Compliance Blog #11: AI compliance & AI Act — preventive advice for responsible AI governance

From contract analysis to selection in recruiting and all the way to risk assessment — artificial intelligence has long been part of day‑to‑day operations in most companies: AI systems prepare decisions that can directly affect liability and reputation. Precisely because many applications were introduced quickly, clear responsibilities, reliable governance structures and guidelines that provide a safe framework for the use of AI are often lacking.

But that is precisely what is required: the EU AI Act (AI Regulation) shifts the use of AI out of the IT sphere and into the responsibility of corporate management. The use of AI becomes a matter of proper corporate governance and management liability — with direct implications for managing directors, executive boards and supervisory boards. For decision‑makers, the question is therefore no longer whether they need to address AI compliance, but how they can manage AI‑related risks proactively, in a structured, scalable and liability‑conscious manner while leveraging the opportunities that AI offers.

1. Legal framework: EU AI Act

    The EU AI Act establishes a risk‑based legal framework for the development, provision and use of AI systems in the EU. It distinguishes in particular between prohibited AI practices, high‑risk AI systems, systems subject to transparency obligations and applications with low risk. The legal assessment therefore does not primarily depend on the technology itself, but on the specific area of application and the company’s responsibility when developing, providing or using the system.

    High‑risk AI systems are particularly relevant for companies, for example in HR processes, critical infrastructure, education, creditworthiness assessments, safety components or regulated products. In these areas, requirements apply regarding risk management, data quality, technical documentation, logging, transparency, human oversight and accuracy. In addition, conformity assessment procedures must be integrated into product and liability strategies.

    Ensuring an adequate level of AI competence among individuals who operate or use AI systems on behalf of the organisation is also essential. The obligation often referred to as “AI Act training” or “AI Regulation training requirement” is not an annex, but an independent component of effective AI compliance: without training and governance structures, it will be difficult to demonstrate proper organisational arrangements.

    At the same time, AI compliance does not end with the EU AI Act. Data protection, trade secret protection, labour and anti‑discrimination law, product liability, information security, ESG compliance and criminal‑law organisational duties remain relevant. The new European product‑liability architecture also broadens the perspective on software, digital products and AI‑supported functions. As a result, technical documentation, vendor assessment and conformity evaluation become more important from a liability‑strategy standpoint as well.

    AI compliance should therefore not be understood as an isolated specialist field, but as a cross‑cutting task of overall compliance.

    2. Risk landscape and typical errors in the use of AI

    The key risks do not arise from “AI as such”, but from its uncontrolled use, lack of governance and incorrect assumptions about responsibilities. In practice, similar patterns can be observed again and again.

    A typical mistake is the use of generative AI without a regulated approval process. Employees use freely available tools and enter contract data, customer data or confidential strategy documents without being able to assess the data‑protection and trade‑secret implications. What appear to be efficiency gains quickly turn into compliance violations.

    A second risk area is the use of AI in HR processes. AI‑supported applicant selection, performance evaluations or profiling can produce indirect discriminatory effects, even when the system appears formally neutral. Without reliable documentation, explainable AI and human oversight, not only individual‑rights consequences but also regulatory and reputational repercussions may follow.

    Lack of documentation and strategic misjudgements

    A third mistake lies in the lack of traceability. When business‑critical decisions are based on AI outputs but neither the data basis nor the model logic, weighting or control mechanisms are documented, technological efficiency turns into a liability risk. Management liability and criminal responsibility come into focus as soon as the question arises whether appropriate organisational, selection and supervisory duties have been fulfilled.

    Particularly risky are strategic misjudgements: for example, the assumption that AI compliance concerns only providers and developers but not user companies, or the belief that data‑protection compliance covers all AI‑related risks. In reality, topics such as bias, fairness, product safety, explainable AI, governance, internal investigations and criminal‑law preventive advice go far beyond data protection: they affect the entire compliance organisation.

    3. Strategic classification: AI governance, management duties and ESG

    From a governance perspective, AI compliance is a management decision. The management must determine which AI systems may be used, in which processes they are applied, which data are permissible, how human oversight is structured and which escalation paths apply in the event of a malfunction. These questions affect corporate culture, management duties and liability minimisation in equal measure.

    For medium‑sized companies, the key question is how AI governance can be integrated into existing structures without creating a parallel system. A practical approach is to link it to existing compliance management systems, data‑protection processes, procurement approval workflows, IT‑security standards and training programmes. In this way, AI compliance can be established as an independent yet embedded module of overall compliance.

