The AI Act as Organizational Regulation
Real-economy analysis of the organizational and economic impacts of the EU AI Act. - Reference Framework
Full PDF version (EN/DE) at the end of the document.
1. Executive Summary
A. Organizational regulation instead of technology regulation
The EU AI Act regulates less the technology itself than the organizational conditions of its deployment.
B. New governance and decision structures
Risk classification, documentation requirements and human oversight reshape processes, responsibilities and organizational control mechanisms within organizations.
C. Transition frictions and emerging markets
The adjustment phase introduces temporary remanualization of processes and longer development cycles, while new markets for governance, certification and infrastructure emerge simultaneously.
2. Perspective Framework
The EU AI Act establishes a comprehensive legal framework for the development and deployment of AI systems within the European internal market.
Public discourse often frames the AI Act as a technology regulation. For organizations, its primary impact lies in the governance and decision structures within which AI systems are deployed.
The AI Act therefore operates less as a regulation of technology itself and more as a regulation of the organizational conditions of its deployment. Organizations must define responsibilities, document decision processes and establish organizational control mechanisms for AI-assisted decisions.
This analysis examines the AI Act from a real-economy perspective: which organizational adjustments emerge within organizations, which transition frictions occur and which economic structures develop around the regulated deployment of AI systems.
3. Regulatory Mechanism
The EU AI Act governs the deployment of AI systems through a combination of risk classification, documentation requirements, human oversight and conformity assessment (Art. 6–7, Art. 14, Art. 43). This structure generates concrete organizational requirements.
The classification of AI systems into risk categories is the central regulatory element. Systems with higher risk are subject to stricter requirements regarding transparency, documentation and human oversight (Art. 6–7).
For organizations, three operational requirements follow:
Documentation to ensure traceability: development processes, training data, model changes and decision processes are documented in a traceable manner
Human oversight: AI-assisted decisions remain subject to human review and potential override (Art. 14)
Conformity assessment: organizations must demonstrate compliance with regulatory requirements for certain systems (Art. 43)
This regulatory mechanism shifts the focus from the technical development of individual models to the organizational conditions of their deployment.
Regulatory mechanism:
The regulatory logic of the AI Act operates through a clear sequence: risk classification, documentation requirements and human oversight shift requirements for AI systems from technical performance to organizational integration. This results in new governance structures, additional review and approval processes and expanded organizational control mechanisms. During the transition phase, these adjustments create frictions and extended development cycles, while simultaneously enabling new markets for governance, audit and infrastructure services.
Example:
An AI system for credit risk assessment requires more than technical performance. Organizations must document training data, decision processes and control mechanisms that enable human review.
4. Organizational Adjustments
The primary adjustments triggered by the EU AI Act occur not within the technology itself, but within the organization of its deployment: defined responsibilities, documented decision processes and regulatory control mechanisms.
Responsibilities for AI systems
Organizations must define regulatory responsibility for each AI system, a function that often lacks clear allocation.
New interfaces emerge between:
AI development teams
operational business units
risk and compliance functions
Example:
An AI system for credit risk assessment is developed by a data science team, deployment by a credit department and overseen by risk and compliance functions.
New review and approval processes
Organizations must assess whether an AI system falls under a regulated risk category and which requirements apply.
Typical adjustments include:
internal approval processes for new AI systems
regulatory assessments prior to deployment
additional reviews for model changes
These processes extend the time between technical development and operational deployment.
Example:
A newly developed credit risk model must undergo risk classification, documentation and internal approval before deployment.
Integration into risk and compliance structures
AI systems integrate more strongly into existing control structures. Risk management, compliance and internal audit functions gain influence over their deployment.
AI systems thereby become organizationally comparable to other regulated decision infrastructures.
Example:
An AI system for prioritizing incoming medical findings in a hospital integrates into clinical workflows. Decisive is process integration: defined human review at specific thresholds, documented overrides of automated prioritization and clear responsibilities for monitoring and incident handling.
5. Transition Regime
Between existing AI deployment and full regulatory integration, organizations operate within a transition phase. Existing systems undergo review, processes adapt and governance structures emerge.
These adjustments introduce temporary review layers, organizational frictions and partial constraints on automation.
System inventory and retrospective documentation
Organizations must establish a structured inventory of existing AI systems. Applications previously treated as technical tools require reclassification and documentation within a regulatory context.
Typical steps include:
systematic identification of existing AI systems
retrospective documentation of training data and model logic
internal assessment of regulatory risk classification
Example:
A fraud detection system in long-term deployment must undergo retrospective documentation of training data, model changes and monitoring responsibilities.
Temporary remanualization of decisions
Organizations may temporarily limit automated processes until regulatory requirements are fully implemented.
Remanualization refers to the temporary shift of automated decisions back to human review and decision-making processes during regulatory adjustment phases.Typical situations include:
additional human review of automated decisions
parallel manual assessments during transition phases
temporary restriction of automated decision-making
This particularly affects decisions with direct impact on individuals.
Example:
An automated applicant screening system continues to operate, but each decision undergoes human review until documentation and control processes are fully implemented.
Extended development and deployment cycles
Regulatory documentation and review requirements extend development and deployment cycles of AI systems.
Additional coordination and review phases emerge between technical completion and operational deployment.
Example:
A credit risk model must undergo documentation, risk classification and internal approval before deployment.
Stabilization after the adjustment phase
These frictions primarily occur during the integration of regulatory requirements. With increasing experience and established governance processes, they become established organizational processes.
6. Emerging Market Mechanisms
When organizations simultaneously establish governance, control and documentation structures for AI systems, new markets emerge for services and infrastructure.
Phase 1 – Governance and implementation consulting
Initial demand focuses on regulatory implementation.Typical services include:
inventory of existing AI systems
assessment of regulatory risk classification
development of internal AI governance structures
Example:
An organization using multiple AI systems receives external consulting for systematic identification and regulatory classification of these systems.
Phase 2 – Audit and certification structures
With increasing regulatory integration, formal audit and certification structures emerge. Organizations must demonstrate that certain AI systems comply with regulatory requirements (Art. 43).
Markets develop for:
conformity assessments
independent auditing bodies
specialized certification services
Phase 3 – Infrastructure markets
Technical infrastructure emerges to support monitoring, documentation and traceability of AI systems.
Typical solutions include:
monitoring systems for AI-assisted decisions
platforms for documenting model changes
software for managing regulatory documentation
Temporal dynamics of market formation
The development of these markets typically unfolds over several years:
0–2 years: governance and implementation consulting
2–4 years: audit and certification structures
3–6 years: technical infrastructure markets
7. Conclusion
The AI Act reshapes not only the deployment of individual AI systems, but also the organizational and economic conditions of their deployment. Organizations establish new governance structures and control mechanisms, while new markets for services and infrastructure emerge.
The AI Act operates less as a regulation of technology itself and more as a regulation of the organizational and economic structures surrounding AI deployment.
8. Legal References
EU AI Act
Art. 6–7 – Risk classification of AI systems
Art. 9 – Risk management system
Art. 14 – Human oversight
Art. 43 – Conformity assessment
Download full paper (PDF):
Related analysis: OA #01 - AI Regulation as Value Chain Reconfiguration