PrivacyForgeSign In
Back to Blog

Inside the AI Governance Dashboard: How to Manage EU AI Act and UK ICO Compliance in One Place

A feature deep-dive into PrivacyForge's AI Governance module — from registering your first AI system and classifying its risk tier to running bias audits, generating model cards, and monitoring regulatory alerts. Everything you need to go from "we use some AI tools" to audit-ready confidence.

PFMariyan ValevMar 11, 2026 · 22 min read
AI GovGuide

The Problem: AI Is Everywhere, but Governance Is Nowhere

Most companies adopted AI the same way they adopted SaaS — one tool at a time, with no central oversight. Marketing added a recommendation engine. HR started using an AI resume screener. Customer support deployed a chatbot. The product team integrated a third-party API for content moderation. Finance uses an AI-driven fraud detection service.

Each decision made sense in isolation. But the result is that most organizations now operate dozens of AI systems without a single document that answers the basic questions regulators will ask:

  • What AI systems do you use?
  • What data do they process?
  • What decisions do they influence?
  • What risk do they pose to individuals?
  • What safeguards are in place?

Before August 2, 2026, these were good-practice questions. Now, under the EU AI Act, they are legal obligations. The penalties for not having answers reach up to €35 million or 7% of global annual turnover — exceeding even GDPR fines. The UK's Information Commissioner's Office (ICO) has its own AI governance framework that adds a parallel layer of requirements.

PrivacyForge's AI Governance module exists to solve this problem: it gives companies a single place to inventory, classify, assess, document, and monitor every AI system they operate, so the gap between "we use some AI tools" and "here is our auditable compliance record" is closed.

This article walks through every part of the dashboard, explains why each feature was built, and shows how it protects your business. For the broader discipline this dashboard operationalizes, see our guide to [what AI governance actually means](/resources/blog/what-is-ai-governance).

The Dashboard: Your Organization's AI Health at a Glance

The AI Governance dashboard is the first thing you see. It is designed around a single principle: surface the most important compliance signals immediately, so you can take action before problems become penalties.

The dashboard displays four metric cards at the top and two operational panels below them.

Total AI Systems — Because You Cannot Govern What You Cannot See

The first card shows the total count of AI systems registered in your inventory.

Why this matters: The AI Act applies to any organization that develops, deploys, or uses AI systems affecting people in the EU. The first question a regulator or auditor will ask is "how many AI systems does your organization operate?" If you cannot answer that question — or your answer is incomplete — everything downstream falls apart. You cannot classify risk for systems you do not know about. You cannot run assessments on invisible tools. You cannot generate documentation for shadow AI.

Most companies undercount their AI systems by a wide margin because they think only of the obvious ones: the chatbot, the recommendation engine, the custom ML model. They miss the AI embedded in their CRM's lead scoring, their email marketing platform's send-time optimization, their analytics tool's anomaly detection, their payment processor's fraud screening, and their HR platform's candidate ranking.

The AI Systems Inventory forces a structured, deliberate cataloging process that closes these visibility gaps. The total count on the dashboard is your at-a-glance measure of how complete that inventory is.

Compliance Score — A Single Number That Tells You Where You Stand

The compliance score is a real-time metric from 0 to 100 that aggregates the state of your entire AI governance program into one number.

Why this matters: AI governance involves multiple moving parts — classification, assessment, documentation, monitoring. Without a summary metric, it is easy to miss that three systems are unclassified, two assessments stalled in draft, and a model card expired last week. The compliance score forces these issues to the surface.

The score starts at 100 and deductions work as follows:

  • Unclassified systems reduce the score proportionally, up to 30 points. If you have 10 systems and 5 are unclassified, you lose 15 points. This penalty exists because unclassified systems represent blind spots — you do not know what obligations apply, so you cannot meet them.
  • Unacceptable-risk systems trigger a flat 40-point deduction. This is the largest single penalty because unacceptable-risk systems represent practices that are banned under the AI Act. Their existence is a compliance emergency.
  • Pending assessments cost 5 points each, up to 20 points. This penalizes assessment debt — work that was started but never completed. Stale drafts suggest a governance process that is not being followed through.
  • Expiring documents cost 3 points each, up to 10 points. Compliance documents have a validity window. Letting them expire means your documentation no longer reflects the current state of your systems, which is exactly what regulators check for.

The score displays green at 80+, yellow at 50–79, and red below 50. For most organizations, keeping the score above 80 should be the operational target — it means your inventory is classified, assessments are current, and documentation is up to date.

