The question surfaces in almost every board meeting about AI, usually near the end, once the slides about risks and deadlines are done: so who actually owns this? Eyes turn to the data protection officer, who points out that the AI Act is broader than privacy. Then to the CISO, who notes that this is more than security. Someone suggests appointing an AI officer, because surely that is mandatory by now. And that is where the misunderstanding begins.
The direct answer: the EU AI Act does not designate any mandatory officer or function. There is no legal duty to appoint an AI officer, no required AI compliance role, and no AI equivalent of the data protection officer that the GDPR prescribes for certain organisations. The obligations in the regulation rest on the organisation itself, in its role as provider or deployer of AI systems. And where the organisation is addressed, ultimate responsibility sits with the board, exactly as it does for any other legal obligation that rests on the legal entity. The practical question is therefore not who must be appointed by law, but how to assign responsibility internally so that something actually gets done.
What the law does and does not regulate
The AI Act works with roles at the level of the organisation. An organisation is a provider when it develops an AI system or places one on the market under its own name, and a deployer when it uses an AI system under its own authority. Obligations attach to those roles: from ceasing prohibited practices (enforceable since February 2025) to the transparency obligations for chatbots and AI-generated content that take effect on 2 August 2026, and the heavier requirements for high-risk systems, which the Digital Omnibus has moved to December 2027.
What is missing from all of those provisions is a duty to appoint a specific officer. The GDPR does contain that construction, with the mandatory data protection officer for certain organisations. The AI Act deliberately does not. The legislator places the compliance obligation on the entity and leaves the internal arrangement free.
That is not a licence to leave the subject unassigned. An organisation that cannot show, after an incident or a question from the regulator, how compliance is organised has a problem that lands directly on the board's desk. The fines are not symbolic: up to 35 million euros or 7 percent of worldwide annual turnover for prohibited practices, and up to 15 million euros or 3 percent for most other obligations, imposed through the supervisory authority. In the Netherlands, supervision is being assigned to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) as coordinating algorithm regulator and the Dutch Authority for Digital Infrastructure (RDI); the government submitted the implementing bill formalising that designation in April 2026.
Why the board cannot delegate what it cannot delegate
Boards delegate the execution of compliance all the time, and rightly so. But ultimate responsibility for complying with legislation that rests on the legal entity stays with the board. In practice that means three things.
First: the board must know which AI systems the organisation uses and which risk category they fall into. Without a current AI inventory, every governance discussion is a discussion about an empty map.
Second: the board must establish the division of roles and resource it. A compliance structure without mandate and budget is an organisation chart, not governance.
Third: the board must receive periodic reporting and act on it. AI Act compliance is not a project with an end date but a continuing obligation, especially now that the deadlines arrive in phases: transparency in August 2026, GPAI enforcement from that same moment, high-risk at the end of 2027.
A workable division of roles
Because the law leaves the internal arrangement free, you can build on the structure that already exists. In practice a division along these lines works, phrased as a RACI in plain language.
The board is ultimately responsible (accountable). It adopts the AI policy, approves the division of roles, receives reporting and decides on systems with a high risk profile. In organisations with a supervisory board, AI governance belongs on that agenda periodically as well.
The process owner per AI system is operationally responsible. This is the owner of the business process in which the system runs: the HR director for the recruitment system, the operations manager for the planning tool. The process owner knows how the system is used, spots deviations first, and is the natural place for the human oversight that Article 14 requires for high-risk systems. Assigning responsibility to whoever actually uses the system prevents compliance from becoming a paper reality that runs parallel to the operational one.
The data protection officer is consulted on the privacy interface. Almost every AI system that makes decisions about people processes personal data. The DPO assesses the GDPR side, advises on DPIAs and guards the coherence between the two frameworks. But the DPO is not automatically the AI officer: the AI Act covers product safety, technical documentation, logging and oversight requirements that fall outside the DPO's profile and often outside the DPO's mandate. Loading the entire AI Act onto the DPO is the fastest way to make both tasks fail.
The CISO is operationally responsible for the security dimension. Robustness, access management, logging and the resilience of AI systems against manipulation map directly onto the existing security domain. For financial institutions there is the additional overlap with DORA, which has applied since January 2025.
Compliance and legal set the frameworks (consulted, partly responsible). They translate the regulation into internal policy, review contracts with AI vendors, track developments around the Digital Omnibus and the national implementing bill, and test whether practice matches policy.
Everyone who works with AI systems is informed and trained. AI literacy under Article 4 has applied since February 2025. Treat it not as a standalone sanction risk but as the condition under which everything above works: human oversight is only real when the people doing the overseeing understand what they are looking at.
Why a coordinating AI governance role pays off anyway
No obligation, then. But anyone reading the division above sees the risk immediately: five functions, each holding one piece of the puzzle, and nobody guarding the whole. That is exactly why a coordinating role pays off in practice, even without a legal duty.
That role, call it AI governance coordinator or AI officer if that lands better internally, keeps the AI inventory current, tracks the deadlines, puts new systems on the agenda for risk classification, organises reporting to the board and serves as the internal point of contact for questions. In smaller organisations this is a few hours a week attached to an existing function, often compliance or legal. In larger organisations with many AI systems it grows into a full role, sometimes embedded in an AI governance board where the disciplines mentioned above come together.
Anchoring the coordinating role in a management system, for instance along the lines of ISO 42001, additionally gives it a structure that is auditable. How that standard relates to the AI Act is covered in an earlier analysis on this platform.
How to arrange this within a month
For a director who wants to get this assigned, the sequence is manageable:
- Confirm that the board is ultimately responsible and record it in a short AI policy or board resolution.
- Commission or update an AI inventory, recording per system the organisation's role and a provisional risk category. The obligations per category are set out in the AI Act Explorer.
- Appoint a process owner per system and designate one coordinator with mandate and time.
- Involve the DPO, the CISO and legal formally in the structure, with clear interfaces instead of shared vagueness.
- Plan the reporting cycle, with 2 August 2026 (transparency obligations and the start of GPAI enforcement) as the next milestone.
Organisations that want an outside perspective, for instance to test the division of roles or to guide the first inventory and risk classification, can turn to Embed AI.
The core remains simple. The law does not ask for a title on a business card. It asks for an organisation that can demonstrate that it knows its AI systems, controls the risks and has assigned responsibility. An organisation that has that in order has answered the question from the boardroom, whatever the role is called.