AI Governance: A Complete Audit and Compliance Guide for French Mid-Market Companies
Executive summary. The progressive entry into force of the European AI Act (2024-2028), combined with the strengthening of French sector frameworks (ACPR, ANSSI, CNIL, HAS, RGS), creates an unprecedented regulatory environment for companies deploying artificial intelligence. This guide offers an in-depth analysis of the obligations in force and to come, a structured audit methodology, and ready-to-use operational templates for DPOs, CISOs, leadership committees and technical teams. AI governance doesn't replace existing compliance setups: it integrates with them, aggregating the requirements of the GDPR, the AI Act, sector frameworks and international standards such as ISO/IEC 42001.
Chapter 1. The European Regulatory Framework: the AI Act
1.1 Origins and structure of the regulation
The European regulation on artificial intelligence, known as the AI Act, came into force on 1 August 2024. It is the first regulatory framework in the world aimed at protecting citizens from the risks linked to AI while fostering a European single market for trustworthy AI. Its core logic rests on a classification of AI systems by their potential risk level to people's safety, health and fundamental rights. This proportionate approach means the regulatory obligations vary in intensity according to the system's perceived dangerousness: unacceptable-risk practices are purely and simply prohibited, while high-risk systems are subject to strict oversight covering documentation, traceability and human oversight.
The structure of the text revolves around four risk categories — unacceptable, high, limited and minimal — to which are added specific obligations for general-purpose AI models (GPAI) such as large language models (LLMs). This tiered architecture targets requirements where they're most needed, without imposing a disproportionate burden on low-impact uses. For French companies, and particularly the mid-market companies that make up the country's main economic fabric, a fine understanding of this classification is the indispensable step before any production deployment.
1.2 Classification of systems by risk level
The AI Act classification is the heart of the framework. Every company must be able to place its AI systems in one of the following four categories, because it's this classification that determines all the applicable obligations.
| Risk level | Definition | Concrete examples | Applicable regime |
|---|---|---|---|
| Unacceptable | Harm to the EU's fundamental values | Social scoring, cognitive manipulation, exploitation of vulnerabilities, emotion recognition in the workplace/school | Total prohibition since 2 February 2025 |
| High | Significant potential impact on fundamental rights | Automated recruitment, credit scoring, medical diagnosis, justice, critical infrastructure | Strict oversight: registry, technical documentation, human oversight, CE marking |
| Limited (transparency) | Interaction with the user without a critical decision | Chatbots, virtual assistants, deepfakes, AI-generated content | Obligation to inform about the AI nature of the system |
| Minimal | Negligible risk to fundamental rights | Spam filters, basic recommendations, video games, duplicate detection | No specific obligation beyond the GDPR |
High risk is the category densest in obligations and the one that directly concerns mid-market companies in regulated sectors. Annex III of the regulation lists the domains concerned: biometrics, critical infrastructure, education, employment, access to essential services, law enforcement, migration and the administration of justice. For the financial sector specifically, two categories of systems are explicitly classified as high-risk by Article 6(2): AI systems intended to assess the creditworthiness of natural persons or establish their credit score, and those used to assess risks and pricing in life and health insurance.
1.3 Updated application timeline (Digital Omnibus)
The application of the AI Act is progressive, but the pace has accelerated considerably since the end of 2024. The Digital Omnibus, a political agreement reached on 7 May 2026 between the European Parliament, the Council of the EU and the European Commission, amended several key deadlines. These adjustments aim to allow the harmonised technical standards to be finalised before the heaviest obligations apply.
| Date | Obligation concerned | Status |
|---|---|---|
| 1 August 2024 | Entry into force of the AI Act | ✅ In force |
| 2 February 2025 | Prohibition of unacceptable-risk practices (Art. 5) | ✅ In force |
| 2 August 2025 | GPAI obligations, applicable penalties | ✅ In force |
| 2 August 2026 | Transparency obligations (Art. 50) for limited-risk systems | ⚠️ In force |
| 2 December 2026 | Watermarking of AI-generated content | ⚠️ Postponement confirmed |
| 2 December 2027 | High-risk systems (Annex III), Omnibus date | 🔄 Postponement confirmed |
| 2 August 2028 | Systems integrated into regulated products (Annex I) | 🔄 Postponement confirmed |
The confirmation of these postponements by the Digital Omnibus offers companies apparent breathing room, but must not mask the operational urgency. High-risk systems require 12 to 18 months of preparation to reach full compliance. Companies that wait until the last minute will risk not having the technical and organisational resources needed to meet the deadlines. Moreover, some earlier obligations remain unchanged: prohibited practices have effectively been illegal since February 2025, and financial penalties have applied since August 2025.
1.4 Detailed obligations by risk level
1.4.1 Unacceptable-risk systems (prohibited)
Since 2 February 2025, the following practices are strictly prohibited across the European Union:
- The social scoring of individuals by public authorities or profiling systems assessing individuals based on their online behaviour
- Subliminal cognitive or behavioural manipulation, such as the artificial production of content intended to influence or deceive individuals without their knowledge
- The exploitation of vulnerabilities of people (age, disability, social or economic situation) to alter their behaviour in a harmful way
- Real-time biometric surveillance systems in public spaces, save for very strictly framed exceptions (search for kidnapping victims, prevention of terrorist acts)
- Emotion recognition in professional or educational contexts
Failure to comply with these prohibitions exposes you to maximum penalties of €35 million or 7% of total worldwide annual turnover.
