We are in the midst of a step-change technological reformulation of our daily lives within both our work and private existence.
AI is and will continue to be truly transformative, but at what cost to prior commitments in respect of ESG and in complying with various ESG-related laws?
The reality is that, as with AI security and data privacy, there is a major divergence between the US and EU in respect of how organisations must face up to the dilemma of needing to implement and scale AI while simultaneously complying with EU directives appertaining to environmental controls.
With data centre development, scaling and use causing demonstrable negative impacts on electricity, water and emissions for a broad population globally, those operating within the EU face a governance conundrum: competing on AI versus complying with these directives.
How many references are made to the Energy Efficiency Directive (EED) or the CSDDD by AI governance “experts”? The penalties for non-compliance are substantial, yet intrinsically linked to AI use.
Taking the EU EED and CSDDD as prime examples:
EED Article 20(4) + Member State transposition – Failure to meet energy savings targets: Fines up to 4% of annual turnover (or fixed amounts, e.g., €50,000–€500,000+)
EED Article 8(4) – No energy audit (for >10 TJ/year companies): Fines up to €100,000–€1M+
EED + CSRD (if applicable) – False or incomplete reporting: Fines up to 2% of turnover + corrective measures + Public naming and shaming
EED Article 3 – Non-compliance with efficiency-first principle: Exclusion from public tenders + fines.
CSDDD Article 20 – Failure to conduct due diligence: Fines up to 5% of global turnover
CSDDD Article 21 – False or incomplete due diligence reporting: Fines up to 4% of turnover
Additionally, there are country-level penalties, for example for EED:
– France: Fines up to €2M for failing to conduct energy audits (Decret n°2023-1036).
– Germany: €50,000–€500,000 for EED violations (Energiedienstleistungsgesetz – EDL-G).
– Netherlands: €120,000–€1.2M for non-compliance with energy savings obligations.
For CSDDD:
– Germany: Up to €8M or 2% of turnover (whichever is higher) for CSDDD violations (Lieferkettensorgfaltspflichtengesetz – LkSG).
– France: Up to €10M or 5% of turnover (Loi sur le devoir de vigilance).
– Netherlands: Up to €870,000 or 10% of turnover (Wet zorgplicht kinderarbeid).
The powers that be in the EU have recognised this dilemma too, with NIS2, AI Act, CRA, DORA being streamlined with omnibus editions; CSDDD transposition deadline delayed, EED having a pre & post 2030 split.
Yet managing your AI governance is still twisted into the strands of compliance, ESG, corporate governance & ethics. How then to square this circle?
Corporate Governance
Corporate governance is the system of rules, practices, and processes by which a company is directed, administered, and controlled.
At its core, it involves balancing the interests of a company’s many stakeholders—such as shareholders, senior management executives, customers, suppliers, financiers, the government, and the community.
The Core Framework
Corporate governance provides the framework for attaining a company’s objectives. It encompasses practically every sphere of management, from action plans and internal controls to performance measurement and corporate disclosure.
IT governance
IT governance is a subset of corporate governance that focuses specifically on information technology systems, their performance, and risk management.
Put simply, it is a framework that ensures a company’s IT investments actively support its overall business goals, manage risks effectively, and deliver measurable value. It bridges the gap between business strategy and IT execution, ensuring no siloing of technology departments.
The 5 Core Focus Areas of IT Governance
Effective IT governance typically revolves around five primary domains:
- Strategic Alignment: Ensuring that IT operations and strategy link directly with the organization’s broader business objectives.
- Value Delivery: Executing the IT value proposition throughout the delivery cycle, ensuring that IT projects are delivered on time, within budget, and actually provide the promised benefits.
- Risk Management: Safeguarding corporate assets, disaster recovery planning, data privacy, and managing cybersecurity threats.
- Resource Management: Optimizing the organization’s investment in, and the allocation of, critical IT resources (people, applications, infrastructure, and information).
- Performance Measurement: Tracking and monitoring project delivery and IT services using metrics like Key Performance Indicators (KPIs) to ensure the tech strategy is working.
Moving to AI governance, this is the structured system of policies, ethical principles, regulations, and technical controls that an organization uses to oversee the design, development, deployment, and ongoing operation of artificial intelligence.
While IT governance focuses broadly on hardware, software availability, and operational uptime, AI governance specifically manages the unique risks of autonomous and semi-autonomous systems—such as unintended bias, data privacy, model drift, and hallucinated or unpredictable outputs.
The Fundamental Pillars of AI Governance
Modern AI governance translates high-level ethical concepts into concrete technical and legal operational guardrails:
- Transparency & Explainability: Ensuring that AI decisions are explainable to internal teams, users, and regulators, rather than acting as an un-auditable “black box.” This is covered very specifically within the EU AI Act and follows on from the past financial crisis, where algorithmic trading involving black-box modelling caused global negative impact. The lessons are being applied now to AI.
- Accountability & Lifecycle Ownership: Assigning an explicit owner to every AI use case, model, and dataset in production. This answers exactly who has the authority to approve a model and who must pull the plug if it behaves unexpectedly. The criticality of the human-in-the-loop has been underlined by the CEOs of the hyper-scalers at the G5 conference in France, in June 2026.
- Fairness & Non-Discrimination: Proactively testing datasets and models to detect and mitigate algorithmic biases.
- Robustness, Safety & Security: Implementing continuous technical controls to prevent model drift and protecting models from novel vulnerabilities like prompt injection attacks.
- Data Privacy & Compliance: Enforcing strict data-use boundaries to ensure that confidential or personally identifiable information (PII) is not improperly used to train models, or leaked during user interactions.
How They Intersect
The best way to visualise how they intersect is to think of these three layers as nested within one another:
- Corporate Governance acts as the umbrella. It sets the overarching ethical and financial boundaries for the whole company.
- IT Governance sits inside Corporate Governance. It takes those corporate rules and translates them into policies for data management, cybersecurity, and tech infrastructure.
- AI Governance is the newest layer, sitting within both IT and Corporate governance. It inherits standard IT security rules but adds specialized controls required specifically for the unpredictable, data-heavy, and autonomous nature of machine learning models.
| Feature | Corporate Governance | IT Governance | AI Governance |
| --- | --- | --- | --- |
| Primary Scope | The entire organization, including financial health, legal compliance, and stakeholder value. | Information technology systems, infrastructure, software, and hardware alignment. | The development, deployment, safety, and ethical use of AI models and autonomous agents. |
| Main Objective | To ensure the company is directed and controlled fairly, transparently, and profitably. | To ensure IT investments support business strategies and that tech systems are secure and reliable. | To ensure AI systems are safe, unbiased, explainable, compliant, and performing as intended. |
| Primary Owners | Board of Directors, CEO, and Executive Leadership. | CIO, CTO, and Head of Information Security (CISO). | Chief AI Officer (CAIO), Head of Data Science, Risk & Compliance Teams. |
| Key Risks Managed | Financial fraud, market reputation, bankruptcy, and macro-legal non-compliance. | System downtime, data breaches, shadow IT, and failed software implementations. | Algorithmic bias, model drift, data poisoning, hallucinations, and autonomous execution errors. |
| Core Frameworks | Sarbanes-Oxley (SOX), OECD Principles, Cadbury Report. | COBIT, ITIL, ISO/IEC 38500. | NIST AI RMF, ISO/IEC 42001, EU AI Act. |
| Success Metric | Shareholder value, long-term corporate sustainability, and clean financial audits. | System uptime, ROI on tech investments, and swift project delivery. | Model accuracy, fairness metrics, auditability, and prevention of harmful outputs. |
For further information on how we can assist your organisation’s GRC programs, contact us today: