Europe's AI Governance Challenge: How Distributed Innovation Is Outpacing Regulation
Europe's AI governance challenge is no longer about writing rules; it's about enforcing them across organizations where AI adoption has become decentralized and often invisible to compliance teams. At the AIGG Europe 2026 conference in Dublin last week, practitioners and regulators revealed a critical gap: while policymakers finalized the EU AI Act and its recent Omnibus revisions, real-world AI deployment has fragmented into what experts call "distributed innovation" and "shadow AI," creating compliance blind spots that traditional governance structures cannot address.
What Is "Shadow AI" and Why Should Organizations Care?
Shadow AI refers to artificial intelligence tools that employees adopt independently, often without formal approval or documentation from their organization's technology governance teams. This happens in two ways: business units deploy AI tools ahead of formal governance structures, and employees purchase low-cost subscriptions like monthly software-as-a-service (SaaS) tools outside the technology governance process entirely. The scale of this problem has grown dramatically because modern AI platforms offer broad capabilities with minimal guardrails, making it easy for anyone to adopt them without oversight.
The risks are substantial and multifaceted. During a panel discussion at the conference, experts identified several critical vulnerabilities:
- Inconsistent Standards: Different business units may use different AI tools with varying safety features and compliance requirements, creating fragmented risk profiles across the organization.
- Undocumented Models: Shadow AI deployments often lack documentation about which models are being used, how they were trained, or what data they process, making audits nearly impossible.
- Liability Gaps: When AI systems operate outside formal governance, responsibility for failures becomes unclear, potentially exposing organizations to legal and regulatory consequences.
- Erosion of Human Oversight: The EU AI Act and basic risk management principles require meaningful human oversight, but shadow AI deployments often eliminate this safeguard entirely.
Randstad Director Global Legal and Responsible AI Martin Woodward led a discussion with BCG Partner and Managing Director Anne Kleppe, Coinbase Ireland Chief Risk Officer Melissa Longmore, and Bird & Bird Partner Vincent Rezzouk-Hammachi on this vital topic. They shared that the risks are real and growing.
How Can Organizations Distribute Governance as Fluidly as Innovation?
Rather than attempting to slow AI adoption, panelists argued that organizations need to distribute governance structures to match how innovation has become distributed. This requires a fundamental shift in how companies think about compliance and risk management. The traditional approach of centralizing AI governance in a single compliance team no longer works when AI tools are spreading across multiple departments simultaneously.
- Shift-Left Approach: Inspired by practices in hardware engineering, organizations should set guardrails in real time while building solutions, rather than waiting for post-deployment reviews. This means embedding compliance checks into the development process itself.
- Cross-Functional Communities of Practice: Instead of concentrating AI governance expertise in one team, organizations should build internal communities where lessons from early deployments are shared across functions, creating a collective learning environment.
- Safety-First Culture: Create an environment where practitioners feel empowered to surface problems before they become incidents, rather than hiding issues to avoid delays or scrutiny.
- AI Literacy Across Roles: Employees involved in system management, from engineers to business leaders, need foundational knowledge about how AI systems work and how to manage them responsibly.
"If harmonised standards will define what technical compliance looks like, then legal professionals need to get comfortable operating in deeply technical territory and vice versa," said Barry Scannell, partner at William Fry and Irish AI Advisory Council Member.
Anne Kleppe, who has a background in engineering, emphasized the importance of the shift-left approach. She explained that while you are building the solution, you need to set the guardrails in real time. It is also necessary to apply AI governance expertise across functions rather than concentrating it in a single compliance team.
Why Are Timelines Still Tight Despite Recent Delays?
The EU AI Act Omnibus pushed back implementation timelines for high-risk AI systems to December 2, 2027, giving organizations more breathing room than originally planned. However, practitioners at the conference realized this extension still provides limited time to develop comprehensive compliance strategies. The challenge is compounded by the fact that harmonized standards, which will define what technical compliance actually looks like, are still under development. Without clear technical standards, organizations struggle to know exactly what they need to build and test.
The conference also addressed updates to AI literacy requirements, new rules around deepfake creation tools (referred to as "nudifier" rules), and the expanded role of the EU AI Office in enforcement. These additions layer complexity onto an already demanding compliance landscape.
What Role Does AI Sovereignty Play in Europe's Governance Strategy?
While practitioners grappled with implementation details, European policymakers have shifted their focus to a broader strategic concern: AI sovereignty. Irish MEP and AI Omnibus rapporteur Michael McNamara used his keynote address to highlight the importance of AI sovereignty for Europe, arguing that Europe's barriers to accelerating AI adoption are related to access and investment in compute, capital, and energy. This reflects a geopolitical reality: as China and the United States race to consolidate AI infrastructure and define global norms, Europe is positioning itself differently.
For Europe, technological sovereignty is not a protectionist impulse but rather an assertion of democratic agency. Lucilla Sioli, head of the EU AI Office, and tech entrepreneur and journalist Mark Little both emphasized why investments in Europe's digital infrastructure are critical now. They identified the current geopolitical climate and discussed ways to leverage Europe's knowledge and talent in an AI era. Agnieszka Piotrowska, author and filmmaker, urged participants to think about how to be active users in the development of these technologies instead of passive bystanders, emphasizing that technology is not neutral and must be shaped by human values.
Should Congress Tie AI Preemption to Other Tech Legislation?
Across the Atlantic, the U.S. Congress faces a different governance challenge. The Information Technology and Innovation Foundation (ITIF) has warned against bundling federal AI preemption with separate legislation on children's online safety and digital replicas. According to ITIF Senior Policy Manager Ash Johnson, pairing these issues could sabotage ongoing debate about each topic individually.
"Pairing federal preemption of state AI laws with separate children's online safety and digital replica bills could sabotage the ongoing debate surrounding each of these issues," stated Ash Johnson, Senior Policy Manager at ITIF.
ITIF supports federal preemption of state AI laws to prevent regulatory fragmentation and enable innovation, but argues that Congress should enact this preemption separately while continuing to develop its approach to children's online safety and digital replicas. The concern is that tying preemption to bills that still contain flaws would be "taking one step forward and several steps back".
The governance challenge facing both Europe and the United States reflects a fundamental tension in AI regulation: how to establish clear rules and oversight without stifling innovation or creating fragmented compliance burdens. Europe's approach emphasizes rights-based frameworks and distributed governance, while the U.S. is still debating whether federal preemption or state-level flexibility better serves innovation and safety. What remains clear is that governance structures must evolve as rapidly as the technology itself.