Author: Paul Bardell

  • You’ve Been Made Responsible for AI. Now What?

    You’ve Been Made Responsible for AI. Now What?

    At some point, in a meeting or an email, it landed on you:

    “Can you own the AI side of things?”

    Or maybe you volunteered.

    In any case, nobody has really defined the role. But now you’re the person accountable for AI in a business – and you may not be sure what that means, or what you’ve signed up for.

    This is a guide to what being accountable for AI actually involves, what you’re on the hook for, and what you’re not.

    First: you weren’t given a technical job

    The instinct is to think you now need to understand AI. You don’t.

    Being accountable for AI isn’t about knowing how the models work, any more than being responsible for the company car means you can rebuild the engine.

    It’s about knowing what’s being used, by whom, for what – and making sure someone can answer for it.

    It’s a governance job, not an engineering one.

    It rewards the things you already do: asking questions, keeping track, noticing when something doesn’t add up.

    You were probably handed this precisely because you’re the sort of person who does those things.

    What you’re actually accountable for

    Accountability sounds vast and vague. In practice it’s four concrete things.

    • Knowing what AI is in use – Not every technical detail – just what tools are being used for work, and roughly what they’re used for. You can’t answer for what you can’t see.
    • Knowing what AI touches – Which tools handle sensitive things – customer data, financials, decisions about people. That’s where the highest risk concentrates, and it’s what you’d be asked about first.
    • Making sure each use has an owner – Not you, personally, for all of them. Each AI use needs someone close to it who can answer for it. Your job is that the map exists, not that your name is on every line.
    • Being able to show it – If a client, an auditor, or your boss asks “how do we know our AI use is under control?” – you can point to something real.

    Notice what’s not on the list: you don’t have to prevent every mistake, understand every algorithm, or personally police every tool.

    What you’re not on the hook for

    If the role was handed to you as “you’re now to blame when AI goes wrong,” then that’s not accountability, that’s a set-up, and it’s worth having a firm discussing with anyone who implies you are responsible for an AI mishaps.

    In a functional work environment:

    • You’re not personally liable for every AI mistake – Accountability for governance means making sure the system is sound – not taking the fall when someone, despite reasonable care, gets something wrong. A tool giving a bad answer isn’t your personal failure if you built a sensible process around it.
    • You’re not expected to be the expert – “I don’t know, but I know who does, and I’ll find out” is a complete and correct answer. Accountability is about the process being sound, not about you personally knowing everything.
    • You’re not doing it alone – The job isn’t to do all the governance yourself. It’s to make sure it’s happening – that uses have owners, that risks are seen, that there’s a record.

    You need authority, not just responsibility

    Everything above only holds if you can actually do the job.

    Responsibility without authority isn’t accountability, and if that is the situation you find yourself in, then you’re being set up to fail.

    If you’ve been made accountable for AI, you need four things. If you don’t have them, ask for them.

    • The power to say no – You can veto an AI use that isn’t safe or appropriate, without having to win an argument with whoever wants it. A decision that can be overruled by whoever is loudest isn’t a decision.
    • The right to conduct reviews – You can see how tools are actually being used, and what data is going into them. You can’t be accountable for what you’re not allowed to inspect.
    • A budget line – You can require the paid, secure tier rather than the free one that trains on your client data. If the answer is “we can’t afford it,” then the correct answer is “then we can’t do this project.”
    • A direct line up. When you flag a risk, you go straight to whoever can act on it – and they should back you until it’s properly reviewed.

    If you have those four, you can do the job, and you are genuinely not carrying personal liability for a good-faith mistake.

    If you don’t have all four, then it’s worth having a direct conversation with whoever handed you the role – before something goes wrong, not after.

    So where do you start?

    With visibility.

    You can’t be accountable for what you can’t see, so the first real move is simply finding out what AI is actually being used in your business.

    Ask your team, plainly and without threat – most AI use is invisible not because it’s hidden, but because nobody ever asked.

