They have an organisational problem.
AI has long since made its way into many businesses – just not in the way the big headlines suggest. Not as a transformation project with a roadmap and a steering group, but quietly, as part of day-to-day work: for a bit of wording here, a summary there, a quick search in between. And that is precisely why the real question in most companies is no longer whether AI is being used. Rather: How clearly is this use actually structured internally?
This quiet use has long been a reality
When I speak to Management / Executive and HR managers, I often hear the same phrase: “AI doesn’t play a major role in our company yet.” What they usually mean is: We haven’t set up an AI project, purchased any software or adopted a strategy.
That may well be true. But it doesn’t describe the reality on the ground.
Because, at the same time, the following has long been happening:
- In Marketing, a LinkedIn post is pre-drafted using an AI tool – and an image is generated to go with it.
- In Sales, the first draft of a quotation or a customer email is created in a chat tool.
- In Customer Service, someone is getting suggestions for a tricky reply before it’s sent out.
- In accounts, a long contract is quickly summarised to capture the key points.
- And in Management / Executive, research is being initiated before the next meeting begins.
Each of these steps seems minor. None of them feels like ‘using AI’. But taken together, they have created a new organisational reality – often without shared rules, without a common language and without any training ever having taken place.
‘We only use it occasionally’ – the most costly misconception
The most common objection is: ‘We only do that occasionally.’
I understand the instinct. But it is precisely this sporadic use that has long been routine in many companies. It is simply spread across so many small moments that it remains invisible.
The real problem here is not that employees want to work efficiently. On the contrary – that is exactly the behaviour one would hope for. The problem only arises when a company fails to translate this efficiency into a clear framework.
Because where guidelines are lacking, three things almost inevitably arise:
- Different habits within the team. One colleague uses AI for almost everything, whilst another, out of uncertainty, uses it for nothing. There is no common approach – and therefore no certainty as to how a result was achieved.
- Uncertainty when dealing with sensitive content. Is the Sales team allowed to copy a real customer list into a public tool to have it sorted? Is HR allowed to paste a job application containing real names? Anyone who doesn’t know the answer will make the wrong call when in doubt – sometimes being too cautious, sometimes too careless.
- Inconsistent decisions in day-to-day business Without a common standard, every individual case is renegotiated from scratch. This costs time, creates friction and makes the outcome dependent on chance – depending on who happens to be sitting at the desk.
In the long run, this is too fragile. Not dramatic, not scandalous – but fragile.
Hence my key point: Using AI doesn’t require panic. But it does require structure.
Why most AI discussions start too late
It’s striking where the discussion begins in most companies: with the tools. Which model? Which provider? What about data protection at that major US corporation? Important questions – but they often come too late.
Because in practice, the issue begins much earlier, with four very straightforward questions:
- What uses are actually already in place in day-to-day work?
- What content is sensitive – and therefore shouldn’t be stored in just any tool?
- Which processes are approved internally, and which aren’t?
- And what should staff do when in doubt, if they’re unsure?
As long as these questions remain unanswered, AI in the company isn’t being managed. It’s left to individual cases.
The professional starting point for addressing this topic is therefore rarely the technology itself. More often than not, it’s clarity.
What a framework actually looks like – and how streamlined it can be
The good news is that this framework need not be either extensive or complicated. No company needs a forty-page AI governance document to become operational. It needs a few clear answers that actually work in day-to-day practice.
In practice, a brief internal guide that clarifies three things is often sufficient to start with:
What is permitted – and what i
- What is permitted – and what is expressly prohibited. Drafting, summarising or translating texts: by all means. Entering personal data, draft contracts or confidential customer information into a public tool: not without authorisation.
- Where results belong and who is responsible for them. AI provides a draft, not a finished result. The person who sends or publishes something remains responsible. That sounds obvious – but it needs to be stated explicitly.
- Who to turn to in case of doubt. A designated point of contact – this could be Management / Executive, IT or the data protection officer – removes a surprising amount of uncertainty from day-to-day work.
Only when employees know what is permitted, what is sensitive and what standards apply will AI become a productive asset rather than a vulnerability. Clarity doesn’t slow things down. It makes us more confident.
The EU AI Act is not a distant prospect – it is an organisational issue for the here and now
This is where the EU AI Act comes into play – and in many companies, it is still treated as a peripheral issue that needs to be tackled ‘sometime’.
I consider this a mistake. Not because every SME now has to set up a major AI programme straight away. But because most companies have long been facing the practical reality that this entire text is about: their staff are already using AI.
And the EU AI Act ties in precisely with this – in a far more measured way than the headlines suggest. Two points are relevant for the vast majority of operators, and neither has anything to do with dramatic scenarios:
- The requirement for AI competence (Article 4). This requires that employees who use AI or work with its outputs have a sufficient understanding of it. This is not some distant prospect – this requirement has been in force since February 2025. The legislator has deliberately left room for companies to decide how to implement this; the key thing is that action is taken and that it is documented in a transparent manner.
- The labelling requirement (from August 2026). People should be able to recognise when AI is involved. The chatbot on the website, the AI-generated image in a social media post, the automated assistant on the intranet – they should all identify themselves as what they are.
To put this into context: the much-discussed strict obligations for so-called high-risk systems – such as AI that automatically pre-sorts job applications – have recently been postponed and do not affect the vast majority of SMEs anyway. What remains is precisely the uncontroversial aspects: competence and transparency. In other words, exactly the points that a company can manage effectively with a little organisation.
For Management / Executive and HR, this means: the EU AI Act is not a future issue. It is an organisational matter for the here and now.
Ultimately, it is not a technological issue, but an organisational one
Much of this boils down to the same point. Many companies believe they are facing a technological problem – the question of which tool is the right one and whether the whole thing can be trusted. In fact, they are facing an organisational problem: a useful practice has emerged faster than the internal rules governing it.
This is no cause for concern. It is a solvable organisational issue. And the first step requires neither a large budget nor half a year’s project time. It consists of consciously putting the issue on the table once and for all, rather than leaving it to chance.
This won’t make AI any less significant. It will simply make it clearer. And that is precisely what makes all the difference.
This is exactly where I come in with the EU AI Act Academy: clear, compulsory training courses that provide employees with guidance in their day-to-day work – without fear, without technical jargon, but with the certification required by the EU AI Act.