1.4.2 High-risk systems (strict oversight)
High-risk systems, which make up the densest perimeter of the AI Act, must comply with a set of requirements structured around nine pillars before being placed on the market or put into service.
| Pillar | Concrete requirement | AI Act reference |
|---|---|---|
| Risk-management system | Identification, assessment and mitigation of risks throughout the lifecycle | Art. 9 |
| Data governance | Quality, representativeness, absence of bias, documentation of training datasets | Art. 10 |
| Technical documentation | Detailed technical sheet: architecture, data, performance, known limits | Art. 11 |
| Effective human oversight | Maintaining meaningful human intervention in the decision loop | Art. 14 |
| Accuracy, robustness, cybersecurity | Performance tests, resilience to adversarial attacks | Art. 15 |
| Traceability and logging | Automatic recording of events throughout the system's lifetime | Art. 12 |
| CE marking | Compliance with harmonised standards, EU declaration of conformity | Art. 43-48 |
| Systems registry | Registration in the European database of AI systems | Art. 71 |
| Transparency | Provision of clear instructions to deployers and end users | Art. 13 |
For companies that deploy these systems ("deployers" in the regulation's terminology), additional obligations apply: putting human oversight in place on site, monitoring the system's operation, retaining logs, and notifying serious incidents.
1.4.3 Limited-risk systems (transparency)
Limited-risk systems, which include chatbots and content-generation tools, are subject to one main obligation: clearly informing the user that they're interacting with an AI or that the content they're viewing was generated by an AI. This transparency obligation, provided in Article 50 of the regulation, applies from 2 August 2026. The Digital Omnibus postponed to 2 December 2026 the specific obligations for digital marking (watermarking) of AI-generated content.
The Digital Omnibus also introduced a new prohibition: the ban on AI systems generating non-consensual intimate images and child sexual abuse material, applicable from December 2026.
1.5 Penalties
The AI Act's penalty regime is graduated according to the gravity of the breaches and the risk level of the systems concerned. It aims to ensure consistent application of the regulatory framework and to deter non-compliant behaviour.
| Type of breach | Maximum fine | Alternative (% worldwide turnover) |
|---|---|---|
| Violation of strictly prohibited practices (Art. 5) | €35 million | 7% of worldwide turnover |
| Breaches of general compliance obligations | €15 million | 3% of worldwide turnover |
| Supplying incorrect, incomplete or misleading information to the authorities | €7.5 million | 1% of worldwide turnover |
Beyond financial penalties, the national surveillance authorities can order the withdrawal from the market of a non-compliant AI system and impose injunctions, including provisional ones, in case of serious and immediate danger. The AI Act also provides for reduced penalties for SMEs and start-ups so as not to hinder innovation, while maintaining a minimum compliance requirement.
Chapter 2. The French Sector Framework: Supervisors and Standards
For French companies, the AI Act is only one layer of the regulatory framework. Regulated sectors — banking, insurance, healthcare, public sector — must align these new requirements with already demanding pre-existing standards: ACPR, ANSSI, CNIL, HAS, HDS, RGS, NIS2, DORA. This stacking of frameworks creates a compliance complexity that requires an integrated approach.
2.1 Financial sector: ACPR, DORA and AMF
2.1.1 The ACPR, market-surveillance authority for the AI Act
The Autorité de Contrôle Prudentiel et de Résolution (ACPR) is expected to be designated market-surveillance authority for the banking and insurance sectors under the AI Act. This mission, expected to be effective since 2 August 2025 (the deadline for designating competent national authorities), gives the ACPR the power to oversee the proper application of the European AI regulation in the French financial sector.
The ACPR has set up an internal task force bringing together all its functions, working on five main axes:
| Work axis | Description |
|---|---|
| Legal questions | Adaptation of national and European law, AI Act / financial-regulation interactions |
| AI audit | Methodologies for evaluating AI systems, fairness, explainability |
| Coordination | European (other financial supervisors) and national (other competent authorities) |
| Internal organisation | Structuring of teams and AI-supervision processes |
| Communication and reporting | Exchanges with the financial sector, census of difficulties |
The ACPR intends to carry out these missions in the spirit of reconciling innovation and security that is the regulation's, by adopting a proportionate risk-based approach and using every possible synergy with its usual checks. On 2 April 2025, the ACPR held a working meeting with around twenty institutions (banks, insurers, fintechs) to assess their readiness and co-build its thinking on AI audit.
2.1.2 DORA: digital operational resilience
The Digital Operational Resilience Act (DORA), which came into force on 17 January 2025, is a complementary framework particularly relevant to AI systems deployed in the financial sector. DORA imposes new obligations on financial institutions for managing risks linked to information and communication technologies (ICT). Its four pillars apply directly to AI infrastructure:
| DORA pillar | Implication for AI systems |
|---|---|
| ICT risk management | Executive leadership assumes full responsibility for IT risks, including those linked to AI |
| Incident notification | Incidents affecting AI systems must be recorded and, if major, notified to the ACPR or the AMF |
| Resilience testing | Mandatory annual tests, and advanced penetration tests (TLPT) for critical entities |
| ICT third-party management | Assessment of the resilience of AI service providers, contractual exit clauses |
DORA strengthens the oversight of risks linked to cloud providers and AI service providers, requiring financial institutions to assess their resilience. The EU sovereign cloud, backed by the EUCS framework, aims to guarantee the security and confidentiality of European data, aligning with DORA's objectives.
2.1.3 High-risk systems in the financial sector
In the financial sector, two categories of AI systems are explicitly classified as high-risk by Article 6(2) of the AI Act:
- Creditworthiness-assessment systems: tools for evaluating the credit of natural persons, excluding financial-fraud-detection systems
- Insurance risk-assessment and pricing systems: tools used to assess risks and set premiums in life and health insurance
These systems will have to comply with all the requirements for high-risk systems (technical documentation, human oversight, traceability, CE marking) from 2 December 2027. The ACPR will be the competent authority to verify their compliance.
2.2 Healthcare sector: HAS, HDS and ANSM
2.2.1 The HAS and medical artificial intelligence
The Haute Autorité de Santé (HAS) has integrated artificial intelligence into its certification framework for healthcare establishments. The 2025 version of the framework introduces three specific AI-related criteria:
| Criterion | Description |
|---|---|
| 3.4-05 | The establishment governs the use of digital medical devices for professional use, particularly those using artificial intelligence |
| 3.4-06 | The establishment uses innovative technological tools without a medical purpose to improve its organisation, particularly those using artificial intelligence |
| 3.4-04 | The establishment uses telehealth to improve the patient journey |
These criteria require healthcare establishments to actively govern AI tools, whether they have a medical purpose (diagnosis, clinical decision support) or an organisational one (planning, resource management). The HAS v2 certification, applicable since 2025, also strengthens the criteria on cybersecurity and digitalisation.
2.2.2 HDS: hosting of health data
The HDS (Health Data Hosting) certification is a mandatory framework for any actor hosting or processing personal health data in France. Established by Article L.1111-8 of the Public Health Code, it guarantees that medical information is stored and processed under strict conditions of security, confidentiality and availability. The HDS v2 framework, published in 2025, introduces several notable changes.
| Aspect | HDS requirement |
|---|---|
| Legal framework | Article L.1111-8 of the Public Health Code |
| Supervision | Agence du Numérique en Santé (ANS) |
| Issuance | Certification bodies accredited by COFRAC |
| Alignment | GDPR, ISO 27001, ISO 27017, ISO 27018 |
| Actors concerned | Cloud providers, medical SaaS vendors, healthcare establishments, HealthTech |
For AI systems deployed in the healthcare sector, HDS compliance is an indispensable prerequisite. The data used to train or feed an AI model (via RAG, for example) must be hosted on HDS-certified infrastructure as soon as it contains personal health data. This constraint also applies to the subprocessors and cloud-service providers used by medical AI-solution vendors.
2.3 Public sector: RGS and NIS2
2.3.1 The General Security Framework (RGS)
The RGS is a set of rules laid down by ANSSI that applies to the information systems of French administrative authorities. It defines the security requirements for online services, messaging and authentication in electronic exchanges. The RGS applies mandatorily to State administrations, local authorities, public establishments and their digital providers.
| RGS level | Description | Typical use |
|---|---|---|
| RGS* | Basic level, basic authentication and signature | Common applications, non-sensitive data |
| RGS** | Standard level, protection of data in transit and at rest, strengthened authentication | Sensitive data, public procurement |
| RGS*** | Reinforced level, the most demanding measures | Classified data, systems critical to the State |
Any administration carrying out electronic exchanges must obtain a security accreditation through a three-step process: identifying threats, analysing risks according to the criticality of the data, and implementing an action plan compliant with the RGS requirements. For AI systems deployed in the public sector, this accreditation must integrate the specific risks linked to AI (algorithmic bias, hallucinations, data leakage via the models).
2.3.2 NIS2: cybersecurity and AI
The NIS2 directive, which must be transposed into French law, strengthens the cybersecurity of companies in the EU by broadening its scope and imposing stricter obligations. In France, between 15,000 and 18,000 companies will be concerned, classified as essential entities (EE) or important entities (EI). The companies concerned will have three years to comply from the publication of the implementing decrees.
| Aspect | Detail |
|---|---|
| Entities concerned | 15,000 to 18,000 companies in France |
| Classification | Essential entities (EE) and important entities (EI) |
| Compliance deadline | 3 years after publication of the decrees |
| EE penalties | Up to €10 million or 2% of worldwide turnover |
| Supervisory authority | ANSSI |
ANSSI has defined 20 strategic objectives to frame this transposition. The interaction between NIS2 and AI systems is particularly important: attacks specifically targeting AI (poisoning, evasion, extraction) must be integrated into the cyber-risk analyses of the entities concerned.
2.4 Cybersecurity: ANSSI's 35 recommendations
The Agence nationale de la sécurité des systèmes d'information (ANSSI) published in April 2024 a guide of 35 security recommendations for a generative-AI system. Updated in 2025, this document is the French reference for securing AI architectures. It addresses securing a generative-AI system architecture from the design phase to deployment.
The recommendations are organised around three main categories of attack identified:
| Attack category | Description | Phase targeted |
|---|---|---|
| Manipulation attacks | Hijacking the system's behaviour via malicious queries (prompt injection, jailbreaking) | Production |
| Infection attacks | Contamination during the training phase by altering the data or inserting backdoors | Training |
| Exfiltration attacks | Extraction of training data, model parameters or user data | Production |
Among the 35 recommendations, several are directly applicable to the governance of enterprise RAG systems and chatbots:
| # | Recommendation | Governance relevance |
|---|---|---|
| 1 | Integrate security into all phases of an AI system's lifecycle | Mandatory DevSecOps framework |
| 7 | Take data-confidentiality issues into account from the design stage | Privacy by design (GDPR Art. 25) |
| 8 | Take the need-to-know into account from the design stage | Principle of least privilege |
| 9 | Prohibit the automated use of AI systems for critical actions on the IT system | Mandatory human oversight |
| 18 | Train an AI model only with legitimately accessible data | GDPR / AI Act compliance |
| 25 | Protect the AI system by filtering user inputs and outputs | Input/output validation |
| 28 | Compartmentalise the AI system in one or more dedicated technical environments | Network isolation |
| 29 | Log all processing carried out within the AI system | Traceability (AI Act Art. 12) |
ANSSI also published in February 2025 an international report, in partnership with 16 organisations, on building trust in AI through a cyber-risk-based approach. This document underlines that the security of AI systems is never guaranteed and that their use can increase their users' vulnerability to cyberattacks. The agency is also a stakeholder in the Institut national de l'évaluation de la sécurité de l'intelligence artificielle (INESIA), launched in 2025, which develops certification schemes for products and systems integrating AI.
Chapter 3. GDPR and Artificial Intelligence: the CNIL's Recommendations
Applying the GDPR to artificial-intelligence systems is a major challenge of AI governance. The CNIL has published a series of practical sheets detailing the conditions for AI systems' compliance with the European data-protection regulation. These recommendations are part of the AI action plan launched by the CNIL in 2023 and complement the existing compliance rules.
3.1 The pillars of GDPR compliance for AI
The CNIL stresses the need to integrate data protection by design (privacy by design) and by default (privacy by default) into AI systems. The controller must be able to demonstrate compliance at all times with the GDPR principles, which implies rigorous documentation and the mobilisation of the Data Protection Officer (DPO).
| GDPR principle | Application to AI systems | Concrete requirement |
|---|---|---|
| Lawfulness, fairness, transparency (Art. 5.1.a) | Data subjects must be informed of the use of AI | Specific information notices on the algorithmic logic |
| Purpose limitation (Art. 5.1.b) | Data collected to train a model cannot be reused for other purposes | Documentation of the purposes from the design stage |
| Minimisation (Art. 5.1.c) | Only collect data that is strictly necessary | Removal of identifying fields, pseudonymisation |
| Accuracy (Art. 5.1.d) | Training data must be up to date and relevant | Dataset quality-control protocols |
| Storage limitation (Art. 5.1.e) | Training data must not be kept indefinitely | A justified and documented retention period |
| Integrity and confidentiality (Art. 5.1.f) | Securing models and data | Encryption, access control, security audit |
| Accountability (Art. 5.2) | Demonstrate compliance at all times | Records of processing, impact assessments, documentation |
The CNIL recalls that these principles apply to all phases of the lifecycle of an AI system: constituting the datasets, training the model, deployment in production, and use by end users.
3.2 Training data: constitution and management
The CNIL's practical sheets insist on documenting the constitution of training datasets. For each dataset, the controller must be able to justify several key elements:
- The provenance of the data (direct collection, open databases, web scraping, purchase)
- The legal basis applicable to each source
- The categories of data included and excluded
- The minimisation measures applied (removal of identifying fields, pseudonymisation)
- The retention period of the training data after the model is completed
The question of retaining training data receives particular attention. The CNIL considers that retention "just in case", with no specific purpose, contravenes the storage-limitation principle. If the data is necessary to retrain or improve the model, its retention may be justified, but this justification must be documented.
3.3 Anonymisation, pseudonymisation and synthetic data
The CNIL considers that anonymisation and pseudonymisation are strong safeguards that don't preclude the use of personal data for AI training, provided these measures are necessary for the processing. In its summary of the contributions on the AI sheets, the CNIL provides several important clarifications:
| Technique | Recommended use | Limits |
|---|---|---|
| Pseudonymisation | Reduce the risk to data subjects while preserving the data's utility | The data remains personal data within the meaning of the GDPR |
| Anonymisation | Take the data out of the GDPR's scope | Hard to achieve with certain types of model (re-identification risk) |
| Synthetic data | Encourage the emergence of more protective techniques | Current limits in terms of fidelity for certain use cases |
The CNIL has developed a decision tree to guide actors in determining a model's status under the GDPR. This methodology goes through assessing the likelihood of re-identifying people from the model, by conducting attack tests on the system. If the analysis concludes that the likelihood of re-identification is insignificant, the use of the system may be presumed to fall outside the GDPR's scope.
3.4 The right to be forgotten and vector stores: the major technical challenge
The right to erasure, often called the "right to be forgotten", is enshrined in Article 17 of the GDPR. It allows individuals to request the deletion of their personal data held by an organisation. In 2025, this right was chosen as the theme of the coordinated action of the European Data Protection Board (EDPB), with the participation of 32 European authorities. For the CNIL alone in 2024, the right to erasure represented 37% of the complaints received.
Applying the right to be forgotten to AI systems raises major technical challenges, particularly for RAG (Retrieval-Augmented Generation) architectures that rely on vector stores.
| Technical aspect | Challenge | Architectural solution |
|---|---|---|
| Data indexed in a vector store | The vectors (embeddings) contain mathematical representations of personal data | Implement a targeted erasure mechanism that removes the corresponding vectors without full reindexing |
| Models fine-tuned on personal data | The model's weights may memorise personal information | Case-by-case analysis with the DPO; "unlearning" techniques in development |
| Data in the LLM context | Queries and responses may contain personal data | Log-retention policy, anonymisation of conversations |
| Data synthesised by the model | The model may "regurgitate" training data | Output filters, techniques to reduce memorisation risk |
The CNIL launched the partnership project PANAME (Privacy AuditiNg of Ai ModEls) with ANSSI, the iPoP program and PEReN, aiming to develop a software library to assess whether a model processes personal data or not. This tool, expected in the coming months, will offer concrete technical solutions to developers and users of AI models.
3.5 Responsibilities of the value-chain actors
The CNIL announced the publication, in the second half of 2025, of new recommendations to clarify for the actors in the chain of creating an AI system their responsibilities under the GDPR. These recommendations will cover, in particular:
- Clarifying the consequences of applying the GDPR to models that aren't anonymous
- Studying the case of open source, an essential practice for the development of AI technologies
- The technical tools to facilitate the concrete implementation of the recommendations
| Actor | Potential GDPR responsibility | Example |
|---|---|---|
| Model designer | Controller if the model isn't anonymous | A company training an LLM on personal data |
| Host / Cloud provider | Processor | AWS, Azure, OVHcloud hosting the model |
| Integrator / Deployer | Controller for the final use | A mid-market company deploying an internal RAG chatbot |
| Reuser | Controller for their own purpose | A client using an existing model API |
Chapter 4. Security of Enterprise RAG Systems and Chatbots
Deploying chatbots and RAG (Retrieval-Augmented Generation) systems in the enterprise carries a specific risk: the circumvention of existing access rules. A poorly scoped chatbot can expose the leadership team's salaries to a production operator. A misconfigured RAG can reveal the legal committee's confidential notes to a salesperson. Document-access security cannot be a layer bolted on afterwards: it must be an integral part of the architecture.
4.1 The principle: inheriting existing permissions
Enterprise chatbots and RAGs must build on the authorization systems already in place: Active Directory, IAM (Identity and Access Management), or a business RBAC model. The production operator querying an agent must only retrieve documents they could already access in the existing applications. No AI channel should circumvent the established access rules.
This approach relies on several complementary mechanisms:
| Mechanism | Description | Technical implementation |
|---|---|---|
| Inherited ACLs | Each document chunk in the vector store is tagged with its original ACLs | An acl or permissions column in the vector's metadata |
| Query-time filtering | At query time, the system filters the results according to the user's permissions | A WHERE clause or metadata filter on the user_id / role |
| Row-level security | Security applies at the level of each row/document, not only at the global index | RLS policies in the vector database or the application layer |
| Post-query validation | Validation that the returned chunks belong to the user's perimeter before sending to the LLM | An explicit check in the orchestrator |
4.2 Row-level security and metadata filtering
Row-level security (RLS) is the state of the art for securing enterprise RAG systems. This technique consists of applying permission filters before the vector search, guaranteeing that only authorized documents are taken into account in the similarity calculation.