Pending Assessments — Preventing Governance Debt

This card counts assessments in draft or in-progress status.

Why this matters: Assessments are where you actually evaluate whether an AI system is safe, fair, and compliant. Starting an assessment but not completing it is worse than not starting one at all — it creates a false sense of progress while the actual risk goes unaddressed. The pending count makes this debt visible so it cannot be ignored. If the number grows, it signals that your team's assessment capacity is not keeping pace with your AI adoption.

Expiring Documents — Keeping Your Paper Trail Current

This card counts published compliance documents with a validity period ending within 30 days.

Why this matters: The EU AI Act requires that documentation is kept up to date. A model card written when a system was first deployed becomes misleading after the model is retrained, the data sources change, or the deployment context evolves. Expired documents are not just stale — they are a compliance gap. If an auditor asks for your documentation and it expired three months ago, the fact that it once existed does not help.

Documents in PrivacyForge have a default validity of one year. The expiring-documents count gives you a 30-day warning window to review, update, and re-publish before anything lapses.

Risk Tier Distribution — Understanding Your Portfolio's Risk Profile

Below the metric cards, the left panel shows the Risk Tier Distribution: a breakdown of all registered AI systems by their EU AI Act risk classification.

Why this matters: Not all AI systems carry the same risk or the same obligations. A spam filter and a credit scoring algorithm are fundamentally different from a regulatory perspective. The risk tier distribution shows you the shape of your AI portfolio at a glance — how many systems fall into each category and what percentage of your total inventory each tier represents.

This matters operationally because your compliance workload is directly proportional to your risk distribution. An organization with 15 minimal-risk systems has very different obligations than one with 5 high-risk systems and 2 unclassified ones. The distribution chart helps you:

  • Prioritize work — High-risk and unacceptable systems need attention first
  • Allocate resources — More high-risk systems means more assessment and documentation work
  • Track progress — As you classify unclassified systems, the distribution should shift
  • Report to leadership — The chart is a clear visual for board or executive reporting

The Five Tiers Explained

Unclassified — Systems that have been registered but not yet classified. These are your blind spots. Until a system is classified, you do not know what obligations apply to it, which means you cannot demonstrate compliance. The compliance score penalizes unclassified systems specifically to drive their resolution.

Unacceptable — AI practices that are prohibited under EU AI Act Article 5. These include social scoring for government purposes, subliminal manipulation, exploitation of vulnerable groups, real-time remote biometric identification in public spaces, emotion recognition in workplaces and schools, and untargeted facial image scraping. If any system is classified here, it must be decommissioned or reclassified with documented justification. There is no middle ground — these practices are banned.

High — The most regulated tier. The AI Act identifies specific domains where AI systems are considered high risk because they can significantly affect individuals' rights, safety, or livelihoods. PrivacyForge's rule library covers all high-risk categories from the EU AI Act — biometric identification, critical infrastructure, education, employment, essential services access (credit scoring, insurance), law enforcement, migration, justice, medical devices, and safety components — plus UK ICO-specific indicators for automated decision-making, bias-sensitive processing, special category data, and children's data.

High-risk systems must maintain risk management systems, data governance procedures, technical documentation, automatic logging, transparency disclosures, human oversight mechanisms, and demonstrated accuracy and robustness. This is where the bulk of compliance effort concentrates.

Limited — Systems that must meet transparency obligations. Users must be informed they are interacting with AI (chatbots), that content is AI-generated (deepfakes, synthetic media), or that emotion recognition is in use. The obligations are lighter but still mandatory.

Minimal — Systems with no specific mandatory obligations under the AI Act (spam filters, game AI, inventory optimization). Voluntary codes of conduct are encouraged. These systems still benefit from being inventoried because their risk profile could change if their deployment context changes.

How the Classification Engine Works

PrivacyForge does not require you to manually determine risk tiers. When you register a system, the classification engine automatically evaluates it against a rule library drawn from the AI Act text and UK ICO guidance.

The engine analyzes the system's name, description, and purpose statement through keyword matching and structured criteria evaluation. It checks whether the system's stated purpose, data categories, or affected populations match known risk indicators. When multiple rules match, the engine selects the highest applicable tier and calculates a confidence score (0.5 to 1.0) based on match strength.

Why automated classification matters: Manual classification requires deep regulatory expertise. Someone has to read the AI Act's annexes, understand the case law, interpret the ICO guidance, and apply it correctly to each system. For organizations with dozens of AI systems, this is expensive and error-prone. Automated classification gives you a defensible starting point that covers the regulatory text comprehensively, so your compliance team can focus on reviewing and refining rather than starting from scratch.

Manual overrides are available when context matters. If a system's keywords trigger a high-risk classification but its actual deployment context makes it lower-risk, you can override the tier with a written justification. The override, justification, original classification, and timestamp are all stored in the audit trail — so you can demonstrate to regulators that you considered the risk and made a reasoned decision, not that you ignored it.

Regulatory Alerts — Staying Ahead of a Moving Target

The right panel on the dashboard shows Regulatory Alerts: recent developments from the EU AI Act, UK ICO, and related frameworks.

Why this matters: The AI regulatory landscape is not static. The AI Act itself is still being interpreted through guidance documents, delegated acts, and early enforcement actions. The European AI Office is publishing implementation guidelines. The UK ICO is updating its AI auditing framework. National supervisory authorities are issuing their own positions. Standards bodies are developing harmonized standards.

For companies, this creates a moving compliance target. A practice that was acceptable six months ago may now be under scrutiny. A grace period that seemed distant may be approaching. A new interpretation may reclassify one of your systems.

PrivacyForge's alert system monitors these developments and surfaces them with three severity levels:

  • Critical — Immediate compliance impact. Examples: a new prohibition taking effect, an enforcement action in your sector, a deadline you must meet. These require urgent review and potentially immediate changes to your AI governance.
  • Warning — Upcoming changes or trends that need planning. Examples: a new guidance document that will change how risk assessments are conducted, an enforcement trend targeting your industry, a standard nearing adoption. These give you time to prepare.
  • Informational — Background developments that are worth tracking. Examples: a consultation launched, a research report published, a cross-jurisdictional development.

Each alert includes the regulation it relates to, the risk tiers it affects, the effective date, and a source link. You can mark alerts as read or dismiss them to keep the dashboard focused.

The business value is simple: organizations that learn about regulatory changes after they take effect are always in reactive mode — scrambling to comply, under pressure, at risk of enforcement. Organizations that learn about changes weeks or months in advance can plan, budget, and implement changes on their own timeline.

Assessments: Proving Your Systems Are Safe and Fair

Registering and classifying AI systems establishes visibility. Assessments are where you actually evaluate whether each system meets its compliance obligations. PrivacyForge supports four assessment types, each designed for a different regulatory need.

Data Protection Impact Assessment (DPIA) — Because AI and Personal Data Are Inseparable

Why this exists: GDPR Article 35 requires a DPIA for any processing likely to result in high risk to individuals — and most AI systems processing personal data meet that threshold. The AI Act's risk management requirements reinforce this obligation specifically for high-risk AI. A DPIA is not optional for these systems; it is a legal prerequisite.

What it evaluates: The necessity and proportionality of the processing, the risks to data subjects' rights and freedoms, and whether the safeguards in place are adequate. For AI systems specifically, this means examining training data governance, automated decision-making impacts, data minimization in model inputs, and the right to human review.

How it helps companies: A completed DPIA is one of the first documents a data protection authority will request during an investigation. Having a current, thorough DPIA for every high-risk AI system demonstrates that your organization is taking its obligations seriously. It also forces you to identify and address risks before they become incidents — which is far cheaper than responding after a harm occurs.

Bias Audit — Because Fairness Is Not Optional

Why this exists: AI systems can perpetuate and amplify discrimination. A recruitment screening tool trained on historical hiring data may disadvantage women or minorities. A credit scoring model may produce different outcomes based on ethnicity or postcode. The EU AI Act requires that high-risk systems are tested for bias, and the UK ICO's fairness framework sets out specific expectations for how organizations should evaluate AI fairness.

What it evaluates: PrivacyForge generates structured bias audits following the ICO AI Guidance Fairness Framework, analyzing potential impact across protected characteristics: race and ethnicity, gender, religion, age, disability, and sexual orientation. The audit produces preliminary metrics, identifies which characteristics are most at risk, and flags areas requiring deeper investigation with production data.

How it helps companies: Discrimination claims against AI systems are among the most damaging — both financially and reputationally. The New York City bias audit law, the EU AI Act's fairness requirements, and the UK Equality Act all create legal liability for biased AI. A documented bias audit shows that your organization has evaluated fairness proactively rather than waiting for a complaint. It also gives your engineering team concrete guidance on what to test and monitor.