    In corporate groups, AI risks are often more widely dispersed. Here, questions regarding group‑wide minimum standards, an AI inventory, risk classifications, AI audits and group‑wide reporting and escalation paths come to the forefront. Interfaces with Legal, Compliance, Data Protection, HR, IT Security, Internal Audit and ESG must be defined and implemented operationally. An AI management system based on standards such as ISO/IEC 42001 can help structure responsibilities, processes, risk management and continuous improvement – but it does not replace legal and criminal‑law preventive advice.

    AI deployment as an ESG criterion and the role of concrete guidelines

    From an ESG perspective, the use of AI has long been a governance and social issue. Questions of fairness, non‑discrimination, transparency, accountability and the environmental impact of AI systems are becoming increasingly relevant in ESG ratings, reporting and stakeholder dialogues. Companies that use AI without governance structures and ethical guidelines risk failing to meet not only legal but also ESG‑related expectations of investors, supervisory authorities and the public.

    AI guidelines should therefore not only formulate abstract values, but provide concrete decision‑making guidance: Which data may not be used? In which processes is a purely automated decision excluded? When is human review mandatory? Which uses of AI contradict the corporate culture, even if they would be technically possible? Only once these questions are answered operationally do ethical guidelines become an effective governance instrument.

    4. Recommendations for action: preventive advice as a steering instrument

    Companies should not view AI compliance as a one‑off legal review, but as an ongoing prevention and steering project. Two points are particularly suitable for clear prioritisation:

    Establishing structural foundations

    • Systematic collection of an AI inventory: Which AI systems are used where, which data are processed, which decisions are made or prepared?
    • Risk classification according to the deployment context and the AI Act risk categories, with particular attention to prohibited practices, high‑risk AI systems and transparency obligations.
    • Definition of roles, responsibilities and approval processes – including a clear allocation of responsibilities within management, the business units, Compliance and IT.
    • Development of a company‑wide AI policy that regulates the use of generative AI, permissible data categories, human oversight, documentation and escalation paths.
    • Development of a training concept that integrates the requirements of the AI Regulation with existing compliance training structures and addresses target groups according to function and risk.

    Linking prevention, response and investigative capability

    • Integration of AI compliance into existing risk‑management and compliance‑management systems.
    • Anchoring AI‑related aspects in supplier and service‑provider management, particularly in the selection and contractual integration of AI providers.
    • Implementation of a response and crisis‑management concept for AI‑related incidents – from erroneous decisions to data‑protection breaches to discriminatory outcomes.
    • Establishing clear processes for internal investigations in cases of suspicion, in order to clarify the facts quickly, in a legally sound manner and with an open outcome.
    • Regular review and adjustment of AI governance and ethical guidelines to technological, regulatory and corporate‑strategic developments.

    For small and medium‑sized enterprises, a focused entry via an AI compliance check with an inventory, risk prioritisation, immediate measures and a lean but binding AI policy is recommended. Larger companies should additionally implement a formal AI governance system with audit mechanisms, reporting lines and consistent group‑wide standards.

    5. Why preventive advice and why Pragal Rechtsanwälte?

    Experience from compliance, internal investigations and business criminal law shows: the biggest mistake in dealing with AI lies in involving compliance only once a tool is already in productive use or the incident has already occurred. Preventive advice creates the basis for designing AI use in a legally sustainable, organisationally manageable and criminal‑law‑secured manner – before supervisory or criminal proceedings restrict the room for manoeuvre.

    Pragal Rechtsanwälte combines several perspectives for this purpose: the firm advises companies comprehensively in the area of compliance and corporate governance, with a focus on the structural design and review of compliance‑management systems as well as the integration of regulatory requirements – for example in connection with ESG or the use of artificial intelligence. In addition, Pragal Rechtsanwälte has particular experience in the conception and conduct of internal investigations, criminal‑law due diligence reviews and crisis management, especially in compliance and criminal‑law crises.

    Lawyer Kristina Konrad is not only a certified compliance officer (Univ.) but also a certified AI compliance officer. She brings many years of in‑house experience in the legal, compliance and corporate‑governance departments of large and mid‑sized companies and knows the decision‑making and operational logics on the corporate side first‑hand. Her focus lies on the establishment, implementation and further development of compliance‑management systems, corporate‑governance structures and internal investigations – including the integration of AI compliance into existing structures.

