Dr Lee Schlenker’s Playbook For Boards Before EU AI Act’s Enforcement

Professor and Governance Arc architect Dr Lee Schlenker explains how boards can turn Articles 9, 12 and 14 into a portable governance capability that accelerates agentic AI, instead of slowing it down.


As the EU AI Act’s August 2026 enforcement date approaches, most enterprises are still fixated on the obvious question: how much will compliance cost? For Dr Lee Schlenker, that is the wrong place to start. The Professor of Business Analytics and Director of the Business Analytics Institute has spent the last decade advising regulated organisations on how to turn AI governance from a necessary overhead into a durable source of advantage.

Schlenker is the architect of the Governance Arc, a three‑move framework for regulated enterprises navigating the EU AI Act, co‑developed with Kore.ai’s Cathal McCarthy and set out in a new white paper aimed squarely at C‑suites and boards. Rather than treating Articles 9, 12 and 14 as a checklist, the Governance Arc asks leaders to design governance architecture — the way an organisation decides, learns and adapts — so that it compounds over time, enabling faster, safer deployment of successive agentic use cases.

In our interview, Schlenker argues that governance maturity behaves more like capital adequacy under Basel III than a one‑off compliance project: once built, it depreciates slowly and can be leveraged repeatedly, from pricing decisions to new product launches. He explains why “The Reckoning” begins with an unflinching view of your true governance position before regulators force the issue, why “The Crossing” is about closing structural gaps exposed by agentic AI rather than adding more policy slides, and how “The Advantage” is reached when your governance architecture becomes a barrier to entry for competitors who treated the Act as a box‑ticking exercise.

You’ve framed the Governance Arc as a three‑move strategic sequence that treats the EU AI Act as an opening for durable advantage rather than a compliance tax. If you had to explain that mindset shift to a sceptical CFO in two minutes, what would you say?

Let’s start with what a CFO already knows: Basel III. When capital adequacy rules arrived, every bank paid the same compliance cost. Some of them built risk architectures that went beyond the minimum — and those institutions compounded that investment over the following decade into pricing advantages, faster credit decisions, and the ability to move into new product categories their competitors couldn’t access. The regulation was identical. The strategic outcome was not.

The EU AI Act creates the same fork in the road. Every organisation subject to Annex III faces the same compliance floor: document your systems, log your decisions, build human oversight mechanisms, manage your risk. The CFO is right to ask what that costs. The better question is: what does it compound into?

Governance architecture — the way an organisation decides, learns, and adapts — is separable from governance policy, which is simply what rules it follows. Two organisations can be identically compliant with Articles 9, 12, and 14, and one of them will be able to deploy the next agentic use case in six weeks while the other takes six months. That speed differential is not a technical advantage. It is a governance advantage. It was built before the use case arrived, and it depreciates slowly. That is the definition of a compounding asset.


The Governance Arc’s three moves — The Reckoning, The Crossing, The Advantage — are not a compliance checklist. They are a sequenced capability strategy. The Reckoning is knowing your real governance position before a regulator or an incident forces the question. The Crossing is closing the structural gaps that agentic AI reveals. The Advantage is the point at which your governance architecture becomes a barrier to entry for competitors who skipped steps one and two. That logic holds whether an organisation is subject to the EU AI Act, the UK’s principles-based AI framework, or the emerging US federal guidelines — the architecture is jurisdiction-portable because it is built around governance fundamentals, not regulatory specifics.

In your series on the Governance Arc, the first move — “The Reckoning” — is about knowing your real governance position before regulators or auditors force the question. What have you learned about the most common blind spots in that reckoning for enterprises that already have agentic systems in production?

The most dangerous blind spot is scope drift. An organisation deploys an Annex III system, documents it carefully, and files the Article 9 risk assessment. Eighteen months later, three things have changed: the system has new data inputs, it has been extended from internal decision-support to customer-facing output, and the original risk boundary no longer describes what the system actually does. None of those changes triggered a new assessment, because no one was assigned the policy layer question: what operational change constitutes a lifecycle event?

That role — the person who owns the boundary between what the system currently does and what the risk documentation says it does — is the most frequently unassigned governance role we encounter. It is not a technical role. It is not a legal role. It is a governance design decision, and in most organisations it has been borrowed from whoever built the system or approved the budget. That borrowing arrangement ends at examination.

The second blind spot is monitoring cadence. Organisations calibrate their AI oversight to human reporting cycles: weekly dashboards, monthly exception reports, quarterly board packs. An agentic system making sequential decisions at production throughput produces thousands of decision cycles in the time between those reports. The reckoning requires asking not whether you have monitoring, but whether your monitoring cadence matches your agent’s action cadence.


The third, and least visible, is the gap between the mechanism and the exercise. Every organisation we work with has an Article 14 human override mechanism on paper. Almost none of them have exercised it under realistic operating conditions — with live data flows, actual downstream consequences pending, and a documented record of who intervened and what the outcome was. A mechanism that has never been exercised under realistic conditions is nominal, not functional. The reckoning is partly the discipline to ask: when was this last tested in a way that would satisfy an examiner?

The board either owns the policy layer or it is borrowed from whoever builds the system. August 2 is when the borrowing arrangement ends.

Many boards are still treating AI risk as an extension of traditional IT risk, rather than as a new category that cuts across conduct, model, and data risk. What’s a governance question you wish every board chair would ask their executive team before 2 August 2026?

The question would be: has the board set risk appetite for emergent behaviour?

Boards set risk appetite — it is the foundational governance decision that all other risk decisions reference. For every technology a board has previously approved, risk appetite could be set for specified behaviours: actions the system was designed to take, under defined conditions, within defined parameters. Agentic systems will take actions that were not specified in advance. They find efficient paths to their authorised objective that no one anticipated at deployment. That is not a defect. It is the property that makes them powerful.

A board that has not set risk appetite for emergent behaviour has not yet made the foundational governance decision that all of the controls below it depend on. The Article 14 override mechanism, the Article 9 risk assessment, the Article 12 logging architecture — all of them are downstream of a board-level decision about what the organisation is and is not prepared to accept when the system does something unexpected.


The follow-on question — equally important — is: who is the named executive who owns the policy layer between the system’s capability and the business outcome? Not who built the model. Not who approved the budget. The person who owns the outcomes the system was not designed to produce. If the board cannot name that person for each of its Annex III agentic systems, it does not yet own the governance layer. It has borrowed it from engineering.

You’ve emphasised that the Governance Arc is designed to “travel” — across jurisdictions, supervisory examinations, and the EU AI Act’s 2028 review cycle. What design principles make a governance capability genuinely portable rather than over‑fitted to one regulator or one internal policy cycle?

The key design principle is to build for governance architecture, not governance policy. Policy answers the question: what rules do we follow? Architecture answers the question: how do we decide, learn, and adapt? A governance architecture built around Article 9 of the EU AI Act specifically is over-fitted by construction. It will require rebuilding for the Act’s 2028 review, for any non-EU jurisdiction, and for any supervisory authority that asks a question the regulation does not specify.

The three structural requirements that emerge from the Three Agentic Gaps — explicit authority boundaries, reasoning-chain logging, and named outcome ownership — are not EU AI Act requirements. They are what governance of any autonomous system requires, at any level of maturity, under any regulatory framework. Consider a UK financial institution not subject to the EU AI Act: it still needs to know what actions its agents are authorised to take, and it still needs a logging architecture that can reconstruct a decision sequence under FCA examination. Or a US asset manager building toward the SEC’s emerging AI disclosure guidance: the same reasoning-chain logging that satisfies Article 12 is precisely what that examination will require. These are not compliance artefacts. They are governance fundamentals that happen to satisfy multiple regulatory frameworks simultaneously.

The second principle is to build for production from the first deployment. A governance architecture designed for a controlled-scope pilot will not survive the transition to business-as-usual scale — because the conditions that expose governance gaps are precisely the conditions a pilot is designed to exclude. Portability is not about being jurisdiction-neutral. It is about being built for the conditions that matter: live data flows, production throughput, unexpected decision sequences, and a supervisory examination request that arrives with seventy-two hours’ notice.

In chess, every player faces identical rules. Strategy is the sole differentiator. The organisations that will have portable governance capability are not the ones that read the rules most carefully. They are the ones that have built the decision-making architecture to play the game well regardless of which board they sit down at.


Agentic AI systems complicate the traditional “input/output” way of thinking about compliance because they act, adapt, and learn over time. How should firms re‑think evidence, audit trails, and “explainability” when their systems are constantly re‑configuring themselves?

The input/output model of compliance was designed for systems that produce outputs for human review. An agentic system does not wait for review. It pursues a goal across multiple steps, each of which may commit resources, trigger external actions, or modify the context for the next step. By the time any human reporting cycle would flag an anomaly, the consequences are already downstream.

The implication for evidence and audit trails is that the governance question is no longer only ‘was the outcome correct?’ It is ‘did the system reach that outcome through a process we authorised?’ Those are different questions, and they require different log architectures. Output logging — capturing the final decision, the response returned — cannot answer the second question. What is required is reasoning-chain logging: the sequence of intermediate decisions, tool calls, and data inputs at every step. The log schema has to be queryable for post-hoc supervisory reconstruction, not assembled after the fact from partial records.

The compounding problem is that for agentic systems, the data governance trail of Article 10 must be reconstructable from the Article 12 log. Two separate articles are satisfied by a single log architecture. That compound reading appears in no published guidance, but it is precisely what supervisory examination has tested in practice. An organisation whose logging architecture was designed to satisfy each article independently will fail the examination that tests them together.

For explainability specifically, the target shifts from ‘why did the model produce this output?’ to ‘why did the system take this sequence of actions?’ That is a runtime question, not a model question. It requires an execution architecture where the reasoning trace is produced by construction — built into the orchestration layer from the first deployment — rather than assembled retrospectively from partial logs.

The deeper implication is that explainability is an organisational commitment, not a technical feature. It requires three named decisions — explicit authority boundaries, reasoning-chain logging, and a policy layer owner — all made before deployment, not after an incident. The organisations that make those decisions early will have the evidence architecture that an examination requires. The others will discover the gap at the worst possible moment.
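As an added illustration, not taken from the interview or the Governance Arc white paper, of what a reasoning-chain log that is queryable for post-hoc reconstruction can look like: each record captures the intermediate decision, the tool called and the data inputs for one step, so the same log answers both the Article 12 question (what sequence of actions was taken, and was it within the authorised boundary) and the Article 10 question (which data sources fed the chain). The log lines, the authority boundary and the tool names are constructed assumptions for the example.

```python
import json

# Hypothetical authority boundary for one agent: the tools it may call and the
# data sources it may read. Constructed for illustration, not a real schema.
AUTHORITY = {
    "tools": {"lookup_account", "draft_notice"},
    "data_sources": {"crm", "kyc"},
}

# Constructed reasoning-chain log (JSON lines), one record per intermediate
# step, written by the orchestration layer at runtime rather than after the fact.
LOG_LINES = """
{"trace":"t-1","step":1,"decision":"check customer status","tool":"lookup_account","inputs":["crm"],"actor":"agent"}
{"trace":"t-1","step":2,"decision":"draft notice","tool":"draft_notice","inputs":["kyc"],"actor":"agent"}
{"trace":"t-1","step":3,"decision":"release notice","tool":"send_email","inputs":["crm","marketing"],"actor":"agent"}
{"trace":"t-1","step":4,"decision":"halt send","tool":null,"inputs":[],"actor":"human:j.doe"}
""".strip()

def parse_log(text):
    return [json.loads(line) for line in text.splitlines()]

def reconstruct(records, trace_id):
    """Article 12 view: the ordered decision sequence for one trace.
    Refuses to reconstruct if a step is missing, so a gap cannot be papered over."""
    steps = sorted((r for r in records if r["trace"] == trace_id), key=lambda r: r["step"])
    if [s["step"] for s in steps] != list(range(1, len(steps) + 1)):
        raise ValueError(f"gap in reasoning chain for trace {trace_id}")
    return steps

def data_trail(steps):
    """Article 10 view derived from the same log: every data source the chain consumed."""
    return sorted({src for s in steps for src in s["inputs"]})

def unauthorised_steps(steps, authority):
    """Flag steps whose process (tool or data input) fell outside the authorised
    boundary, independent of whether the final outcome looked correct."""
    findings = []
    for s in steps:
        if s["tool"] and s["tool"] not in authority["tools"]:
            findings.append((s["step"], f"tool {s['tool']} outside authority"))
        for src in s["inputs"]:
            if src not in authority["data_sources"]:
                findings.append((s["step"], f"data source {src} outside authority"))
    return findings

def human_interventions(steps):
    """Evidence that the Article 14 override was actually exercised: who intervened, at which step."""
    return [(s["step"], s["actor"]) for s in steps if s["actor"].startswith("human:")]
```

Running `unauthorised_steps` over a reconstructed trace shows the distinction the answer draws: step 3 of the constructed log reaches a plausible outcome through a tool and a data source the board never authorised.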


Anushka Pandit
Anushka is a Principal Correspondent at AI and Data Insider, with a knack for studying what's impacting the world and presenting it in the most compelling packaging to the audience. She merges her background in Computer Science with her expertise in media communications to shape tech journalism of contemporary times.
