Somewhere in the next twelve months, a national competent authority will ask a mid-market organisation to present the person responsible for their AI compliance programme. They will ask who classified the AI systems. Who signed the declaration of conformity. Who approved the risk management framework. And in some organisations, the honest answer will be: nobody. Because the programme was generated by AI and never reviewed by a human with the authority to own it.
The accountability gap
The EU AI Act is explicit about accountability. Article 16 assigns obligations to providers of high-risk AI systems. Article 26 assigns obligations to deployers. Article 43 requires conformity assessment. Article 47 requires the provider to draw up and sign an EU declaration of conformity. Article 49 requires registration in the EU database. At every stage, the regulation assumes that a natural or legal person is taking responsibility for the system's compliance.
This is not unique to the AI Act. DORA assigns accountability to the management body of financial entities (Article 5). NIS2 holds management bodies responsible for cybersecurity risk management measures (Article 20). GDPR assigns accountability through the controller (Article 24) and, where appointed, the Data Protection Officer (Article 37). Across these frameworks the common thread is the same: someone, a named individual or body, must be accountable for the programme's integrity.
AI cannot fill this role. It can produce the documentation. It can generate the risk assessments. It can draft the declaration of conformity. But it cannot sign it. It cannot answer questions at a supervisory meeting. It cannot explain why a particular risk was rated as "medium" rather than "high." It cannot defend a classification decision when a regulator challenges it.
What regulators actually look for
Regulators do not assess compliance by reading documents. They assess compliance by testing whether the organisation understands its obligations, has made informed decisions about how to meet them, and can demonstrate that those decisions are being implemented in practice.
Understanding. Can the responsible person explain, in their own words, why the organisation's AI system is classified as high-risk? Can they articulate which articles of the Act apply and how the organisation has addressed each one? A document that says the right things is not evidence of understanding. It is evidence that a document exists.
Decision rationale. Can the organisation explain why specific risk mitigations were chosen? Why certain controls were implemented and others were not? Why the residual risk level was accepted? These decisions require judgement, and regulators test whether that judgement was exercised by someone who understood the context rather than generated by an algorithm that does not.
Operational evidence. Is the compliance programme actually running, or does it only exist on paper? Are risk assessments being reviewed at the stated frequency? Are incidents being detected, classified, and reported? Are changes to the AI system triggering compliance reviews? A regulator will ask for evidence of operational implementation (logs, reviews, reports, and records), not just the policy that describes the process.
Board-level exposure
The personal accountability dimension is escalating. Under DORA, the management body of a financial entity is required to approve and oversee the ICT risk management framework. This is not a delegatable obligation: the board must demonstrate active oversight, not passive awareness. Under NIS2, management bodies can be held liable for failing to ensure compliance with cybersecurity risk management measures. Under the EU AI Act, the provider that draws up the declaration of conformity assumes responsibility for the system's compliance (Article 47), and the named signatory is the person who will be asked to stand behind it.
Board members and senior executives who allow compliance programmes to be built entirely by AI, without expert review, without operational validation, and without named accountability, are exposing themselves personally. When the programme fails under scrutiny, the question will not be "why didn't the AI get it right?" It will be "why didn't you ensure the programme was adequate?"
The scenario
Imagine the following scenario. Your organisation deploys a credit scoring AI system. It is classified as high-risk under Annex III. You use AI tools to generate the risk management framework, technical documentation, and conformity assessment. The output looks professional. The board approves the programme based on the documentation presented.
Eighteen months later, a consumer complaint triggers a regulatory inquiry. The national competent authority requests your compliance file. They review the technical documentation and note that the risk assessment does not reflect the actual deployment context β the risks described are generic, not specific to your system. The bias monitoring methodology references metrics that were never actually measured. The human oversight procedures describe a review process that does not match how the system is operated in practice.
The regulator asks: who conducted this risk assessment? Who validated the bias monitoring methodology? Who approved the human oversight procedures? The compliance team points to the documentation. The regulator points to the declaration of conformity and asks the signatory to explain the discrepancies. The signatory cannot β because they signed a document they did not fully understand, based on AI-generated content they did not fully review.
The scenario is constructed, but the outcome is not speculative. It is the predictable result of building compliance programmes without expert oversight.
The alternative
The alternative is straightforward. Use AI to handle the volume β generating documentation, mapping obligations, detecting overlaps, and producing reports. Then have a compliance professional review every output, validate it against your specific situation, interpret the regulatory context, and take accountability for the programme's integrity.
When the regulator asks "who signed off?", the answer is a named professional who reviewed the documentation, understood the risks, made informed decisions, and can defend those decisions under scrutiny. That is what accountability looks like. That is what CORA™ delivers.
The compliance professional with AI beats AI without a compliance professional. And when the regulator comes calling, that distinction is the difference between a satisfactory outcome and an enforcement action.
Morclear resources are independently produced. They do not constitute legal, regulatory, financial, or professional advice.