The process unfolds in three critical phases:
Phase 1: Ingestion and ACL tagging. When documents are ingested into the vector store, each chunk is enriched with security metadata: owner_id, tenant_id, department, access_level, classification (public, internal, confidential, secret). This metadata comes directly from the source document-management system (SharePoint, Google Drive, Confluence) where the ACLs are already defined.
Phase 2: Query-time filtering. When a user submits a query, the system first retrieves their permissions from the Identity Provider (Active Directory, Okta, etc.), then builds a dynamic filter that is applied to the vector search. For example: WHERE department IN ('Finance') AND access_level <= user_access_level.
Phase 3: Post-query validation. Before sending the retrieved chunks to the LLM, the system performs a final validation to ensure no out-of-scope document has been included. This "fail close" step guarantees that if the user context is missing or corrupted, the query is rejected.
| Filtering approach | Advantages | Disadvantages |
|---|---|---|
| Pre-filter (filter before search) | Strong security guarantees, no leak possible | Higher computational cost if the user has very broad access |
| Post-filter (filter after search) | Optimal performance, simple to implement | Risk of information leakage via the embeddings, less safe |
| Hybrid (combination) | A good security/performance balance | Increased implementation complexity |
4.3 Authorization models for RAG
Several authorization models can be implemented in a RAG system, depending on the complexity of the organisation's needs:
| Model | Principle | Use case |
|---|---|---|
| ACL (Access Control Lists) | Direct mapping between users and permissions on resources | Small organisations, simple permissions |
| RBAC (Role-Based Access Control) | Permissions granted by user role | Mid-market companies with a clear organisational structure |
| ABAC (Attribute-Based Access Control) | Access determined by the attributes of the user, the resource, the action and the context | Complex needs, variable contexts |
| ReBAC (Relationship-Based Access Control) | Permissions based on the relationships between users and resources | Matrix organisations, relational permissions |
The ReBAC model is particularly well suited to RAG applications because it focuses on the relationships between users and resources rather than on endpoint management. This makes it ideal for post-query filtering, where the system must determine which documents a user can access based on their relationships with the document categories.
4.4 Multi-tenant isolation and vector-store security
In SaaS or multi-department architectures, data isolation between tenants is fundamental. Three isolation patterns are commonly used:
| Pattern | Description | Isolation level | Operational complexity |
|---|---|---|---|
| Namespace per tenant | Physical or logical partition in the vector store | High | Medium |
| Index per tenant | A dedicated vector index for each tenant | Very high | High |
| Shared index + tenant filter | A single index with a tenant_id metadata filtered at query time | Moderate (depends on the filtering) | Low |
Modern vector databases (Pinecone, Weaviate, Qdrant, pgvector) all support metadata filtering, which efficiently implements tenant-filter isolation. The security recommendation is to apply the tenant filters before the similarity search, not after, to avoid other tenants' embeddings being loaded into memory and leaking via prompt manipulations.
4.5 Defences against attacks on RAG systems
RAG systems are exposed to specific attacks that can circumvent access controls or extract sensitive information:
| Type of attack | Mechanism | Counter-measure |
|---|---|---|
| Prompt injection | Injecting malicious instructions into the user query to change the system's behaviour | Input sanitization, instruction hierarchy, output filtering |
| ACL circumvention via semantic manipulation | Rephrasing the query to access out-of-scope documents | Post-query validation, controlled semantic query |
| Data extraction via the embeddings | Inverting the embeddings to reconstruct the source data | Encryption of the embeddings, strict access control |
| Inter-tenant leakage | Accessing another tenant's data via vulnerabilities in the shared index | Row-level security, namespace isolation |
The concept of RAG 2.0 is emerging to address these challenges by introducing a security-centred control flow: session-based policy evaluation, metadata filtering before injection into the prompt, permission branching mid-flow, and explainable provenance tracking.
Chapter 5. Organisational Governance of AI
5.1 The AI steering committee: a cross-cutting decision-making body
The first reflex of companies is often to entrust AI governance to IT or the Chief Data Officer. That's a mistake. The AI steering committee must be a cross-cutting decision-making body, co-chaired by a member of the executive committee and the data/AI lead. Its typical composition includes: the CEO or deputy CEO, the CIO, the main business director, the HR director (for the employment impact), the CISO (for data security), and an ethics lead.
The effectiveness of an AI governance committee rests on the diversity of the expertise represented. An exclusively technical or legal view would be insufficient to grasp the multidimensional nature of AI challenges.
| Committee member | Specific role | Contribution |
|---|---|---|
| CEO / Deputy CEO (co-chair) | Executive sponsorship, strategic arbitration | Legitimacy, budget allocation, strategic alignment |
| CIO / CTO | Technological vision, technical feasibility | Assessment of integration with existing systems, infrastructure issues |
| DPO | GDPR and AI Act compliance | Records of processing, impact assessments, informing data subjects |
| CISO | Data and model security | Vulnerability assessment, protection strategies, incident management |
| Business director | Operational relevance, ROI | Guarantor of alignment with real needs, measurement of value created |
| HR director | Employment impact, change management | Analysis of the impact on employees, training needs |
| Ethics / legal lead | Ethical framework, intellectual property | AI ethics charter, bias analysis, contractual responsibilities |
The frequency of meetings depends on the number of AI systems deployed: quarterly for two or three systems, monthly beyond five. The committee's role is to validate new deployments, arbitrate changes, and review incidents. Once at least two AI systems are deployed in production, a dedicated steering committee becomes indispensable.
5.2 A three-tier organisational architecture
Effective AI governance is organised into three levels of intervention, from the strategic to the operational:
Strategic level, AI governance committee. Chaired by a member of the executive committee (CEO or COO), this body defines the organisation's AI vision, strategy and investment priorities. It ensures alignment between AI initiatives and business objectives, arbitrates conflicting priorities and validates major investments. Its missions include: defining the corporate AI strategy, validating investments beyond a defined threshold, approving governance policies, and overseeing major AI risks.
