The impact of AI on corporate governance

COMPLIANCE & RISK MANAGEMENT | March 2026

In this edition of the Compliance & Risk Management Newsletter, professionals from Andersen’s 231/Privacy Service Line have explored the impact of AI on corporate governance, highlighting the growing importance for companies to adopt appropriate technical and organisational measures to mitigate the risks associated with the use of AI, thereby improving their governance and resilience.

Corporate criminal liability in case of offences related to the use of AI-based systems

Corporate liability may arise where the use of AI-based systems becomes an instrument for committing predicate offences: for example, cybercrimes (unauthorized access, unlawful data processing), market manipulation, or breaches of workplace health and safety regulations where improperly configured algorithms affect production processes.

The adoption of automated solutions does not mitigate organizational fault; on the contrary, it requires stronger safeguards. Companies must be able to demonstrate that they have assessed AI-related risks, defined clear responsibilities within AI governance, and implemented controls over datasets, output quality, and the traceability of algorithmic decisions. In this context, the 231 Model should be updated by integrating: mapping of AI-driven processes, technical and legal validation protocols, and dedicated reporting flows to the Supervisory Body (OdV). Staff training on the responsible use of AI tools is equally crucial.

GDPR and AI Act: an integrated approach to protect personal data

In the European digital landscape, the protection of personal data now requires an increasingly integrated approach. The interaction between the GDPR and the AI Act is crucial for the responsible and ethical development of artificial intelligence, as it aims to ensure that technology, in particular AI-based systems, is developed in a way that respects people’s fundamental rights. Integrated management of these two regulations therefore makes it possible to address the critical issues associated with automated systems: from the need for explainable decisions to the prevention of bias, from proper impact assessment to the definition of roles and responsibilities among developers, suppliers and users.

In operational terms, this means strengthening governance by carrying out specific risk assessments, defining clear and transparent internal procedures and training staff in data protection, cybersecurity and AI.

The classification of AI systems based on risk: high-risk AI systems

The European regulation on artificial intelligence (AI Act) identifies high-risk AI systems in view of their potential impact on the health, safety and fundamental rights of individuals. These systems are not prohibited, but their placing on the market is subject to strict compliance requirements. High-risk AI systems include toys, lifts, radio equipment, pressure equipment, recreational craft equipment, cableway installations, medical devices, in vitro diagnostic medical devices, motor vehicles and aircraft, as well as systems intended to be used as safety components of critical digital infrastructure and installations for the supply of water, gas, heating and electricity. These systems must be designed and developed in such a way that they can be used under the constant supervision of natural persons. In addition, periodic controls are required to verify that they meet high standards of safety, in line with the objectives of the European digital strategy to make AI both innovative and reliable.