GovCompass

The AI Officer: why every organisation needs this key function

By Michel Venniker · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

The AI Officer is the organisation-wide director of responsible AI use, broader than a compliance role: it covers AI strategy, ethics, risk and literacy. The EU AI Act (Art. 26) makes the coordinating function necessary, but the need for an AI Officer extends beyond the law itself.

Five years ago, the role of Data Protection Officer (DPO) was unknown at most organisations. Today it appears in virtually every organisation chart, with a clear mandate, a structured methodology and a recognised professional community. The European legislator deliberately forced that shift through Article 37 of the GDPR.

The AI Officer follows a similar path, but is fundamentally a broader role. Where the DPO is primarily a compliance officer monitoring adherence to privacy legislation, the AI Officer is the organisation-wide director of responsible and strategic AI use. Compliance with the EU AI Act is an important part of that role, but certainly not the only part.

What makes the AI Officer broader than a compliance function?

The comparison with the CISO (Chief Information Security Officer) is illuminating. A CISO does not work solely to comply with the GDPR or NIS2; they build information security as a strategic capability of the organisation: culture, architecture, risk management and legal compliance simultaneously. The AI Officer does the same for artificial intelligence.

This means the AI Officer operates across four layers that together cover the full spectrum of responsible AI use:

Layer 1, strategy and policy

The AI Officer formulates, in collaboration with management, the organisation's AI policy: which AI applications are permitted, under what conditions, and with what ethical boundaries? This policy translates the organisation's mission and values into concrete rules for the deployment of AI. It is not a legal document, but a strategic framework that guides procurement officers, product managers, IT teams and end users.

Layer 2, ethics and values

AI systems can discriminate, manipulate and cause unintended harm, even without crossing a legal boundary. The AI Officer safeguards the ethical dimension of AI use: are the outcomes of our systems fair? Are those affected transparently informed? How do we handle algorithmic decisions that affect people? What are the consequences if the system makes a mistake? These questions require a structural ethical review process, not as a one-time project, but as an ongoing practice.

Layer 3, risk management and compliance

Here the AI Officer connects with the EU AI Act. Article 26 imposes a series of concrete obligations on deployers of high-risk AI systems: ensuring human oversight, monitoring input data, reporting incidents, requesting and retaining supplier documentation. The AI Officer coordinates compliance with all these obligations and builds the compliance dossiers a supervisory authority expects. But risk management does not stop at the law: the AI Officer also identifies operational, reputational and strategic risks that fall outside the legal definition of 'high-risk'.

Layer 4, AI maturity and culture

An AI Officer who only manages dossiers misses half the impact. The function also has an internally mobilising role: increasing AI literacy across the organisation (Art. 4 EU AI Act already mandates this), building knowledge among managers, and creating a culture in which employees dare to flag AI risks. Organisations that do this well discover risks internally, rather than through a supervisory authority or an incident.

The parallel with the DPO: similarities and differences

The AI Officer shares several structural characteristics with the DPO:

  • Broad knowledge base required: Legal knowledge alone is insufficient. Anyone taking AI governance seriously also understands how ML models work, what biases can exist in training data, and how AI architecture choices determine the risk profiles of systems.
  • Independence essential: Just as a DPO cannot be instructed by the controller in their supervisory function, the AI Officer must have the authority to contest classifications, challenge procurement decisions and halt projects when risks are insufficiently covered.
  • Can be filled internally or externally: Large organisations appoint an internal AI Officer; smaller organisations outsource the function to specialist firms. Both are legitimate, provided the mandate and powers are formally established.

The crucial difference: the DPO is a legally mandated function for a defined category of organisations. The AI Officer is, for now, not a legally mandated function, but a strategic necessity for every organisation that uses AI structurally. The EU AI Act indirectly forces the presence of someone who coordinates the obligations; the real need for an AI Officer, however, is broader than that legislation.

What does an AI Officer do concretely?

The day-to-day tasks fall into five clusters:

1. AI register and classification

The AI Officer manages the AI register, the living overview of all AI systems the organisation deploys, per department, per supplier, per intended use. The risk class for each system is determined on the basis of Article 6 and Annex III of the EU AI Act. Incorrect classification is itself a violation, and responsibility for correct classification lies with the organisation, not the supplier.

