Most EU AI Act conversations focus on deadlines and fines. But the organisations that will actually be ready when regulators come knocking understand two articles that sit at the operational heart of the law, Article 9 and Article 10. Together they define what governing high-risk AI really means in practice.
Article 10, Data governance is now a legal obligation
Article 10 makes something explicit that the technology industry has treated as optional for years. The data powering your AI must be representative, relevant, and free from bias. And you must document how it was sourced, processed, and cleaned.
If your AI produces a biased hiring decision or an inaccurate credit assessment, a regulator will ask for your data governance records. If you cannot produce them, that absence is not a technicality, it is evidence of non-compliance. The law is clear: without high-quality input, even the best AI design can produce harmful outcomes. And it holds you accountable.
Article 9, Risk management is a system, not a project
The most important word in Article 9 is continuous. It does not ask for a risk assessment filed before deployment. It requires a live, ongoing system that identifies potential harms, tracks them over time, and adapts when conditions change.
This means real humans with real authority who can monitor AI outputs, intervene when something looks wrong, and override the system when necessary. If your organisation cannot describe exactly how that works for each high-risk AI system you operate, you do not have human oversight. You have the idea of it.
Why they cannot be separated
Article 10 feeds Article 9. The quality of your data determines the nature of your risks. The risks you identify determine what your governance must build in. And your monitoring determines whether you catch data problems before they become AI failures.
Strong data governance with no risk system is a foundation with no structure. A sophisticated risk framework built on ungoverned data is an elaborate structure on unstable ground. Both are non-compliant.
Three questions for your leadership team
Can you demonstrate your AI data is representative, relevant, and documented? Do you have an active risk management system, not a past report, a live process? And who in your organisation owns it?
If the answer to any of these is uncertain, that is your starting point.