IT governance, cybersecurity and digital transformation in Belgiumcontact@itselect.be
Start IT diagnostic
AI Act ยท Premium resource

Operational model for AI regulatory readiness.

A practical governance canvas to turn AI Act preparation into execution: AI inventory, risk classification, ownership, evidence, supplier controls, indicators and a 90-day roadmap.

Download the PDF modelAssess my IT maturity
90dPragmatic readiness roadmap.
7AI governance workstreams.
RACIDPO, CISO, Legal, IT and business roles.
EvidenceAudit pack and traceability.

Why an AI Act operating model?

The AI Act is not only a legal topic. For organizations, the real difficulty is to know which AI uses exist, who owns them, which risk category applies, which evidence is available and how decisions are monitored over time.

The Selection ICT model turns the topic into an operating framework: a use-case register, risk classification, decision workflow, supplier requirements, security controls and a measurable roadmap.

2026 attention point. EU obligations apply progressively. The framework must therefore remain alive: organizations should monitor the legal text, guidelines, harmonised standards and AI Office guidance.

The 7 workstreams

1. Governance & accountability

  • Appoint an executive AI sponsor.
  • Set up a lightweight AI committee.
  • Clarify decisions, risk ownership and escalation.

2. AI use-case inventory

  • List tools, models, prompts, automations and suppliers.
  • Identify data used and business purposes.
  • Assign a business owner.

3. Risk classification

  • Exclude prohibited practices.
  • Identify high-risk or sensitive use cases.
  • Document limited-risk and minimal-risk usage.

4. Data, security & GDPR

  • Check personal data, confidentiality and lawful basis.
  • Assess cyber and data leakage risks.
  • Document protective controls.

5. Suppliers & models

  • Embed AI requirements into procurement.
  • Review documentation, hosting, logs and subcontracting.
  • Track general-purpose AI models used by the organization.

6. Documentation & evidence

  • Keep decisions, controls, approvals and incidents.
  • Prepare a compliance file per critical use case.
  • Connect AI Act, GDPR, security and IT governance evidence.

30 / 60 / 90-day operational roadmap

Days 1-30

Frame and inventory

Validate the sponsor, identify visible and shadow AI usage, detect sensitive data, block unacceptable use and create the first register.

Days 31-60

Classify and secure

Classify use cases, formalize minimum controls, update procurement rules, prepare evidence templates and launch AI literacy actions.

Days 61-90

Industrialize governance

Install the AI committee, publish indicators, monitor exceptions, onboard critical suppliers and prepare the continuous improvement roadmap.

Recommended deliverables

  • AI use-case register.
  • AI risk classification grid.
  • AI supplier questionnaire.
  • AI governance RACI.
  • Approval workflow for new AI uses.
  • AI incident and exception log.
  • Evidence pack per critical use case.
  • Monthly regulatory readiness dashboard.

Management indicators

To make compliance visible, Selection ICT recommends a simple dashboard: percentage of inventoried use cases, percentage of classified use cases, number of blocked or exception-based use cases, supplier assessment coverage, AI literacy coverage, declared AI incidents and closed corrective actions.

Official sources to monitor

European Commission - AI Act
AI Act Service Desk - implementation timeline

Move from compliance intent to operational control.

The goal is not to produce another document, but to install measurable, accountable AI governance aligned with business reality.

Download the modelBack to resources