Risk Assessment — A Holistic View Across Five Dimensions

Why this exists: Not every risk fits neatly into a DPIA or bias audit. Some AI systems raise concerns about transparency (are users informed?), accountability (who is responsible when something goes wrong?), or robustness (does the system fail gracefully?). The general risk assessment captures these broader concerns in a structured way.

What it evaluates: Five dimensions, each scored from 0 to 100:

  • Data protection — How personal data is collected, processed, stored, and protected within the AI pipeline
  • Transparency — Whether users and affected individuals receive meaningful information about how the AI works and what decisions it influences
  • Fairness — Whether the system produces equitable outcomes across different groups and avoids unjust discrimination
  • Accountability — Whether governance structures are in place: human oversight mechanisms, escalation paths, audit trails, and clear ownership
  • Overall risk — An aggregate score that weighs all dimensions

How it helps companies: The five-dimension framework translates abstract regulatory requirements into concrete, measurable criteria. Instead of asking "are we compliant?" — which is unanswerable in the abstract — your team can ask "is our transparency score acceptable?" and "where is our accountability weakest?" This makes risk management actionable and progress trackable.

Impact Assessment — For Systems That Affect Communities

Why this exists: Some AI systems have effects that extend beyond individual data subjects to communities, public services, or societal structures. A content recommendation algorithm may not violate any individual's data rights but can amplify misinformation at scale. An urban planning AI may affect entire neighborhoods. The impact assessment captures these broader social, ethical, and operational dimensions.

How it helps companies: Impact assessments demonstrate responsible AI governance that goes beyond minimum legal compliance. For organizations operating in regulated industries, responding to public procurement requirements, or serving socially sensitive use cases, this broader assessment is often expected by clients, partners, or oversight bodies.

The Assessment Workflow — Built for Accountability

Every assessment follows a formal lifecycle: Draft (created, findings being gathered), In progress (active analysis), Completed (findings documented), then either Approved (signed off by a responsible party) or Rejected (sent back for revision).

Why this lifecycle matters: Regulatory compliance requires accountability — not just that work was done, but that it was reviewed and approved by someone with authority. The status workflow creates an auditable chain of responsibility. If a regulator asks "who approved this risk assessment?", you have the answer. If an assessment was rejected and reworked, the history shows that your organization takes quality seriously.

Each assessment produces structured findings categorized by severity (critical, high, medium, low, informational) with specific recommendations tied to the system's risk tier. Every finding includes mitigation measures with assigned owners and tracking status — so remediation does not stall at "we identified the problem."

Compliance Documents: Your Audit-Ready Paper Trail

The EU AI Act requires extensive documentation, and regulators expect it to be current, complete, and accessible. PrivacyForge generates four types of compliance documents.

Model Cards — The Single Source of Truth for Each AI System

Why this exists: When a regulator, auditor, client, or internal stakeholder asks about an AI system, they need a single document that summarizes everything: what the system is, what it does, what data it processes, who it affects, what risk it carries, and what compliance measures are in place. The model card is that document.

What it contains: System name, purpose, provider type and name, deployment status, risk classification and confidence score, all data categories processed, all affected populations, compliance obligations for the system's risk tier, and a summary of the latest assessment findings.

How it helps companies: Model cards transform scattered knowledge — some in the engineering team's heads, some in procurement records, some in compliance spreadsheets — into a single, standardized, versioned document. When due diligence requests arrive from enterprise clients, when auditors visit, or when regulators inquire, you hand them the model card instead of scrambling to compile information from five different sources.

Transparency Labels — Meeting Your Disclosure Obligations

Why this exists: The AI Act requires that users are informed when they are interacting with AI (chatbots), when content is AI-generated (synthetic media, deepfakes), or when emotion recognition is being used. Transparency labels are user-facing documents that fulfill these obligations.

How it helps companies: Getting transparency disclosures wrong is one of the most common compliance failures — and one of the easiest for regulators to detect. A user who discovers they were talking to an AI without disclosure has a clear basis for a complaint. Pre-built transparency labels ensure your disclosures meet the regulatory requirements without requiring each product team to interpret the AI Act independently.

Conformity Declarations — Formal Compliance Statements for High-Risk Systems

Why this exists: High-risk AI systems under the EU AI Act must undergo conformity assessment — either self-assessment or third-party evaluation, depending on the domain. The conformity declaration is the formal document stating that your system meets all applicable requirements.

