
Do Not Build Your AI Governance on the EU AI Act Alone

  • Writer: Ryan James Purdy
  • Mar 24

Key Takeaways

  • The EU AI Act sets a legal floor, not an operating system. Key obligations phase in from February 2025 through August 2026, with some extending into 2027. Parts of the implementation timeline are still moving targets. If your governance posture is "wait for guidance," you are choosing compliance lag by design.

  • Most "bias testing" claims are theater. NIST is blunt about the measurement problem: ground truth may not exist, metrics evolve, and organizations must document what they cannot measure. Without that infrastructure, bias testing is a checkbox, not a control.

  • Mature governance requires both top-down authority and bottom-up participation. If frontline staff cannot trigger review and shape policy as systems evolve, your governance is paperwork, not a system.

  • If your governance cannot pivot faster than the external guidance cycle, you are not governing. You are waiting.

I have been back from the holidays less than a week and already my LinkedIn feed is flooded with governance frameworks, manifestos, and playbooks. Everyone has a take on AI governance in 2026 and most of it is headed in the right direction.

The problem is that the overwhelming majority of these are built on the EU AI Act, a document that is already beginning to crack under pressure. The European Commission has proposed delaying certain high-risk provisions, guidance documents are still being drafted months after rules took effect, and the codes of practice meant to clarify compliance will not be finalized until mid-2026.

That is not a criticism of the Act. That is how large regulatory projects work. But if you build your entire governance posture on a foundation that is still settling, you inherit every delay, every revision, and every gap between the rulebook and operational reality.

Any framework worth implementing in 2026 needs three things the Act alone cannot provide: clear escalation pathways, bottom-up maturity, and the ability to pivot faster than the guidance cycle.

The Timeline Problem

The EU AI Act entered into force in August 2024. But the rollout is phased, and the gaps matter.

February 2025: General provisions including AI literacy requirements and prohibited practices apply.

August 2025: General-purpose AI rules apply and EU governance structures must be operational.

August 2026: The majority of rules apply, including Annex III high-risk AI systems. Enforcement powers activate. Article 50 transparency obligations begin.

August 2027: High-risk AI embedded in regulated products under sector-specific regimes applies.

That phased rollout means institutions operating high-risk AI systems in education face a moving compliance target. Think automated grading, learning analytics, behavioral monitoring. The Commission's first draft Code of Practice on AI-generated content marking arrived December 2025. Feedback closes January 23, 2026. A second draft is expected mid-March. Finalization is not anticipated until June 2026.

Meanwhile, Reuters has reported the Commission proposed delaying some high-risk provisions to December 2027. Whether that proposal survives is uncertain. What is certain: if your governance strategy is "wait for clarity," you will wait indefinitely because classrooms do not pause for regulatory timelines.

The Bias Testing Illusion

The most common governance maturity illusion I encounter is bias testing presented as a completed control.

Frameworks routinely treat bias testing as a pre-deployment checkbox: test the model, confirm fairness, deploy with confidence. Some imply that monitoring bias in production is straightforward.

In most institutional environments, this is fantasy.

NIST's AI Risk Management Framework materials are blunt about the measurement problem: ground truth may not exist or may not be available in many contexts. Metrics development is often an institutional endeavor and may inadvertently reflect factors unrelated to actual impact. The field is evolving, and organizations must document what they cannot measure.

The NIST Playbook goes further. It presents traditional bias testing as one method among a set of complementary evaluation approaches, alongside investigating known failure modes, assessing data quality and diverse sourcing, applying public benchmarks, chaos engineering, and stakeholder feedback. Most institutions treat bias testing as the only method and skip the rest.

Bias is contextual. Fairness is not a universal metric. Ground truth is often contested. Populations change. Educational contexts shift. What counts as harm evolves. While I look forward to speaking with colleagues who are working on this issue, I have yet to see any meaningful infrastructure or even a methodology that looks like it can hold up to international scrutiny. 

If your framework does not have a clear methodology for how you will detect drift, document and evaluate allegations, escalate findings, and adapt the system when bias emerges, you do not have a control. You have a wish.

The Missing Maturity Marker

Here is what separates governance that survives from governance that collapses at first contact with reality: frontline participation.

Teachers see misuse and overreach first. Learning support staff see accessibility and equity impacts. IT sees shadow adoption and workarounds. Administrators see complaints before they become incidents.

If those people cannot materially influence policy, your governance is top-down paperwork that lags the system it claims to control. Not as a one-time consultation. Not as training recipients. As co-governors of the operating reality.

The EU governance structure acknowledges this partially. The Advisory Forum includes diverse stakeholders. National authorities have formal information rights. But the architecture is hierarchical: AI Office, national authorities, Board, with advisory input layered underneath.

What most institutions lack is the internal equivalent: mechanisms that turn frontline observations into policy decisions.

Top-down governance provides authority. Bottom-up governance provides sensing and adaptation. You need both to survive this decade.

What Pivot-Capable Governance Looks Like

If you are evaluating a governance framework in 2026, ask a brutal operational question: does it contain a change engine?

A change engine turns frontline signals into leadership decisions and turns those decisions into updated practice. At minimum, it requires an inventory of tools and use cases that is actually maintained, named ownership with authority to pause or retire tools, an escalation pathway staff can use without political risk, a review cadence faster than the external guidance cycle, and an evidence trail documenting what was decided, why, and what changed afterward.

That is governance you can run. It is exactly what purely top-down, AI-Act-only governance tends to miss.

The frameworks floating down my feed this week share a common flaw: they treat governance as a document to finalize rather than a system to run. They map use cases to the AI Act, check the bias testing box, and call the result "governance."

It is not. Regulation sets the floor. You build the house.

If you want a governance system designed for bottom-up implementation, with escalation pathways, vendor audit protocols, incident response frameworks, and 60-day pilot calendars already built, Stop-Gap AI Compliance Guide provides a complete AI Compliance Operating System. It includes over thirty ready-to-use forms and templates aligned with GDPR, FERPA, COPPA, PIPEDA, and the EU AI Act. Available now on Amazon.

For institutions that need independent assessment of their current governance posture, I offer Assurance Advisory services: targeted reviews that identify compliance gaps, evaluate operational readiness, and provide actionable recommendations without long-term consultant dependency. If you want to know whether your governance can actually pivot, reach out directly.

About the Author

Ryan James Purdy is an AI governance and compliance advisor with nearly 30 years of experience across public and private education in North America, Europe, and South America. He is the author of the Stop-Gap AI Policy Guide series and founder of Purdy House Publishing & AI Consulting. His frameworks have reached education leaders, ministers, and policy experts worldwide, including UNESCO advisors and government officials across multiple continents.

LinkedIn: @purdyhouse

References

European Commission. (2024, August 1). AI Act enters into force. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai

European Commission. (2025, December 17). First draft Code of Practice on AI-generated content marking and labelling.

EU AI Act Service Desk. (2025). Implementation timeline. https://artificialintelligenceact.eu/implementation-timeline/

NIST. (2023). Artificial Intelligence Risk Management Framework (AI RMF 1.0). https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf

NIST AI Resource Center. (2025). AI RMF Playbook: MEASURE Function. https://airc.nist.gov/airmf-resources/playbook/measure/

Reuters. (2025). EU proposes delay to some AI Act high-risk provisions.

 
 
 
