, but to use the most suitable technology at each stage.
Continuity as an advantage
European regulations are often presented as a brake on innovation. This forgets that the GDPR has become the global reference base, the standard that others copy. The companies that will succeed are not those that treat each new text as a shock. They are those which have integrated the sustainable schemes that Europe has been building for ten years: purpose, legal basis, transparency, traceability, coordination between functions. These absorb the next layer with much less friction, and gain agility while reducing their risks.
So we have to go back to basics. We start with the purpose, then with the legal basis. We build cleanly from the start. This is what turns cost center compliance into a real advantage. Not because the AI Act would be a revolution, but precisely because it is not one.
Basically, the real impact of this regulation is not to better regulate artificial intelligence. It confirms what the GDPR had committed to: organizations that have their legal, compliance, product, cybersecurity and engineering teams working together, on solid and sustainable foundations, are those that do the best. The AI Act does not change the trajectory. He confirms it.