The EU AI Act is moving AI governance into the operating layer
The European Commission has clarified how providers of general-purpose AI models are expected to comply with the AI Act. Its guidance says obligations for providers of GPAI models entered into application on 2 August 2025, and that the Commission’s enforcement powers enter into application from 2 August 2026, including fines.
The Commission and the AI Board also confirmed that the General-Purpose AI Code of Practice is an adequate voluntary tool for GPAI providers to demonstrate compliance. In plain terms: the regulatory discussion is no longer abstract. AI governance is becoming executable work.
Why this matters beyond model providers
Most companies reading this are not training frontier models. They are deploying AI in customer service, document processing, sales operations, compliance, finance, engineering or internal knowledge work. That does not make the governance question disappear. It changes where the work sits.
If AI is only a side-window chatbot, governance can look like procurement and acceptable-use policy. Once AI starts reading dossiers, summarising e-mails, drafting decisions, enriching tickets or preparing actions in business systems, governance becomes operational architecture.
The weak pattern: policy without runtime control
The common failure mode is familiar: a company writes an AI policy, approves a few tools, runs pilots and assumes control has been created. It has not. Policy does not tell you which source was used, which user had permission, which model handled the task, whether a human approved the output, or how to reconstruct the decision path afterwards.
That is the gap companies need to close before AI scales. Governance has to show up in the system: identity, permissions, source boundaries, model routing, evaluation, audit trails, escalation paths and clear limits on what AI may prepare versus execute.
The practical operating model
For Laava, this is the useful frame: companies need an AI operating layer. Not a slide deck. Not another isolated assistant. An operating layer connects data, methods, tools, governance, channels and agents so AI can work inside the business without losing control.
That starts with basic questions:
- Which data sources may an AI workflow use, and under which permissions?
- Which tasks are low-risk enough for automation, and which require human approval?
- Which models are allowed for which data classes and cost profiles?
- What evidence, citations, logs and review steps are required?
- Who owns the workflow after the first pilot ships?
Those questions sound less exciting than a new model announcement. They are also the difference between an AI experiment and a system that can run in production.
What companies should do now
Do not start with a compliance panic. Start with an inventory of real AI workflows: where sensitive data enters, where output influences a decision, where a tool writes back to another system, and where a human needs to remain accountable.
Then design the controls into the workflow. For document-heavy and process-heavy organisations, that means permission-aware retrieval, source citations, controlled model selection, action boundaries, logging and human-in-the-loop review. Governance becomes lighter when it is engineered into the flow instead of bolted on afterwards.
The EU AI Act is a regulatory signal, but the business point is broader. Companies that want AI-native operations need more than access to strong models. They need operating discipline around how AI uses knowledge, prepares work and connects to the systems people already rely on.