    From there it’s steady, process-based work:

    • Give each use an owner
    • Note what touches sensitive data
    • Keep a simple record.

    Every governance framework and obligation you’ll ever face is built on that same foundation.

    Start there and you’re ahead of most.

    So why would you want this job?

    If you’ve read up to this point and you’re wondering why you would want this role in the first place, here are some of the payoffs when you get handed the AI file:

    You become the person who unlocks AI, not the one who blocks it.

    Without an owner, businesses default to one of two bad options: reckless use, or a blanket ban. Both cost you.

    The first is a data breach waiting to happen. The second means watching competitors get faster while your team quietly uses AI on their phones anyway.

    With an owner, there’s a third option. People can actually use these tools – safely, openly, with permission. Your colleagues will feel the difference. It’s the difference between being the person everyone works around and the person everyone comes to.

    You end up with a map of the business that almost nobody else has.

    To do this job properly, you have to find out what every team actually does, what data matters, and where the risks concentrate. Very few people in any organisation have that picture.

    This is why good operations and compliance people become indispensable – they’re  the only ones who can see the whole board. You become the go-to person in your organisation for AI.

    You’re early in something that’s about to matter a great deal.

    AI governance is being invented right now. In a few years there will be an established playbook, a standard qualification, and a routine way of doing it.

    Today there isn’t. Which means the people doing it now are the ones who will be consulted, trusted, and promoted into it later. It’s rare to be handed a role that is quietly about to become more important than it currently looks.

    Whoever owns AI decides whether governance becomes a bureaucracy that everyone works around, or a system that genuinely helps people do better work.

    It’s impactful work and it matters right now

    Most work is invisible. Nothing went wrong, so nobody noticed. This is different. You’ll have a register, a set of decisions, a record. Something concrete you can show a client, an auditor, a board, or a future employer.

    Take this on now and you help write the rules. Take it on in five years and you’ll be enforcing someone else’s.

    The opportunity is real

    From some chatter I’ve heard, not everyone who has been put in charge of AI necessarily wanted the responsibility or the extra work.

    But think of it like this: of all the things that could have landed on your desk, this one comes with a rare combination of benefits.

    • It’s genuinely useful
    • It’s genuinely early
    • And almost nobody knows about it yet.

    That’s an opportunity.

    Make the most of it.

     

  • How should you deal with Shadow AI?

    How should you deal with Shadow AI?

    Shadow AI: it’s more than ChatGPT

    Shadow AI is broadly defined as employees using AI tools or features without management knowledge, oversight, or approval.

    Asking ChatGPT questions in a browser tab is an obvious example, but there are lots of ways Shadow AI use is probably already occurring in your business.

    Level 1 – the obvious. Staff using ChatGPT, Claude, or Gemini through personal accounts. Emails, summaries, spreadsheets.

    Level 2 – the switched-on. AI features inside tools you already pay for. The summarise button in your inbox. The notetaker in your calls. The “ask AI” box that appeared in your CRM after an update.

    Level 3 – the invisible. AI built into software that never announced it. Your data passes through it in the background – nothing to switch on or off, no magic wand icon. You may not even realise you’re using AI.

    Your best people are likely reaching for these tools to do good work under pressure. It’s about efficiency, the desire to beat KPIs, or win back free time.

    If one person on the team starts using AI to increase their productivity, pretty soon everybody else feels like they have to too.

    In this way shadow AI is not so much a discipline problem.

    It’s a governance problem.

    Put simply, AI governance is the framework of rules, practices, and ethical guidelines used to ensure an AI tool or system is developed and deployed responsibly. It acts as guardrails – often known in compliance terminology as controls – that help to manage risks.

    By establishing clear accountability and oversight throughout the AI’s lifecycle, governance ensures the technology operates transparently, safely, and in alignment with human and company values.

    So what are the risks of Shadow AI?