2. Compliance dossier formation

For each high-risk system, the AI Officer coordinates the construction of a compliance dossier: the deployer assessment (Art. 26), the Fundamental Rights Impact Assessment (Art. 27), supplier documentation and oversight registers. The AI Officer is not always the executor, but always the director who ensures all components are present and current.

3. Ethical review of new AI applications

For every new AI application, whether a purchased SaaS tool or an internally developed model, the AI Officer conducts a structured ethical review. Who is affected by the outcomes of this system? Are those outcomes transparent and explainable? Is there sufficient human oversight? These questions are not optional; they are the foundation for responsible AI use.

4. AI literacy and internal knowledge building

Since 2 February 2025, Article 4 of the EU AI Act has obliged organisations to demonstrably ensure that employees who work with AI are AI-literate. The AI Officer coordinates this training programme, registers who has completed which training, and ensures knowledge remains current as the technology evolves. But AI literacy goes beyond legislation: it is the foundation for an organisation that internally recognises and manages AI risks.

5. Oversight of AI in the procurement process

Many AI risks enter the organisation through the procurement chain. The AI Officer ensures that when purchasing new AI systems, the right questions are asked of suppliers: what is the risk class of this system, is a CE declaration or conformity assessment available, what do the instructions for use say? AI governance begins at the contract table, not at go-live.

Practical first steps for organisations

You do not need to wait for a definitive job description to begin. The following steps are immediately actionable:

  1. Designate a lead: Assign someone internally to take on the AI Officer role, even if it is initially a secondary responsibility. Without ownership, governance stalls at good intentions.
  2. Inventory all AI systems: Per department, per supplier, per intended use, including shadow AI (ChatGPT, Copilot, niche SaaS tools). This is the indispensable foundation for every subsequent step.
  3. Formulate an AI policy: One page is sufficient to start: which AI applications are permitted, what are the ethical boundaries, who has approval authority for new systems?
  4. Start AI literacy training: The obligation is in force now. Register training sessions and retain attendance lists (Art. 4 EU AI Act).
  5. Document every decision: Every classification, every review, every oversight action, dated and retained. This is the evidence you need at an audit.

Why the AI Officer is here to stay

The emergence of the AI Officer is not hype. It is a direct consequence of a technology that is penetrating organisations deeply, combined with legislation that is already in force. Organisations that invest now in the knowledge, the structure and the mandate are building a capability that is resilient to further regulatory changes and that radiates trustworthiness to clients, employees and supervisory authorities.

Legal references: Art. 4, Art. 26, Art. 27

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

More on Human oversight

Art. 14 EU AI Act: designing high-risk AI for human oversight

Reference

Art. 14 requires providers to design and build high-risk AI systems so that they can be effectively overseen by humans during use. The system must let an overseer understand its capabilities and limits, watch for anomalies, resist automation bias, correctly interpret outputs, decide not to use the system, and intervene or stop it through a kill switch (Art. 14(4)(e)). It is the design obligation that makes the deployer oversight duty of Art. 26.2 possible.

Art. 26.2 EU AI Act: human oversight of high-risk AI

Reference

Art. 26.2 requires deployers to ensure that the people assigned to oversee a high-risk AI system have the competence, training, and authority to do so effectively. Valid oversight is substantive, not formal: the overseer must understand the system, be trained on its limitations, and hold genuine authority to override its outputs.

Art. 27 EU AI Act: Fundamental Rights Impact Assessment (FRIA)

Reference

Art. 27 requires certain deployers (public bodies and private deployers in defined sectors such as credit and insurance) to conduct a Fundamental Rights Impact Assessment (FRIA) before deploying a high-risk AI system, examining the impact on fundamental rights and the mitigation measures.

Art. 4 EU AI Act: AI literacy obligations for organisations

Reference

Art. 4 has required organisations since 2 February 2025 to ensure a sufficient level of AI literacy among staff who operate or use AI systems, proportionate to the system and the role. It applies to all AI use, not only high-risk systems, and must be demonstrable.