Governance · The law
The regulator is not your oversight strategy
Laws like the EU AI Act are starting to require a human over high-risk AI. That is a floor, and a welcome one. It is not a strategy. Treating compliance as the whole of your oversight is how you pass an audit and still fail the people the system decides about.
As the EU AI Act comes into force, meaningful human oversight of high-risk AI is moving from good practice toward legal requirement. That matters, and building human oversight in Amsterdam, under the first serious AI law, is part of why I work where I do. But a law sets a minimum, and a minimum met is not a problem solved. The regulator can require that a human is in the loop. Only you can make that human's oversight real.
What the law asks for
Broadly, that high-risk AI systems allow for meaningful human oversight, that a person can understand and, where needed, override the system. The framing is deliberately about capability: the human must be able to intervene. It does not, and cannot, guarantee that they do. That gap, between a power granted and a power exercised, is exactly where oversight becomes theater, law or no law.
Why the floor is not enough
Because you can satisfy the letter of an oversight requirement with a reviewer who has three seconds and a confirm button, and the law will be met while the oversight is empty. Compliance proves the loop exists. It does not prove anyone in it has the time, context, and authority to change an outcome. That is a design choice you make above the legal line, or fail to.
Build above it
Treat the law as the start. Measure whether your oversight is exercised, not just present, and build the patterns that make it hold. The organizations that do this will not only clear the regulation, they will be trusted in a way the bare-minimum compliers never are.