Mind the AI Governance Gap: Why HR Leaders Can't Wait for the Law to Catch Up

Meena Sangar | ACIPD | OneTrust Responsible AI Professional | Founder and Fractional Chief People Officer

From where I sit, the real risk isn’t that AI moves too fast – it’s that our people, policies and governance move too slowly. If you’re using AI in your people decisions and you don’t have clear guardrails and proper training in place, you’re not innovating, you’re gambling with your culture and your credibility.
— Meena Sangar

Organisations are pouring money into AI tools, but many are doing it with almost no guardrails.

New BSI research shows that while 62% of business leaders expect to increase AI investment, less than a quarter (24%) say their organisation has an AI governance programme, only 30% assess the risks introduced by AI, and just 24% monitor how employees are actually using AI tools.

At the same time, the EU AI Act is now in force, with obligations phasing in over the next few years. Article 4 already applies: since 2 February 2025 it has required providers and deployers of AI systems to take measures to ensure a sufficient level of AI literacy among staff and others who operate or use those systems on their behalf. That duty sits alongside wider requirements – particularly for high‑risk AI systems – on risk management, human oversight, record‑keeping and post‑market monitoring.

In November 2025, the European Commission proposed a “Digital Omnibus” to simplify parts of the AI Act. One of its proposals is to shift the general AI literacy obligation in Article 4 away from individual organisations and instead require the Commission and Member States to promote AI literacy across the economy through guidance and programmes, while keeping specific training obligations for deployers of high‑risk AI systems. This is only a proposal at this stage: Article 4 in its current form still applies as law until the EU institutions agree and adopt any changes.

For HR and People leaders, the signal is straightforward. Whether AI literacy remains a direct statutory duty or becomes an indirect expectation, organisations will still be judged on how safely, competently and fairly their people use AI. You cannot realistically meet obligations on risk management, human oversight, documentation or incident response without:

  • structured AI training and upskilling; and

  • a clear, enforced internal AI policy and governance framework.

The EU may be looking to simplify how the rules are implemented, but it is not relaxing what you must be able to demonstrate. In a world where most firms are “sleepwalking” into AI, the real differentiator will be those who treat AI governance as a people and culture challenge, not just a technical one.

Next steps

Download our full guide, "The EU AI Act: A Plain-English Guide for UK Businesses" (including "The EU AI Act in 60 Seconds" summary), and read our marketing lead Susi's take on why compliance is actually a competitive advantage, "The EU AI Act Is More Than Compliance – It's An Opportunity".

And if you're not sure where you sit or what to do next, book a call with our team.


Guest post by Meena Sangar | ACIPD | (C-OKRP)™ OneTrust Responsible AI Professional | Founder & Fractional Chief People Officer

Meena Sangar is a People and AI Enablement Consultant and Founder of talonX, helping organisations navigate the intersection of technology and human potential in their HR and people systems. As Interim Co-Chair of GTA Future of Work, she supports organisations to build responsible, future-ready AI and people strategies.


This content is for general information and educational purposes only, not legal or professional advice. General Purpose accepts no liability for decisions made based on this material; please consult a qualified professional for specific guidance.
