---
title: AI Governance
date: 2026-06-01T17:19:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/glossary/ai-governance"
section: Glossar
---
With the proliferation of AI tools in the enterprise environment, a new governance problem emerges: employees use AI tools productively, often without the IT or legal department having visibility into what data is being transferred where. This uncontrolled growth of AI usage is known as Shadow AI.

AI governance typically encompasses: an AI usage policy (which tools are permitted for which data?), an inventory of all deployed AI systems and their data flows, a risk classification under the EU AI Act, data protection impact assessments (GDPR Art. 35) for high-risk AI systems, monitoring of AI outputs for quality and compliance, and clear accountability (AI officer, CISO).

The EU AI Act makes AI governance mandatory for many organizations: high-risk systems require complete documentation, logging and human oversight. The Act also requires registration of certain AI systems in an EU database.

On-premises AI significantly simplifies AI governance: data flows are transparent and controllable, there are no external providers whose data protection practices need to be audited, and complete logging of all queries is possible within the system itself.

### GDPR

The GDPR (General Data Protection Regulation, EU 2016/679) is the European regulation for the protection of personal data — particularly relevant for IT infrastructure in Art. 5 (principles), Art. 17 (right to erasure), Art. 28 (processors) and Art. 32 (security of processing).

[Learn more →](https://www.fast-lta.de//en/glossary/gdpr)
## Frequently asked questions

#### What is the difference between AI governance and data protection?

Data protection (GDPR) is one component of AI governance. AI governance is broader: in addition to data protection, it encompasses quality assurance of AI outputs, traceability of decisions, protection of trade secrets, EU AI Act compliance and organizational accountability.

#### Who is responsible for AI governance in an organization?

Depending on company size and structure, responsibility lies with the CISO, the data protection officer or a newly created AI officer. The EU AI Act explicitly requires named responsible parties for high-risk systems. A sensible combination: IT/Security for technical controls, data protection for legal compliance, management for strategic AI policies.