Operational level, AI steering committee. Led by the Chief Data Officer or Chief AI Officer, this committee translates the strategy into concrete action plans and steers the execution of the initiatives. It ensures coordination between projects, resource allocation and performance monitoring. Its responsibilities cover: prioritising projects by strategic criteria, allocating technical and budgetary resources, monitoring performance and ROI, and escalating issues to the strategic committee.
Technical level, AI Center of Excellence. This structure centralises the technical and methodological expertise, develops the standards and best practices, and supports the business in their projects. It typically comprises: a data-science and ML-engineering team, AI ethics and explainability experts, data-governance specialists, and internal consultants to support the business.
5.3 The five pillars of AI governance in a mid-market company
Experience with dozens of mid-market companies makes it possible to formalise the fundamentals of AI governance that works:
| Pillar | Operational description | Associated deliverable |
|---|---|---|
| 1. AI steering committee | A cross-cutting decision-making body, monthly meetings, arbitration of use cases | Minutes, decision register |
| 2. Data governance | Business data owners, data catalog, quality SLA, full traceability | Data catalog, lineage, quality sheets |
| 3. Ethical and regulatory framework | AI Act classification by risk level, internal ethics charter, bias assessment | AI registry, ethics charter, bias reports |
| 4. Technical governance | Architecture standards, security by design, production monitoring, incident management | Architecture standards, runbooks, response plans |
| 5. Change management | AI-literacy training, risk awareness, business support | Training program, teaching materials |
5.4 ISO/IEC 42001: the international AI-governance standard
ISO/IEC 42001:2023 is the first certifiable international standard dedicated to artificial-intelligence management systems (AIMS). Published in December 2023, it's quickly becoming the reference standard for governing AI responsibly. In December 2025, more than 2,400 organisations were certified worldwide, with growth of +350% compared with 2024.
| Indicator | Value (2025-2026) |
|---|---|
| Organisations ISO 42001–certified worldwide | 2,400+ |
| Growth in certifications vs 2024 | +350% |
| French organisations certified or in progress | 680 |
| Public trust in AI companies | 47% (declining) |
| Average cost of a major AI incident | €2.8 billion (IBM Security 2025) |
| ISO 42001 / AI Act convergence | 80-85% of requirements |
One of ISO 42001's major strengths is its strong convergence with the AI Act's requirements. The standard already covers 80 to 85% of the European regulation's obligations, which makes it a particularly effective operational foundation for reaching compliance.
| AI Act requirement | ISO 42001 chapter | Alignment |
|---|---|---|
| AI risk-management system | Chapter 6 (Planning) + section 8.3 | 95% |
| Complete technical documentation | Chapter 7.5 + Chapter 8 | 90% |
| Data governance | Chapter 8.4 | 85% |
| Logs and decision traceability | Chapters 8.5 + 8.7 | 90% |
| Robustness and cybersecurity testing | Chapter 8.2 | 90% |
| Human oversight | Chapter 8.6 | 80% |
Only a few areas remain specific to the AI Act and aren't covered by ISO 42001: registration in the European database, evaluations by notified bodies for certain products, CE marking, and the EU declaration of conformity. These elements represent between 15 and 20% of the AI Act's requirements and must be handled in addition to ISO 42001 certification.
Chapter 6. AI Audit Methodology and Compliance Deliverables
6.1 Phases of the AI governance audit
A structured AI governance audit unfolds in five successive phases, with a total duration of two to three weeks for an existing system:
| Phase | Duration | Activities | Intermediate deliverable |
|---|---|---|---|
| 1. Scoping | 2-3 days | Defining the perimeter, identifying stakeholders, collecting existing documentation | Audit plan, list of required documents |
| 2. Mapping | 3-4 days | Inventory of AI systems, classification by AI Act risk level, mapping of data flows | AI-systems inventory, risk matrix |
| 3. Evaluation | 5-7 days | Analysis of access controls, audit of training data, review of technical documentation, testing of security mechanisms | Gap report, compliance grid |
| 4. Recommendations | 2-3 days | Drawing up the compliance plan, prioritising actions, cost estimation | Action plan, provisional budget |
| 5. Reporting back | 1 day | Presentation to the leadership committees, validation of the plan, commitment of resources | Executive presentation, roadmap |
The cost of an initial audit for an AI system in production with no compliance documentation ranges from €12,000 to €25,000 depending on complexity. The compliance work itself ranges from €15,000 for a simple documentation clean-up to €80,000 if the access architecture needs to be redesigned. On the French market in 2026, the day rates of specialised consultants range from €600 to €3,000 per day depending on the level of expertise.