    Unapproved and ungoverned AI use can expose your business to a range of potential issues, including:

    Data leakage and privacy exposure.
    Employees often paste sensitive company info – customer details, financial statements, source code, or internal contracts – into public AI tools.

    Compliance and legal violations. Using unvetted AI tools without signed Data Processing Agreements (DPAs) can put businesses in breach of data privacy regulations, exposing them to fines, penalties, and reputational damage.

    Errors and “hallucinations”. AI tools can produce fabricated or factually incorrect information. Without careful review, these errors can damage client trust.

    Intellectual property loss. Proprietary designs, business strategies, or unique formulas submitted to free external AI platforms can lose their confidential status.

    Cybersecurity and insurance risks. Browser extensions and unvetted AI plugins can expose your network to malware or unauthorised integrations. Many cyber insurance providers now require strict AI policies and oversight, the absence of which can lead to denied claims in the event of an incident.

    Why it’s happening now

    If creating a detailed spreadsheet takes weeks, and Claude can do it in ten seconds, which option would you choose?

    Smart people will do what smart people always do – find efficient ways to increase their output.

    So it makes sense that people are using AI. Menlo Security’s 2025 research found a 68% surge in shadow generative AI use across enterprise between 2024 and 2025.

    The problem is that most businesses have no rules for AI at all – no guidance on what’s acceptable or who to ask – and workers are often unaware of the risks associated with pasting company information into AI tools.

    During my research I’ve noticed some smaller companies tend to have an attitude of “we don’t need governance, that only applies to big companies”.

    But smaller businesses are often more exposed to these risks, not less.

    Big companies have IT teams and always-on telemetry tools specifically designed to notice unauthorised AI use. A 15-person medical practice doesn’t have these tools – and even the most sophisticated tools won’t catch somebody entering client details into ChatGPT on their personal phone.

    The fix isn’t a crackdown. It’s a culture.

    AI arrived so fast companies haven’t had time to implement policies, or even fully identify the risks. Microsoft’s Work Trend Index found the majority of knowledge workers are already using it – and most are bringing their own tools to work.

    So how can you build a culture of openness, awareness, and accountability around responsible AI use?

    Give each AI use case an owner

    Not to have someone to blame – the opposite.

    Blame is what you reach for after something breaks and nobody was watching. Accountability is what stops it breaking in the first place.

    An owner is a guardian, not a fall guy: one named person who keeps an eye on one AI use case. They are the person who has the responsibility to manage an AI use case, and – this is key – the authority and backing of the company to control how it is used.

    1. Define the AI use case

    The responsibility: clearly state exactly what the tool is used for. “Reception uses ChatGPT to draft replies to customer enquiries.”

    The authority: the owner requires the formal power to veto unapproved use cases. If an employee tries to use ChatGPT to draft a legal contract, the owner has the authority to stop them immediately.

    2. Know what data goes in

    The responsibility: maintain total visibility over what information is entered into the AI, ensuring sensitive client, financial, or health data is strictly protected.

    The authority: the owner has the authority to inspect how the team uses the tool, and to require management to fund secure, paid business tiers so data is not leaked to public models.

    3. Answer “who decided this?”

    The responsibility: be the named person who stands behind the tool when a client, auditor, or the business owner asks questions. Keeping an immutable paper trail of all key decisions regarding what is and isn’t permitted.

    The authority: the owner must be backed by senior management as the sole decision-maker for that tool. Because management officially gave them the green light, the owner cannot be scapegoated if an unpreventable technical glitch occurs.

    4. Flag changes

    The responsibility: monitor the tool’s usage and issue an immediate pause-and-review order if scope-creep occurs, or if the AI tool begins touching more sensitive data.

    The authority: the owner must have a direct line to executive management. When they flag a risk or a change in usage, the business owner needs to have their back until a formal review is conducted.

    Choosing the right owner – and making sure they can actually do the job without being overruled – is its own question. We’ve written about that separately: [link to ownership post].

