I’ll be honest—I’ve watched too many smart teams stumble here. They bolt GenAI onto legacy model risk frameworks and wonder why auditors keep finding gaps. Here’s what I’m seeing work with CDOs navigating the EU AI Act:

You need segmentation, not standardization. Traditional ML, GenAI, and agents carry fundamentally different risks. Treating them the same is like using the same playbook for three different sports.

Start with an AI Management System — ISO/IEC 42001 for structure, 42005 for impact assessments, 42006 for auditability. Map it to NIST’s GenAI Profile + COSAIS overlays. This isn’t box-checking; it’s how you govern at scale without chaos.

Then segment your controls: ML needs drift monitoring and data quality checks. GenAI needs prompt-injection defenses and hallucination tracking. Agents? Autonomy caps, tool allow-lists, human-in-the-loop gates, sandboxed execution, full action logs. Use OWASP’s LLM Top 10 — your security team already speaks that language.

On EU AI Act compliance: GPAI obligations are phasing in now. Inventory your systems, classify them (general-purpose, high-risk, other), run fundamental rights impact assessments for high-risk deployers, then choose your conformity path. Don’t wait.

Make it operational. Name control owners. Set SLAs. Track what matters—prompt-injection incidents, drift rates, task success, hallucination coverage, adoption rates, cycle-time savings. Require evidence (model cards, eval runs, logs) before promotion. Gate agent autonomy upgrades.

And frankly, treat anonymization as something you prove, combining technical (DP, SDC, k-anon) with organizational and process controls. Keep DPIA’s records updated per EDPB/ICO guidance.

If you’re piloting agents: cap autonomy first, scale second.

The teams moving fastest with focus aren’t skipping controls—they built the right ones from day one.

Which KPI tells you the most about your AI program’s health—risk metrics, performance indicators, or value creation? I’m especially curious what agent pilots are tracking beyond the basics.