    Dr Oliver Pragal complements this governance and compliance perspective with recognised expertise in business and tax criminal law, in corporate defence, in cross‑border investigations and in strategic crisis management. For companies, this combination is practically relevant because AI compliance is assessed not only from a regulatory perspective but also in terms of potential investigation risks, management liability and criminal‑law prevention. The result is advice that links prevention, investigation readiness and the ESG perspective and provides decision‑makers with reliable guidance.

    6. Conclusion: AI requires leadership – preventive advice makes the difference

    AI compliance & AI Act are not specialist topics for the technically inclined, but core issues of modern corporate management. Anyone who uses AI in a company must be able to explain in a comprehensible manner which systems are used, on what data basis they operate, who bears responsibility and how undesirable developments are prevented or investigated. Governance structures, ethical guidelines and effective preventive advice form the basis for this.

    The decisive question is therefore no longer whether the AI Regulation applies to one’s own company. What matters is which AI governance structure is necessary to use innovation in an economically meaningful and at the same time legally compliant manner – and how management‑liability and criminal‑liability risks can be minimised in advance.

    Those who structure AI compliance at an early stage do not only gain regulatory certainty. They create decision‑making capability: vis‑à‑vis supervisory authorities, business partners, investors and their own corporate bodies. Preventive advice is therefore not a brake on AI innovation, but its legal and organisational prerequisite.

    FAQ on AI compliance, AI Act and preventive advice

    AI compliance refers to the legally compliant, transparent and responsible use of AI systems within a company. It includes in particular risk assessment, data protection, protection of trade secrets, documentation, human oversight, training, ethical guidelines and clear responsibilities. The aim is to align the use of AI with legal requirements, governance demands and the company’s internal values.

    The AI Act regulates the development, provision and use of AI systems on the basis of a risk‑based approach. Prohibited practices and high‑risk AI systems are subject to particularly strict requirements; in addition, there are transparency, documentation and training obligations. For companies, this means that they must clearly determine their role in the AI lifecycle and the context in which the systems are used, and must implement the resulting obligations in a structured manner.

    Even companies that merely use AI, rather than develop it, can be subject to obligations as operators of AI systems. What matters are the role, area of application and risk profile of the respective system. Anyone who uses AI, for example in HR, creditworthiness assessment, critical infrastructure or safety‑relevant products, quickly enters the area of high‑risk AI with corresponding requirements for governance, documentation and human oversight.

    As soon as AI influences business‑critical processes, dealing with it becomes part of the organisational and supervisory duties of management and supervisory bodies. It is not sufficient to simply “let AI applications run”. What is required are deliberate decisions on areas of application, approval processes, controls, escalation paths and responsibilities. If these duties are neglected, management liability and criminal responsibility may arise in the event of a crisis.

    Ethical guidelines concretise legal and governance requirements and make expectations regarding fairness, non‑discrimination, transparency and accountability tangible for employees and service providers. They are therefore a central component of AI governance and ESG compliance. Without clearly formulated guidelines, the use of AI in practice risks fragmenting into individual assessments, which significantly complicates controllability and liability minimisation.

    Criminal‑law‑oriented preventive advice analyses whether the organisation, selection and supervision of AI use are structured in such a way that business‑criminal‑law risks are minimised. It particularly includes questions of corporate defence, internal investigations and dealing with investigative authorities. Especially for AI systems with interfaces to regulated areas or critical infrastructure, this perspective can be decisive in preventing crises or at least keeping them controllable.

    Companies should first create transparency about their actual use of AI. The starting point is an AI inventory that records which systems are used in which departments, which data is processed and whether AI makes or prepares decisions. Building on this, risk classes, responsibilities, approval processes, training needs and requirements for the use of generative AI should be defined. Especially for mid‑sized companies, a pragmatic AI compliance check is recommended, which prioritises immediate measures and creates a lean but binding governance structure.

    AI audits help companies to regularly review the use of AI systems and to make that use documentable. They can in particular clarify whether risk classifications are up to date, provider obligations have been sufficiently taken into account, technical documentation is available, human oversight is functioning and ethical guidelines are actually being complied with. An AI audit does not replace a legal assessment of individual cases, but it can be an important component of a robust compliance‑management system and support management bodies in demonstrably fulfilling their organisational and supervisory duties.