    Shadow AI detection tools versus just asking

    There is a class of software tools that detect shadow AI by monitoring your team’s computer usage to various degrees of sophistication and detail – from simply identifying that your team is using an AI tool – for instance we can see they connected with ChatGPT’s internet address, but we don’t know what they’re entering – to invasive systems that log every single keystroke on your team’s devices.

    These tools have a place, but they also have limits.

    Even if you spent thousands of dollars on enterprise-grade network monitoring and laptop tracking, it becomes irrelevant the moment an employee pulls out their personal mobile phone.

    If a staff member is working from home and they turn on their personal laptop on their personal 5G data plan, your corporate IT department is completely blind.

    Worse, when you rely heavily on technical surveillance and spy software, you implicitly signal to your staff: “We don’t trust you, we are watching you.”

    That destroys morale and creates a culture of distrust. It challenges people to find clever workarounds.

    Cultivating a culture of open communication creates a far safer business.

    When employees feel safe to say, “Hey, I tried using this AI tool today to help me summarise this long client PDF, is that okay?” – you can actually identify and manage the risk.

    For most businesses, asking beats detecting.

    Don’t ban AI – manage it

    Shadow AI isn’t proof your team is reckless. It’s proof they’re working better, faster than the business caught up.

    Treat it as a crime and it goes underground.

    Treat it as a signal and it shows you where your useful tools – and your real risks – sit.

    The should never be to ban AI. That wouldn’t work anyway – the floodgates are open.

    It’s to move from “I think we’re probably okay” to “I can show we’re okay, and here’s why.”

    Visible, owned, on the record.

    Further reading

     

  • The EU AI Act and Australian Businesses

    The EU AI Act and Australian Businesses

    A European client emails and asks you to confirm your AI use complies with the EU AI Act.

    You’re in Australia. No office in Europe, no European staff, and because of that you may be thinking that European law can’t reach you.

    But it can.

    The EU AI Act is not a toothless tiger that Australian businesses can simply ignore.

    It is a real legal framework with real, business-ending consequences for non-compliance.

    Think of it as the AI equivalent of the GDPR, but with sharper teeth.

    The EU has a proven track record of enforcing its digital laws globally, and this Act carries maximum penalties of up to €35 million or 7% of global annual turnover, whichever is higher.

    For many Australian businesses, a single penalty of that scale is a business death sentence.

    This guide sets out to show whether the EU AI Act reaches your Australian business – and why it may matter even sooner than the legal deadline suggests.

    I’ll cover two situations, because the Act treats them very differently:

    • You use AI in your business – Tools, features, assistants – anything you didn’t build.
    • You build AI into a product you sell – For example – you’re a startup shipping software with AI inside it.

    While the obligations carry more weight for second situation, don’t think you’re off the hook because you’re only using AI, not selling it.

    The EU AI Act isn’t bound by geography. It’s bound by who your AI affects.

    Most people may assume European law only applies to European companies.

    This one doesn’t work that way.

    If your AI system’s output is used in the EU – a tool that ranks EU job applicants, a model that scores EU customers, a service EU users interact with – you can be in scope even with no European presence at all.

    According to the Act, the Regulation applies to providers placing AI systems on the market or into service in the Union, irrespective of whether those providers are established in the Union or in a third country.

    This mirrors GDPR, which caught plenty of Australian businesses the same way.

    Telling regulators: “But we’re not in Europe” was not a credible defence then either.

    First, work out which one you are: deployer or provider

    This is the distinction that determines everything else:

    A deployer uses an AI system – You bought it, or you subscribed to it, and you use it in your work. Your obligations are real but manageable – transparency, human oversight, using the tool as intended.

    A provider builds an AI system and puts it on the market – Your obligations are substantially more detailed: involving risk management, data governance, technical documentation, logging, conformity assessment.

    Here’s the trap, which seems to have caught a few startup founders I’ve spoken to:

    You can become a provider without building a model.

    If you plug into an API like OpenAI or Anthropic, or use an open-source model, you might assume you’re just a user.

