The governance infrastructure that most organisations treat as a compliance overhead is the same infrastructure that makes every subsequent AI deployment faster, safer, and cheaper to get to production. This engagement demonstrated that directly: by Month 6, the organisation had a pre-cleared pathway for new AI tool deployments that reduced evaluation time from ad hoc weeks to a structured 5-day fast-track process.
The engagement was triggered by two concurrent events in Q1 2026. The organisation's legal team issued a formal notice that the EU AI Act's Annex III full enforcement date (2 August 2026) created compliance obligations for the organisation's AI use in credit assessment and employment screening — both Annex III categories. Simultaneously, an IT security audit found that 93% of AI tool use across the organisation was occurring through personal, non-corporate accounts, with no data handling controls, no audit trail, and no mechanism for the organisation to know what data was being entered.
The two findings, taken together, constituted a material regulatory and reputational risk. The organisation did not know what data its employees were entering into AI systems. It had no ability to demonstrate to a regulator that it had taken reasonable steps to prevent prohibited or high-risk AI use. And it had no governance infrastructure from which to build a compliant position in the time available.
The EU AI Act applies differently to different types of AI use. For a financial services organisation, the most critical category is HIGH RISK (Annex III): AI used in credit scoring, automated credit decisions, employment screening, and AI used in critical infrastructure. These systems require full Annex IV technical documentation, a named operator, human oversight design, bias testing, and registration in the EU AI database before deployment — none of which the organisation had in place for any of its AI tools, several of which were being used for exactly these purposes.
The maximum EU AI Act penalty for non-compliance with high-risk system obligations is EUR 35 million or 7% of global annual turnover, whichever is higher. For an organisation with EUR 80M+ annual revenue, this was a material board-level risk that could not be addressed through a policy memo.
• Unacceptable risk (prohibited practices): No systems in this category identified. Confirmed post-audit.
• High risk (Annex III): 12 tools in active use for credit assessment, employment screening, and client advisory that required Annex IV documentation, human oversight design, and conformity assessment. All 12 prohibited until compliant. EUR 35M / 7% revenue maximum penalty.
• Limited risk (transparency obligations): 8 tools used for client-facing communication (chatbots, AI-drafted emails) requiring disclosure to clients that they are interacting with AI-assisted content. Disclosure obligations added to AUP.
• Minimal risk: 27 tools with no regulated data involvement. 8 ultimately approved; 19 not approved for business use (personal productivity tools with no enterprise value proposition).
Beyond the regulatory risk, the shadow AI audit revealed a more immediate operational risk: client data was being entered into AI systems with no data handling controls and no ability to retroactively audit what had been disclosed. Advisers were drafting client-facing documents with client financial information entered into personal AI accounts. Compliance teams were using AI to summarise regulatory documents that included confidential internal analysis. HR teams were using AI to draft employment screening notes that included protected attribute information.
None of these uses were malicious or reckless. They were the predictable result of a workforce that had discovered AI tools were genuinely useful and had found no official alternative. The fix was not a ban. It was a governed, capable, fast-moving programme that was more useful than the ungoverned alternative.
The governance programme was sequenced to produce compliance assurance on the regulatory priorities first, then staff enablement through the approved programme. The sequence was not driven by what was easiest. It was driven by what reduced legal exposure fastest while building the foundation for a programme that employees would actually use.
The shadow AI audit was conducted before any internal communication about the governance programme. This sequencing was deliberate: if the audit was announced before it was conducted, employees who knew they were using unapproved tools would have stopped using them temporarily, understating the true landscape. The audit used a combination of network traffic analysis (IT), voluntary disclosure via an anonymous tool survey, and function-level interviews to produce the most accurate possible baseline.
The audit found 47 distinct AI tools in active use. These were classified against the three-tier shadow AI risk framework: TIER 1 (HIGH RISK — regulated data involved, remediate within 30 days), TIER 2 (MEDIUM RISK — proprietary or confidential data, remediate within 60 days), and TIER 3 (LOW RISK — no organisational data, monitor and evaluate). Twelve tools fell into TIER 1. All twelve were in active daily use within the finance, HR, and compliance teams.
The Shadow AI Problem covers the full five-step Shadow AI containment playbook and the risk triage framework used in this audit.
Each of the 47 tools was assessed against the EU AI Act risk classification framework. The classification was documented in the AI Risk Register — a new governance artefact that became the master record for all AI tool use in the organisation. The 12 TIER 1 tools were immediately prohibited pending compliant alternatives. Employees using these tools were notified directly by the CoE Director (interim: the CTO), with an explicit explanation of the regulatory basis for prohibition and the timeline for a governed alternative.
The prohibition communications were paired with a ‘Fast Track’ tool approval process: any tool submitted for approval would receive an assessment within 5 business days. This removed the most common objection to governance programmes — that the official process is too slow to be useful — before it was raised.
The Acceptable Use Policy was drafted using the Expert AI Prompts AI Governance Framework Template as the structural foundation, adapted for the financial services regulatory context (EU AI Act + Australian Privacy Act APP 1.7 + APRA CPS 234). The policy covered: approved tool categories, prohibited behaviours, data handling requirements by tool category, the fast-track approval process for new tools, and the incident reporting protocol.
The Board reviewed and approved the AUP in Week 6 — two weeks after it was submitted. This timeline is achievable when the policy is submitted as a pre-structured, compliance-mapped document with clear rationale for each provision, rather than as a draft requiring the Board to assess regulatory interpretation from scratch. The AI Governance Framework Template provides the structural foundation that makes this timeline realistic.
The AI Governance Framework Template — the structural foundation used in this engagement — is available for download. It includes the AUP, risk classification framework, four-layer governance model, and EU AI Act, APP 1.7, and SOC 2 compliance mapping.
The CoE was structured using the four-layer governance model: Layer 1 (Strategic) — AI Governance Committee chartered with the Board's AI Risk mandate; Layer 2 (Operational) — CoE staffed with the CTO as interim director, two AI architects appointed from existing technical staff, and an external Governance and Compliance Lead engaged for 12 weeks; Layer 3 (Product) — AI Product Manager responsibilities defined and assigned to the heads of the three most AI-active functions; Layer 4 (Embedded) — Champion Network seed of three Champions, one per office, appointed and enrolled in the Tier 3 AI Skills Programme.
The CoE became operationally capable — with charter published, approved tool register active, and fast-track assessment process running — in Week 12. The total time from engagement start to operational CoE was 3 months. This was achieved by using the governance template as the starting point rather than building from a blank document.
The full four-layer CoE architecture, role descriptions, operating models, and transition timeline from centralised to federated is in the AI Centre of Excellence guide.
The Tier 1 AI Literacy programme was launched in Week 8 — before the CoE was fully operational, but after the AUP was Board-approved. Launching the programme before the prohibited list was communicated organisation-wide turned out to be a sequencing error (covered in 'What Would Be Done Differently'). The programme was self-paced, 4 hours, delivered via the existing learning management system, and tracked centrally with business unit completion dashboards.
The three Champion Network members completed the Tier 3 AI Skills Programme (40 hours over 8 weeks) from Weeks 8-16. By Week 20, the Champion Network was providing peer-level AI proficiency support in all three offices. The combination of the approved tool register, the literacy programme, and peer demonstration through Champions produced the adoption pattern that reduced shadow AI use from 93% to below 20% by Day 90.
The AI Governance Framework Template was used as the structural starting point for the AUP, the Risk Register, the four-layer governance charter, and the incident response protocol. This decision reduced the governance documentation build from an estimated 8-10 weeks of original drafting to 3-4 weeks of template adaptation and compliance mapping.
The template's value in a time-constrained compliance engagement is not primarily in the content it provides — it is in the structure it imposes. Organisations building governance documentation from scratch consistently produce documents with gaps in the regulatory cross-mapping, ambiguity in the incident classification, and missing provisions that only become visible when a real incident triggers a response. A template built to the Expert AI Prompts governance methodology covers these gaps by design.
The conventional sequencing advice is to establish governance infrastructure (CoE, charter, risk classification) before publishing the policy that references it. This was deliberately reversed: the AUP was submitted to the Board in Week 5 and approved in Week 6, before the CoE was fully chartered in Week 12.
The rationale was risk sequencing, not governance orthodoxy. The 12 TIER 1 tools created an active, increasing regulatory risk with every day of continued use. A Board-approved AUP that prohibited those tools provided the legal basis for mandatory cessation. Waiting for the CoE to be fully chartered before obtaining that authority would have meant 6 additional weeks of TIER 1 risk exposure. The AUP approval and CoE establishment were run in parallel, with the AUP providing immediate authority and the CoE providing ongoing governance infrastructure.
The governance policy is the legal authority. The CoE is the operational infrastructure. They can be built in parallel. The policy provides the mandate; the CoE executes it. Running them sequentially adds weeks of risk exposure without adding governance quality.
All results measured against the pre-engagement baseline (Q1 2026 audit). Figures reflect the state at Month 6 (end of engagement scope) unless otherwise noted.
• AI tools in use. Baseline: 47 tools in active use across organisation; 0 on approved register; no risk classification. Month 6: 8 tools on approved register; 12 HIGH RISK prohibited; 27 others not approved but monitored.
• Acceptable Use Policy. Baseline: None. Month 6: Board-approved AUP. Published Week 6. Covering all 4 EU AI Act risk tiers + APP 1.7 + APRA CPS 234.
• AI Risk Register. Baseline: None. Month 6: All 47 tools classified. 12 HIGH RISK case files created with Annex IV documentation started.
• Centre of Excellence. Baseline: None. Month 6: Fully operational Week 12. CoE Director (interim CTO). 2 AI Architects. Governance Lead. 3 Champions.
• Shadow AI rate. Baseline: 93% of AI use through personal, non-corporate accounts. Month 6: <20% personal account use at Day 90 of staff programme launch.
• AI literacy. Baseline: None (no baseline). Month 6: 94% Tier 1 AI Literacy programme completion in 12 weeks.
• EU AI Act compliance posture. Baseline: No compliance posture. Annex III tools in use with no documentation, oversight design, or registration. Month 6: Full compliance posture documented Month 5. 1 month ahead of programme deadline. Board-ready compliance report produced.
The shadow AI audit produced the most important input to the entire governance programme: a baseline that was uncontaminated by the announcement effect. The 47 tools found across the three offices represented the true state of AI use in the organisation — not the state as reported by employees after they had been told their AI use was being assessed.
• TIER 1 (HIGH RISK). Data found: Client financial data. Employment screening notes with protected attributes. Credit assessment inputs. Annex III EU AI Act trigger conditions in all 12 cases. Response: Immediate prohibition on receipt of classification. Governed alternative identified within 30 days.
• TIER 2 (MEDIUM RISK). Data found: Internal strategy documents. Client meeting summaries (no personal data). Compliance team research (internal analysis). Proprietary IP and business information. Response: Migration to approved alternatives within 60 days. Use continued under interim controls pending migration.
• TIER 3 (LOW RISK). Data found: No organisational data. Personal productivity use (grammar checking, general research, personal content creation). No direct regulatory or IP exposure identified. Response: Added to approved tool evaluation queue. 8 subsequently approved; 11 declined (no enterprise use case).
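The two mechanical parts of the audit described above, the network-traffic baseline (personal versus corporate account use per AI tool) and the three-tier triage with its 30/60-day remediation windows, as a worked example. This is added illustration code, not an artefact from the engagement or from the Expert AI Prompts framework. It assumes a simplified proxy log of the form `timestamp user@domain destination-host`; the tool hostnames, identity domains, data-category labels and log lines are all constructed sample values, not findings from the case study.

```python
"""Shadow AI audit baseline and tier triage over constructed proxy-log lines.

Added example, not part of the original case study. Assumes a proxy or
secure-web-gateway log with three whitespace-separated fields:
timestamp, authenticated account (user@domain), destination host.
The data categories each tool was found handling are what the case
study says came from interviews and the disclosure survey; they are
passed in by the caller rather than inferred from traffic.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed: destination hosts treated as AI tools for this audit.
AI_TOOL_HOSTS = {
    "chat.example-ai.com": "ExampleChat",
    "api.example-ai.com": "ExampleChat",
    "draft.example-writer.io": "ExampleWriter",
    "grammar.example-check.net": "ExampleGrammar",
}

# Constructed: identity domains that count as corporate accounts.
CORPORATE_DOMAINS = {"corp.example"}

# Data categories mapped to the three-tier framework from the case study,
# with remediation windows in days. Checked in order, so a tool that
# handles both TIER 1 and TIER 2 data lands in TIER 1.
TIER_RULES = [
    (1, 30, {"client_financial", "credit_input", "protected_attribute"}),
    (2, 60, {"internal_strategy", "proprietary_ip", "internal_analysis"}),
]

# Constructed sample log: 8 AI-tool requests (6 personal, 2 corporate),
# one non-AI request and one malformed line.
SAMPLE_LOG = [
    "2026-02-03T09:12:01 a.nguyen@gmail.example chat.example-ai.com",
    "2026-02-03T09:13:44 a.nguyen@gmail.example api.example-ai.com",
    "2026-02-03T09:20:10 b.smith@corp.example chat.example-ai.com",
    "2026-02-03T10:01:55 c.lee@outlook.example draft.example-writer.io",
    "2026-02-03T10:05:12 d.khan@corp.example grammar.example-check.net",
    "2026-02-03T10:30:00 e.ross@gmail.example grammar.example-check.net",
    "2026-02-03T11:00:00 a.nguyen@gmail.example draft.example-writer.io",
    "2026-02-03T11:05:00 f.ito@gmail.example chat.example-ai.com",
    "2026-02-03T11:06:00 b.smith@corp.example intranet.corp.example",
    "malformed line",
]


def parse_log_line(line):
    """Parse 'ts user@domain host' into a dict; None for malformed lines."""
    parts = line.split()
    if len(parts) != 3 or "@" not in parts[1]:
        return None
    ts, account, host = parts
    user, _, domain = account.rpartition("@")
    return {"ts": ts, "user": user, "domain": domain, "host": host}


def audit(lines):
    """Per-tool usage: distinct accounts, total requests, personal-account requests."""
    usage = defaultdict(lambda: {"accounts": set(), "personal": 0, "total": 0})
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["host"] not in AI_TOOL_HOSTS:
            continue  # skip malformed lines and non-AI destinations
        entry = usage[AI_TOOL_HOSTS[rec["host"]]]
        entry["accounts"].add(f'{rec["user"]}@{rec["domain"]}')
        entry["total"] += 1
        if rec["domain"] not in CORPORATE_DOMAINS:
            entry["personal"] += 1
    return dict(usage)


def personal_account_rate(usage):
    """Share of AI-tool requests made through non-corporate accounts (0.0-1.0)."""
    total = sum(u["total"] for u in usage.values())
    personal = sum(u["personal"] for u in usage.values())
    return personal / total if total else 0.0


def triage(tool, data_categories, classified_on):
    """Assign a TIER and ISO remediation deadline from the data a tool handles.

    classified_on is an ISO date string (YYYY-MM-DD). TIER 3 has no deadline:
    the tool goes to the evaluation queue and is monitored.
    """
    start = date.fromisoformat(classified_on)
    for tier, window, cats in TIER_RULES:
        if cats & set(data_categories):
            action = ("prohibit; governed alternative within window" if tier == 1
                      else "migrate to approved alternative under interim controls")
            return {"tool": tool, "tier": tier,
                    "deadline": (start + timedelta(days=window)).isoformat(),
                    "action": action}
    return {"tool": tool, "tier": 3, "deadline": None,
            "action": "add to approved tool evaluation queue"}


if __name__ == "__main__":
    usage = audit(SAMPLE_LOG)
    print(f"personal-account rate: {personal_account_rate(usage):.0%}")
    # Constructed: data categories per tool, as an interview finding would record them.
    register = {"ExampleChat": ["client_financial", "internal_strategy"],
                "ExampleWriter": ["internal_strategy"],
                "ExampleGrammar": []}
    for tool, cats in register.items():
        print(triage(tool, cats, "2026-02-03"))
```

The rate is computed from requests rather than users so that one heavy personal-account user is weighted accordingly; a per-user rate is a one-line change on the `accounts` sets. The triage deliberately returns the highest tier any category matches, because a tool seen with client financial data is TIER 1 regardless of what else it is used for.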
The most common TIER 1 finding: financial advisers drafting client recommendation documents by entering client portfolio data and objectives into personal ChatGPT accounts. No data was intentionally disclosed to third parties. But the act of entering regulated financial data into an ungoverned AI system with no data processing agreement created an APRA CPS 234 information security obligation the organisation could not meet.
Why banning personal AI use is not the right response to TIER 1 shadow AI findings — and what is — is covered in Banning ChatGPT Is Not Working: The Enterprise AI Response That Actually Works.
The governance engagement documented in this case study produces three strategic findings that are generalisable beyond the financial services context. These are the principles that appear consistently across governance engagements regardless of industry or regulatory framework.
The most consistent objection to AI governance programmes is that they slow deployment. This engagement demonstrated the opposite: by Month 6, the organisation had a governance infrastructure that reduced new AI tool evaluation from a weeks-long ad hoc process to a structured 5-business-day fast-track. Pre-cleared deployment pathways — the direct output of having an approved tool register and a risk classification framework — made the official programme faster to use than the shadow alternative for the first time.
Governance documentation built before scale is an architecture decision. Governance documentation built at scale in response to an enforcement event is an emergency response. The architecture decision produces pre-cleared pathways. The emergency response produces compliance theatre. The difference in deployment velocity between the two is not marginal — it is the difference between a programme that accelerates AI adoption and one that is always catching up to it.
Implication: The business case for AI governance is not regulatory risk avoidance alone. It is deployment velocity. An organisation with governance infrastructure deploys faster than one without it. Make this case explicitly to the board when requesting governance programme budget.
'The three commercial mechanisms through which AI governance produces competitive advantage — pre-cleared deployment pathways, enterprise deal velocity, and AI talent acquisition — are covered in Governance as Competitive Advantage.'
The conventional governance programme sequence puts the shadow AI audit at the end of the policy process — audit what employees are actually doing after the policy is already published. This produces a governance programme that is designed around the AI landscape that leadership imagined, not the one that actually exists.
The shadow AI audit is the first governance action because it is the only way to understand the true risk landscape before designing the governance response. An AUP written without a shadow AI audit baseline produces prohibited lists that miss the most common actual uses, and approved tool registers that do not match employee needs. The engagement documented here had a shadow AI landscape that was dramatically different from what leadership assumed: advisers using AI for client documentation was not on any pre-audit risk register. It was the single largest TIER 1 risk category.
Implication: Run the shadow AI audit before communicating the governance programme. Announce the governance programme after you have the baseline. The announcement changes behaviour. Do not let it change the behaviour before you have the baseline.
Shadow AI governance programmes that lead with the prohibited list — 'here are the tools you cannot use' — produce one reliable outcome: employees find alternative workarounds to the same need that has not been addressed. They do not stop using AI. They find different ungoverned tools to use.
The approved tool register is the governance asset that enables compliance. When employees know what they can use — and can use it easily, with clear guidance — the motivation to use ungoverned alternatives drops dramatically. In this engagement, the shadow AI rate dropped from 93% to below 20% within 90 days of the approved tool register being published and the Tier 1 literacy programme making those tools accessible. The prohibition created the boundary. The approved register created the reason to stay within it.
Implication: Publish the approved tool register and the Acceptable Use Policy in the same communication, not sequentially. Employees should learn what is approved and what is prohibited in the same moment. A communication that only prohibits, without providing an approved alternative, creates enforcement pressure without providing a governed path forward.
The governance programme that employees use is the governance programme that protects the organisation. The governance programme they ignore is compliance theatre that provides no regulatory protection at the moment it is needed.
• Announce after audit, not before. The governance programme announcement was made organisation-wide in Week 2 — before the shadow AI audit was complete. This caused approximately 15% of employees to stop using the tools they had been using, which understated the true audit baseline. In hindsight: complete the audit before any announcement. Announce the governance programme with the audit findings, the risk classification, the approved tool register, and the literacy programme all ready to launch simultaneously. The compressed 2-week announcement-to-programme timeline created confusion that required additional communication to resolve.
• Appoint Champions before publishing the AUP. The AUP was published before the Champion Network members were appointed and trained. This meant the first 6 weeks of the policy's operation had no peer-level advocates available to answer questions, demonstrate approved tools, or address the resistance that inevitably follows a governance policy communication. Champions should be identified, briefed (not fully trained — that takes 8 weeks), and visible before the policy is published.
• Build the approved tool register before the AUP, not after. The AUP was approved by the Board in Week 6. The approved tool register was published in Week 9. This created a 3-week period where employees knew what was prohibited but not what was approved — the worst possible governance communication state. The approved tool register should be built in parallel with the AUP so both can be published simultaneously.
The one decision that would be made exactly the same: running the Board AUP approval before the CoE was fully chartered. The 6 weeks of TIER 1 risk reduction that decision enabled was the
The governance methodology documented in this case study is the Expert AI Prompts AI Governance Framework, applied to a financial services context. All governance artefacts — AUP, risk classification framework, four-layer model, CoE charter, Champion Network design — are available as the Enterprise AI Governance Framework Template.
MACS CP · M.Eng.Tech · Former CTO · Federal Government Technical Operations Manager · CQUniversity Lecturer 8+ yrs