How it helps companies: Conformity declarations are a market access requirement. Without one, a high-risk AI system cannot legally be placed on the EU market. PrivacyForge structures the declaration based on your system's classification, assessment results, and documentation, so you are not drafting legal documents from scratch.

Technical Documentation — The Engineering Record

Why this exists: The AI Act requires detailed technical records for high-risk systems covering design, development, testing, and deployment. This includes training data characteristics, model architecture, performance metrics, testing methodology, and known limitations.

How it helps companies: Technical documentation serves two purposes. First, it satisfies the regulatory requirement. Second, it creates institutional knowledge that survives staff turnover. When the engineer who built a model leaves the company, the technical documentation ensures that the compliance team — and any future engineers — can understand how the system works.

Document Lifecycle — Because Compliance Is Not a Moment, It Is a Process

All documents are versioned and have a validity period (default one year). The lifecycle runs from draft to published to either archived or expired.

Why this matters: AI systems are not static. Models are retrained, data sources change, deployment contexts evolve, and regulations are updated. A document written twelve months ago may no longer reflect reality. The validity period forces periodic review, and the expiring-documents metric on the dashboard ensures that renewals do not fall through the cracks.

Settings: Tailoring Governance to Your Organization

The Settings page lets you configure how the AI Governance module operates.

  • Auto-classify on save — When enabled (the default), PrivacyForge automatically runs risk classification whenever a new system is registered or an existing one is updated. This ensures that no system sits in your inventory without a risk tier for longer than necessary. Disable it if you want to batch classification or review systems before they are classified.
  • Default assessment type — Sets which assessment type is pre-selected when creating new assessments. If your organization primarily needs DPIAs, set that as the default to save time. If you are focused on fairness, set bias audit as the default.
  • Notification preferences — Control whether you receive alerts for regulatory changes, assessment deadlines, and classification updates. For compliance leads, all three should be on. For engineers who only interact with specific systems, turning off regulatory alerts may reduce noise.

Putting It All Together: A Practical Workflow

1. Build your inventory

Register every AI system your organization uses — including third-party services with embedded AI. Focus on purpose and data categories, as these drive classification. The goal is comprehensive visibility, not perfection. A rough inventory of 20 systems is infinitely more valuable than a perfect description of 3.

2. Classify risk tiers

Let the classification engine map each system to the correct tier. Review the results, paying close attention to anything flagged as unacceptable or high risk. Override where context warrants it, with documented justification. Your risk distribution chart should have zero unclassified systems when this step is complete.

3. Address unacceptable systems immediately

Any system classified as unacceptable risk is a prohibited practice under the AI Act. Either demonstrate — with documentation — that the classification does not apply to your use case, or begin decommissioning. There is no grace period for prohibited practices.

4. Run assessments for high-risk systems first

Generate DPIAs and bias audits for every high-risk system. Review findings, assign mitigation measures to specific owners with deadlines, and track them to completion. Then work down to limited-risk systems.

5. Generate compliance documents

Create model cards for all registered systems. Add transparency labels for limited-risk systems. For high-risk systems, prepare conformity declarations and technical documentation. Publish everything and note the validity dates.

6. Monitor the dashboard weekly

Watch for: compliance score dropping below 80, new regulatory alerts (especially critical ones), documents approaching expiry, and newly registered systems that need classification. The dashboard is designed to make a weekly check take minutes, not hours.

7. Reassess when systems change

AI systems evolve — models are retrained, data sources shift, deployment contexts expand. Any material change should trigger a reclassification and a fresh assessment. Keep your documents current with each change.

The Bottom Line: Governance as a Business Asset

The EU AI Act does not require perfection. It requires demonstrable governance — evidence that your organization knows what AI systems it operates, understands the risks, has assessed them, and has documented its compliance posture.

For companies that treat this as a burden, it will always feel like one — a cost center, a checkbox exercise, a drag on velocity.

For companies that treat it as a business asset, it becomes a differentiator. Enterprise clients choosing between two SaaS vendors will pick the one that can produce model cards, bias audits, and conformity declarations on demand. Regulated industries will only work with partners who can demonstrate AI governance. Investors and acquirers are beginning to factor AI risk into due diligence.

PrivacyForge's AI Governance module gives you the structure to build this asset systematically — from the first system you register to the hundredth, from the first classification to the annual reassessment, from the first model card to the complete audit-ready portfolio.

The dashboard is the starting point. Register your first AI system, and the rest follows.