    But if you fine-tune it, materially alter its output, put your own name on it, or apply it to a specific high-stakes domain – such as HR, fintech, education – you may be legally classified as the provider of that system.

    You absorb the liability, even though you’re not nearly on the scale of an OpenAI or Anthropic and you didn’t train a thing.

    If you’re a startup using an AI model’s API anywhere in your product and selling it, by far the safest option is to assume you’re a provider until a lawyer tells you otherwise.

    Does the Act apply to you? A quick and rough self-check

    Give the following four questions some thought and answer honestly:

    • Do you sell a product or service which may be used by anyone in the EU? Customers, users, members – anyone based there.
    • Does it use AI? Including AI features inside tools you resell or embed, not just AI you built.
    • Does the AI’s output reach an EU person? A decision, a score, a recommendation, generated content, a chatbot they talk to.
    • Is it used for something consequential? Hiring, credit, education, access to services – anything affecting someone’s rights or opportunities points toward the “high-risk” tier, where the real obligations sit.

    More “yes” than “no” means you’re likely affected by the act, or close enough that you can’t assume otherwise.

    You should also note that this simply rough guidance and should not be taken as legal advice.

    But it may give you an indication as to whether you need to assess your exposure in more detail (and if you’re reading this – you probably should).

    What is defined as high risk AI?

    The EU AI Act flags specific use cases where AI decisions directly impact a person’s life, career, or bank account.

    If your business or product does any of the following, you are almost certainly operating in the high-risk zone:

    • HR and recruitment – AI that screens CVs, ranks job applicants, targets job ads, or tracks employee workplace performance.
    • Fintech and insurtech – AI used for credit scoring, assessing eligibility for a loan, or calculating insurance premiums and risk.
    • Edtech – AI tools that score exams, grade student essays, or decide who gets admitted into a course or school.
    • Biometrics – Software doing facial recognition, emotion tracking, or categorising people based on sensitive biometric data.
    • Critical infrastructure – Embedded AI that optimises or controls physical networks like traffic lights, water systems, or renewable energy grids.
    • Safety components – If your AI is built into a physical product already subject to strict EU safety checks – medical devices, machinery, smart toys.

    Note that this catches deployers too, not just builders.

    An Australian firm using an AI tool to screen job applicants in the EU is in the high-risk zone, even though someone else built the tool.

    If you checked any of those boxes, now is the time to stop wondering. The deadlines for high-risk rules are approaching.

    Book a chat with a technology lawyer sooner rather than later.

    A small upfront outlay now beats a drawn-out legal process and company-destroying fine in a couple of years.

    Two deadlines

    So far, I’ve spoken mostly about the legal ramifications but if you’re operating in the EU in any capacity, you’re not just running against the regulatory deadline.

    There are also commercial considerations to take into account.

    • The legal deadline – Key obligations were set for August 2026, but a simplification package pushed high-risk duties to 2 December 2027 for stand-alone high-risk AI systems, and 2 August 2028 for high-risk AI systems embedded in products. Whether this changes again is unclear at the time of writing, but the deadline is real and approaching.
    • The customer deadline –  EU buyers are increasingly writing AI Act expectations into contracts and questionnaires. Suppliers are being asked to confirm compliance well before any regulator gets involved.

    The customer deadline is the one that will probably hit your business first.

    Even if you’re happy to live in denial and betting on the probability that an EU regulator may never question you, you should still be prepared when your EU customers do.

    What “getting ready” actually looks like

    While you don’t need to become an EU compliance expert, you do need to have answers ready for the following questions when they come:

    • Where and how do you use AI? List every AI system and feature touching your product or your EU-facing work. (If you’re not sure, that might be due to Shadow AI).
    • Does each AI use case have an owner? One person who can answer for what it does and what data it touches. Accountability is the spine of every framework, this one included.
    • Have you assessed risks by consequence? How does your AI use touch EU people or customers? Which do something high-stakes? Those matter first.
    • Do you have an AI register? What each system does, what data goes in, who owns it, what you’ve checked.
    • Do you have proof? When a client or auditor asks, you can say: “Here’s what we use, here’s who owns it, here’s where we are, and here is the evidence”

    At the very least, compiling your AI register is a low investment way to get a head-start on meeting regulatory requirements which only requires a spreadsheet or Notion file.