6.2 AI governance maturity-assessment grid
The following grid assesses an organisation's AI governance maturity on a scale of 1 (initial) to 5 (optimised):
| Domain | Level 1, Initial | Level 3, Defined | Level 5, Optimised |
|---|---|---|---|
| AI strategy | No documented strategy | AI strategy aligned with the corporate strategy | AI integrated into the corporate strategy, measured ROI |
| Organisation | No dedicated committee | An operational AI steering committee, defined roles | AI governance integrated into corporate governance, active CoE |
| AI registry | No inventory | An up-to-date AI-systems registry, classification by risk | A registry integrated into the GDPR records of processing, updated in real time |
| Access control | No specific AI filtering | ACLs inherited from the IAM, row-level security in place | Dynamic access control, continuous audit, zero-trust |
| Technical documentation | Non-existent or fragmentary documentation | Complete technical sheets for each system | Documentation generated automatically, versioned, AI Act–aligned |
| Human oversight | No defined process | Documented human oversight for critical decisions | Real-time oversight, automated alerts, validation circuit |
| Incident management | No dedicated AI plan | A documented AI-incident response plan | Regular exercises, integration with the SOC, systematic lessons learned |
| Regulatory compliance | Limited awareness of obligations | AI Act and GDPR compliance assessed, action plan in progress | Demonstrable compliance, regular internal audits, ISO 42001 certification |
6.3 The eight production deliverables
Every production rollout of an AI system must produce eight documents that make up the compliance file:
| # | Deliverable | Expected content | Regulatory reference |
|---|---|---|---|
| 1 | AI-systems registry | Name, purpose, owner, production-rollout date, AI Act risk classification | AI Act Art. 71 |
| 2 | Risk-level classification | Justification of the classification (minimal, limited, high, unacceptable), impact analysis | AI Act Art. 6, Annex III |
| 3 | Detailed technical sheet | Architecture, training data (provenance, quality, bias), performance, known limits, mitigation measures | AI Act Art. 11 |
| 4 | Access mapping | Permissions matrix: who can query what, on which data, in what context | GDPR Art. 32, AI Act Art. 15 |
| 5 | Documentation of automated decisions | Decision logic, explanation procedure for data subjects, avenue for recourse | GDPR Art. 22, AI Act Art. 14 |
| 6 | Usage charter | Terms of use for end users, limitations, responsibilities | AI Act Art. 50 |
| 7 | AI-incident response plan | Detection, escalation, rollback, regulatory-notification procedures | AI Act Art. 62, GDPR Art. 33 |
| 8 | Annual review schedule | Planned compliance-review date, update criteria, withdrawal procedure | AI Act Art. 61 |
6.4 AI Act compliance checklist by risk level
Checklist, Limited-risk systems (chatbots, content generation)
| # | Requirement | Status | Evidence |
|---|---|---|---|
| 1 | Is the user informed that they're interacting with an AI? | ☐ | Visible information notice |
| 2 | Is AI-generated content identifiable (watermarking planned by Dec. 2026)? | ☐ | Documented technical implementation |
| 3 | Is a usage charter available for users? | ☐ | Published document |
| 4 | Is users' data processed in compliance with the GDPR? | ☐ | Up-to-date records of processing |
| 5 | Can data subjects exercise their GDPR rights? | ☐ | Documented procedure |
| 6 | Have team members completed AI-literacy training? | ☐ | Training certificates |
Checklist, High-risk systems (recruitment, scoring, diagnosis)
| # | Requirement | Status | Evidence |
|---|---|---|---|
| 1 | Risk-management system documented and operational? | ☐ | ISMS documentation |
| 2 | Training-data governance (quality, representativeness, absence of bias)? | ☐ | Data-assessment report |
| 3 | Complete technical documentation (architecture, performance, limits)? | ☐ | Signed technical sheet |
| 4 | Effective human oversight defined and implemented? | ☐ | Oversight procedure, defined roles |
| 5 | Logging and decision-traceability system? | ☐ | Documented logging architecture |
| 6 | Robustness and cybersecurity testing carried out? | ☐ | Test reports |
| 7 | CE marking and EU declaration of conformity? | ☐ | Regulatory documents |
| 8 | Registration in the European database of AI systems? | ☐ | Registration confirmation |
| 9 | Conformity assessment by a notified body (if applicable)? | ☐ | Assessment report |
| 10 | Information and explanation procedure for data subjects? | ☐ | User documentation |
Chapter 7. Regulatory Integration: Aligning the AI Act, GDPR and Sector Frameworks
7.1 Framework-alignment matrix
Companies in regulated sectors must navigate a complex ecosystem of partly overlapping frameworks. The following matrix summarises the main alignments:
| Framework | Scope | Specific AI obligations | Maximum penalties |
|---|---|---|---|
| AI Act | All AI systems placed on the market or put into service in the EU | Risk classification, technical documentation, human oversight, traceability | €35M or 7% worldwide turnover |
| GDPR | Any processing of personal data | Privacy by design, right to explanation, right to be forgotten, records of processing | €20M or 4% worldwide turnover |
| DORA | Financial sector (since Jan. 2025) | Digital operational resilience, ICT incident management, penetration testing | Per national transposition |
| ACPR | Banking and insurance in France | Supervision of the financial-sector AI Act, evaluation of scoring models | Administrative sanctioning powers |
| NIS2 | Essential and important entities (15-18k in France) | Cybersecurity, incident reporting, risk management | €10M or 2% worldwide turnover (EE) |
| HAS | Healthcare establishments | Governance of medical AI devices, organisational AI tools | Non-compliance with certification |
| HDS | Health-data hosting | Security, confidentiality, availability of health data | Withdrawal of certification |
| RGS | French public sector | Authentication, electronic signature, protection of exchanges | Non-accreditation of the system |
| ISO 42001 | Any organisation (voluntary) | AI management system, governance, ethics, risks | Not applicable (voluntary) |
7.2 An integrated approach to compliance
The approach recommended for mid-market companies is to not treat each framework in isolation, but to build an AI governance setup that aggregates the common requirements and identifies the sector specifics. AI governance builds on the existing data governance: the data catalog references the datasets used by the AI systems, the classification policies determine which documents an AI system can ingest, and the existing access-validation processes extend to the new AI channels.
