AI Governance Checklist for Companies
Last updated 1 July 2026 by attorney-at-law Kjell Steffner
In short
The question is no longer whether your company uses AI
Most organisations have already adopted AI, whether or not they have decided to. Microsoft 365 Copilot ships inside the Office tools your staff use every day, Google Workspace has Gemini built in, and Slack, Notion and most large SaaS platforms now embed generative AI in their core features. The choice to use AI has, in many cases, been made by your suppliers rather than by your management.
That changes the question a business needs to answer. It is no longer whether to allow AI, but how to govern the AI that is already in the building. Governance is simply the set of decisions that lets you capture the productivity gains while keeping confidential information, personal data and legal risk under control.
Why a privacy policy is not an AI policy
A common and expensive misconception is that an existing privacy policy already covers AI. It does not. A privacy policy tells the outside world how you handle personal data. An AI policy tells your own staff which tools they may use, for what, and with which information. The two documents answer different questions, and one cannot stand in for the other.
The gap matters because the most damaging AI incidents rarely look like a data breach. They look like an employee pasting a draft contract or a customer list into a public chatbot, or a manager acting on an AI answer that was confident and wrong. A privacy policy addresses neither. An AI policy, backed by a few practical controls, addresses both.
The six building blocks of an AI governance checklist
Good AI governance is not a long document. For most mid-sized companies it is a small, practical control system built from six parts, each of which can be produced quickly and maintained with modest effort.
| Building block | What it covers |
|---|---|
| AI policy | A two-to-four page document setting out the principles for how the organisation uses AI and who is accountable. |
| Tool inventory | A living list of which AI tools are approved for which purposes, and which are not permitted. |
| User guidelines | Practical rules for staff, including prompting and a simple filter for what must never be pasted into a tool. |
| DPIAs | A data protection impact assessment for each tool that processes personal data, tied to the supplier contract. |
| Incident handling | A route for dealing with mistakes, such as confidential data being uploaded or an AI output turning out to be wrong. |
| Training | An AI-literacy plan covering who is trained on what and when, which the EU AI Act now makes a legal duty. |
None of these needs to be elaborate to be effective. The value comes from having all six in place and used, not from length.
What the law already requires, and where Norway differs
Two parts of the EU AI Act are already in force in the EU and bear directly on governance. Since 2 February 2025, the obligation to ensure a sufficient level of AI literacy among staff who work with AI systems (Article 4) has applied, and a set of AI practices judged to pose an unacceptable risk (Article 5) has been prohibited outright. AI literacy is therefore no longer merely good practice; it is a legal duty in the EU, and staff training is how a company meets it.
The position in Norway is more nuanced, and this is where general commentary often gets it wrong. The AI Act is a regulation that must be incorporated into the EEA Agreement before it applies as Norwegian law, and at the time of writing that incorporation has not been completed. The Norwegian government has consulted on an implementing act, expects the rules to take effect during 2026, and Nkom has been designated as the coordinating supervisory authority. Two consequences follow. Norwegian businesses that offer or use AI in the EU market are already caught by the EU rules regardless of the domestic timetable, and the Data Protection Authority already expects organisations to prepare rather than wait. Because both the Norwegian incorporation and parts of the EU timetable are still moving, the exact dates should be checked before you rely on them.
Alongside the AI Act, the GDPR continues to apply in full. Where an AI tool processes personal data, Article 35 of the GDPR may require a data protection impact assessment before the tool is put into use. A DPIA is an accountability exercise, and it does not cure an otherwise unlawful processing activity, so the basic data protection requirements must be met first. That is why a DPIA belongs on the governance checklist, and why it should be tied to the supplier contract rather than done in isolation.
What management should ask before approving an AI tool
Before a new AI tool is approved, management should be able to answer a short set of questions. If any answer is unclear, the tool is not ready to be rolled out.
- What information will staff put into the tool, and does any of it include personal data or client-confidential material?
- Are we the data controller, and does the supplier act as our processor under a signed data processing agreement?
- Where is the data stored and processed, and is it used to train the supplier’s own models?
- Who owns this tool internally, and is it on our list of approved tools with a defined purpose?
What good governance looks like by sector
The six building blocks stay the same across sectors, but their weighting shifts. A healthtech company has to weigh the Patient Records Act and the health-sector information security norm before any tool touches clinical data. A financial institution carries model-risk and anti-money-laundering obligations that narrow which tools it can use. Public bodies face heavier transparency and documentation duties. A manufacturer worries most about trade secrets leaking into a public model. The framework is constant, the emphasis is sector-specific, and a governance process that ignores this produces a policy that does not fit the business.
A practical four-to-eight week path to being AI-ready
For most organisations the distance between ad hoc AI use and a defensible position is short. A focused programme over four to eight weeks is usually enough to map the tools already in use, write a proportionate AI policy, set user guidelines, run DPIAs where they are needed, and train staff to the standard the law now expects.
At Nordia Law we run this as a structured AI-readiness process, so that a company can adopt AI with the legal, privacy and contractual risks mapped before implementation rather than after. If your organisation is rolling out AI tools or reviewing AI-enabled suppliers, that is the right moment to put the governance in place.
Sources: European Commission, regulatory framework on AI; Regulation (EU) 2024/1689 (the EU AI Act), Articles 4 and 5; Regulation (EU) 2016/679 (GDPR), Article 35.
About the author: Kjell Steffner, Attorney and Partner, Nordia Law Oslo. Technology and IT law, data protection and commercial contracts. Kjell Steffner advises Norwegian and international businesses on technology and IT contracts, data protection and the practical governance of AI. He is Nordia Law’s AI-responsible partner in Oslo and leads the firm’s work on safe and compliant AI adoption.