Laava LogoLaava
Back to news
News & analysis

The EU AI Act turns AI governance from policy into operating work

The European Commission says GPAI obligations are already in application and its enforcement powers apply from 2 August 2026. For companies using AI in real workflows, the practical lesson is simple: governance cannot live in a PDF. It needs to be part of data access, model choice, workflow design, logging and human approval.

Why this matters

News only becomes relevant when you can translate what it means for process, risk, investment, and decision-making in your own organization.

The EU AI Act is moving AI governance into the operating layer

The European Commission has clarified how providers of general-purpose AI models are expected to comply with the AI Act. Its guidance says obligations for providers of GPAI models entered into application on 2 August 2025, and that the Commission’s enforcement powers enter into application from 2 August 2026, including fines.

The Commission and the AI Board also confirmed that the General-Purpose AI Code of Practice is an adequate voluntary tool for GPAI providers to demonstrate compliance. In plain terms: the regulatory discussion is no longer abstract. AI governance is becoming executable work.

Why this matters beyond model providers

Most companies reading this are not training frontier models. They are deploying AI in customer service, document processing, sales operations, compliance, finance, engineering or internal knowledge work. That does not make the governance question disappear. It changes where the work sits.

If AI is only a side-window chatbot, governance can look like procurement and acceptable-use policy. Once AI starts reading dossiers, summarising e-mails, drafting decisions, enriching tickets or preparing actions in business systems, governance becomes operational architecture.

The weak pattern: policy without runtime control

The common failure mode is familiar: a company writes an AI policy, approves a few tools, runs pilots and assumes control has been created. It has not. Policy does not tell you which source was used, which user had permission, which model handled the task, whether a human approved the output, or how to reconstruct the decision path afterwards.

That is the gap companies need to close before AI scales. Governance has to show up in the system: identity, permissions, source boundaries, model routing, evaluation, audit trails, escalation paths and clear limits on what AI may prepare versus execute.

The practical operating model

For Laava, this is the useful frame: companies need an AI operating layer. Not a slide deck. Not another isolated assistant. An operating layer connects data, methods, tools, governance, channels and agents so AI can work inside the business without losing control.

That starts with basic questions:

  • Which data sources may an AI workflow use, and under which permissions?
  • Which tasks are low-risk enough for automation, and which require human approval?
  • Which models are allowed for which data classes and cost profiles?
  • What evidence, citations, logs and review steps are required?
  • Who owns the workflow after the first pilot ships?

Those questions sound less exciting than a new model announcement. They are also the difference between an AI experiment and a system that can run in production.

What companies should do now

Do not start with a compliance panic. Start with an inventory of real AI workflows: where sensitive data enters, where output influences a decision, where a tool writes back to another system, and where a human needs to remain accountable.

Then design the controls into the workflow. For document-heavy and process-heavy organisations, that means permission-aware retrieval, source citations, controlled model selection, action boundaries, logging and human-in-the-loop review. Governance becomes lighter when it is engineered into the flow instead of bolted on afterwards.

The EU AI Act is a regulatory signal, but the business point is broader. Companies that want AI-native operations need more than access to strong models. They need operating discipline around how AI uses knowledge, prepares work and connects to the systems people already rely on.

Translate this to your operation

Determine where this affects you first for real

The practical question is not whether this news is interesting, but where it directly changes your process, tooling, risk, or commercial approach.

Related Laava approach: AI integration gateways

First serious step

From news to a concrete first route

Use market developments as context, but make decisions based on your own operation, systems, and risk trade-offs.

No commitment to build. You get a concrete route, risk readout, and an honest view of where AI is not needed.

Included in the first conversation

Assess operational impactSeparate relevant risks from noiseDefine the first route
Start with one process. Leave with a sharper first route.
The EU AI Act turns AI governance from policy into operating work | Laava News