Why AI governance fails at the organisational layer, not the legal layer.

Strip away the legal language and the AI Act is asking deployers to do something deceptively simple: know what your AI systems are doing, make sure a human can override them, keep records of why decisions were made, and review all of it continuously.

None of that is a technology problem. Every item is an organisational design problem. It requires clear authority, functioning knowledge systems, and governance that survives contact with how people actually work.

Most compliance efforts start at the wrong layer. They interpret the regulation, map it to internal policy, produce documentation that demonstrates awareness. This is the layer that gets funded first because it is the layer leadership understands.

But the Act does not test whether you understood the rules. It tests whether your organisation can do what the rules require, sustainably, under real operating conditions.

Three assumptions that do not survive contact

Every compliance framework sits on assumptions about the organisation that will implement it. These three are load-bearing. In practice, all three are false.

01 — Decision authority is clear.

The Act requires human oversight of high-risk AI. But who, specifically, is overseeing AI-assisted decisions in your organisation right now? Not in the policy document. In practice. In most companies, the answer is nobody.

AI-informed decisions happen in the gaps between roles, in the shortcuts people build to get work done, in the places where "someone should probably check this" quietly became "nobody checks this."

This is the Governance Gap: the missing structural layer between AI tools and the business decisions they influence. It is not a policy failure. It is an architecture failure. The layer was never built.

02 — Knowledge stays where you put it.

The Act requires documentation, logging, and data governance. But organisational knowledge does not sit in the filing system waiting to be audited. It migrates into vendor platforms. It fragments across tools. It gets trapped in systems you cannot audit, export, or even see clearly.

If a regulator asks how a decision was made, can you reconstruct the reasoning? If a key system disappears tomorrow, what breaks?

The question is not whether you have a documentation policy. It is whether your knowledge infrastructure is governable at all.

03 — Intent survives implementation.

Leadership signs off on a governance policy. That policy becomes procedures. The procedures get interpreted by managers. The managers hand them to teams. The teams build workarounds because the procedures do not fit how their work actually flows.

By the time governance intent reaches the operational layer, it has been diluted, reinterpreted, or quietly set aside.

Not through malice. Through the ordinary physics of organisational complexity. Everyone followed the process. The process just did not survive the distance between the boardroom and the workflow.