    Starting your AI register

    At its most simple, an AI register documents the lifecycle of your AI use. It should show:

    • What the AI does – The system’s exact purpose, limitations, and intended use cases.
    • What data goes in – The data ingredients, where they came from, and how they are cleaned.
    • Who owns it – Clear accountability – who built it, who maintains it, who reviews it.
    • What gets checked – The monitoring, bias checks, and guardrails in place.
    • When and how – The schedule for regular audits, performance tests, and system updates.
    • By whom – The specific roles responsible for signing off on safety and compliance.

    Why DIY compliance is a risk

    Starting an AI register in a spreadsheet is a great first step. But don’t rely on DIY compliance to protect your business.

    Considering the stakes and the size of the penalties, if you have users, data, or clients in the Eurozone, book a chat with a specialised technology lawyer sooner rather than later.

    Here’s why.

    • The risk categories are tricky – The Act ranks systems from minimal risk to unacceptable risk. A lawyer needs to look at your exact use case to tell you where you land in a way that is legally defensible. Misclassify a high-risk feature and the fines are severe.
    • The provider trap is easy to fall into – Plugging into someone else’s model doesn’t keep you safe. Alter the output, or apply it to a regulated domain, and you may absorb the full provider liability.
    • Investor due diligence for startups – Sophisticated VCs will start asking for legal sign-off on AI compliance. A lawyer-approved framework makes you look professional and investable.

    If you build AI into a product: assume you’re high risk until you’re sure you’re not

    If you’re a startup or software companies shipping AI-enabled product, the safest option is to assume you’re high risk until you can definitively prove that you’re not.

    The EU AI Act works on a sliding scale of risk, and the boundaries can be blurry. If you don’t know exactly what risk level your AI represents, don’t cross your fingers and assume you’re safe.

    The safest rule of thumb: treat your system as high risk from day one.

    It is vastly easier – and cheaper – to build documentation, data tracking, and guardrails into your product now, rather than trying to reverse-engineer compliance later when an auditor knocks on your door.

    It also has added benefits. It helps future-proof your business if you decide to scale with AI in the coming years, and it encourages good habits around AI hygiene.  

    What assuming high risk looks like in practice

    Five simple habits to build into your development workflow:

    • Build a kill switch – Design the architecture so a human can instantly override, pause, or shut down the AI if it starts producing harmful, biased, or highly inaccurate output.
    • Keep the training receipts – Document exactly where your training data came from, how it was filtered for bias, and how you prevent copyrighted or private personal information from slipping in.
    • Log everything automatically – Set up system logs that track the AI’s operations, uptime, errors, and any instances where a human had to step in and correct its output.
    • Write a plain-English user guide – Clear documentation for end-users explaining how the AI works, what its limitations are, and how they can review or challenge its decisions.
    • Appoint a safety lead – Assign one person (even if it’s a member of the founding team) to own the AI safety mantle, ensuring risk reviews happen before every major deployment.

    Why it’s worth getting ready now, regardless of your legal standing

    Whether or not the EU AI Act legally binds your Australian business depends on specifics only you can check.

    But the question underneath isn’t just legal. It’s commercial.

    Your EU customers are deciding, right now, whether you’re a supplier who has their AI use handled safely, or one who carries too much risk to deal with.

    It’s happening in Europe, and signs indicate it will be happening in Australia very soon too.

    Being prepared means knowing what AI you use, who owns it, and being able to show proof when a customer or an auditor asks.

    That’s worth having whether the law reaches you or not.

    Further reading