| Governance layer | Function | Frameworks concerned |
|---|---|---|
| European regulatory layer | The base legal framework applicable to all | AI Act, GDPR, NIS2, DORA (financial sector) |
| National regulatory layer | French supervision and specifics | ACPR, CNIL, ANSSI, HAS |
| Sector layer | Requirements specific to the field of activity | HDS (healthcare), RGS (public), professional frameworks |
| Organisational layer | Operational implementation in the company | ISO 42001, AI ethics charter, steering committee |
| Technical layer | Implementation in the systems | ACL, row-level security, logging, monitoring |
7.3 Mapping the supervisory actors in France
| Supervisor | Role regarding AI | Perimeter |
|---|---|---|
| CNIL | Protection of personal data, GDPR compliance of AI systems | All processing of personal data by AI systems |
| ACPR | AI Act market-surveillance authority for the financial sector | Banks, insurers, fintechs |
| ANSSI | Cybersecurity of AI systems, security recommendations | All AI systems, particularly public sector and OES |
| HAS | Quality and safety of medical AI devices, establishment certification | Healthcare establishments, medical-device AI vendors |
| DGCCRF | Fraud prevention, consumer protection | AI systems aimed at consumers |
| Arcom | Content regulation, deepfakes | AI-generated content distributed to the public |
Chapter 8. Operational Templates
8.1 Template, AI-systems registry (AI Act–compliant)
| Field | Description | Example |
|---|---|---|
| Unique identifier | Internal reference of the system | AI-HR-001 |
| System name | Commercial or internal name | HR Assistant Chatbot |
| Date put into service | Effective date of the production rollout | 15/03/2026 |
| Business owner | Functional owner of the system | Human Resources Department |
| Technical owner | Responsible for technical maintenance | IT, Data Team |
| Purpose | Objective pursued by the system | Assisting employees with HR questions (leave, payroll, health insurance) |
| Functional description | General workings of the system | RAG based on the HR document base (internal rules, memos, collective agreements). Responses generated by an LLM hosted in France. |
| AI Act classification | Risk level determined under Annex III | Limited risk (chatbot, Art. 50) |
| Justification of the classification | Detailed reasoning | The system provides information for guidance without making any automated decision about employees. It doesn't handle recruitment, performance evaluation or the allocation of benefits. |
| Legal basis of the processing (GDPR) | Legal ground | Legitimate interest of the employer (Art. 6.1.f GDPR) |
| Data processed | Categories of personal data concerned | Surname, first name, department, questions asked, answers provided |
| Recipients of the data | Who has access to the data | Employees (access to their own interactions), system administrators (anonymised logs) |
| Retention period | Data-storage duration | Logs: 1 year. Conversations: 6 months. |
| Security measures | Technical and organisational controls | SSO authentication, ACLs inherited from Active Directory, encryption of data in transit and at rest, SecNumCloud hosting |
| Human oversight | Level of human intervention | After-the-fact moderation of conversations (monthly sample). No automated decision. |
| DPO consulted | Consultation date and opinion | 10/02/2026, Favourable opinion subject to the implementation of access control |
| Review date | Date of the next compliance review | 15/03/2027 |
8.2 Template, Technical sheet for a high-risk AI system
| Section | Content |
|---|---|
| 1. Identification | Name, version, provider, date put into service, owner |
| 2. Functional description | General architecture, data flows, interfaces with other systems |
| 3. Training data | Provenance, volume, data categories, quality measures, bias handling |
| 4. AI model | Type of model (LLM, traditional ML, etc.), version, provider, key parameters |
| 5. Performance | Performance metrics (accuracy, F1-score, etc.), test dataset, results |
| 6. Known limits | Identified failure cases, under-represented populations, bias risks |
| 7. Mitigation measures | Counter-measures implemented to mitigate the identified risks |
| 8. Human oversight | Oversight procedure, roles and responsibilities, operator training |
| 9. Traceability | Logging architecture, data retained, retention period |
| 10. Cybersecurity | Security measures, tests carried out, incident-response plan |
| 11. Regulatory compliance | AI Act conformity assessment, DPO opinion, possible certification |
8.3 Template, AI-incident response plan
| Step | Action | Owner | Timeframe |
|---|---|---|---|
| Detection | Identifying the anomaly (automated monitoring + user report) | Technical team / SOC | Immediate |
| Qualification | Assessing the severity (minor, major, critical), identifying the system concerned | CISO / business owner | 1 hour |
| Containment | Isolating the affected system, deactivating if necessary | Technical team | 2 hours |
| Investigation | Analysing the causes, assessing the impact (data, users, decisions) | CISO + DPO + business owner | 24 hours |
| Internal communication | Informing leadership, the AI steering committee, the teams concerned | Communications department | 4 hours (if major incident) |
| Regulatory notification | Reporting to the competent authority (CNIL, ACPR, ANSSI as applicable) | DPO / CISO | 72 hours (GDPR) / without delay (DORA if major incident) |
| Correction | Implementing the corrective measures (patch, model update, change of business rules) | Technical team | Per severity |
| Verification | Validation testing of the corrections, resumption of service | Quality team + business owner | Before resumption |
| Resumption | Reactivating the service in production | Technical team | After validation |
| Review and capitalisation | Writing the post-mortem, updating the procedures, training if necessary | AI steering committee | 1 week |
Conclusion, The 10 commandments of AI governance for mid-market companies
Faced with the complexity of the regulatory and technical landscape, here are the ten guiding principles we recommend to any mid-market company deploying or considering deploying artificial-intelligence systems:
| # | Principle | Concrete implementation |
|---|---|---|
| 1 | AI governance is cross-cutting, not technical | Set up a steering committee with the CEO, DPO, CISO, business and ethics |
| 2 | Access control is part of the architecture | Implement row-level security from the design stage, not as a patch |
| 3 | Document before deploying | A system with no compliance documentation is a major legal risk |
| 4 | Classify by AI Act risk level | Each system must have a justified and documented classification |
| 5 | The right to be forgotten applies to vector stores | Provide for a targeted erasure mechanism without full reindexing |
| 6 | Inherit existing permissions | Your AI channel must never circumvent your IAM's access rules |
| 7 | Oversee automated decisions | Maintain meaningful human intervention on high-impact decisions |
| 8 | Prepare for the audit before it arrives | An initial audit costs €12-25k; a penalty can reach 7% of turnover |
| 9 | Integrate security by design | Follow ANSSI's 35 recommendations from the design phase |
| 10 | Think integrated compliance | The AI Act, GDPR, DORA, NIS2 and sector frameworks reinforce one another |
Compliance isn't a destination but a continuous process. Companies that invest now in structured AI governance — with operational committees, up-to-date registries, robust access controls and complete documentation — will turn this regulatory constraint into a competitive advantage. ISO 42001 certification, demonstrated risk mastery and the ability to respond effectively to audits will become differentiators in a market where trust in AI keeps eroding.
Document written in May 2026. The regulatory dates cited incorporate the changes made by the Digital Omnibus (political agreement of 7 May 2026). This guide does not constitute legal advice and must be supplemented by a case-by-case analysis of each organisation's situation.