Spend enough time in the engine room of founder-led businesses and the same patterns repeat. Fast teams. Ambitious roadmaps. Constant pressure to do more with less. Over the past year, a new one has joined the list.

AI is everywhere. Governance is almost nowhere.

Not because founders don't care, but because they're building, scaling and keeping the wheels turning, and AI slipped into the business the way most tools do in a high-growth environment: quietly, informally, with the best of intentions. A tool here. A shortcut there. A workflow someone automated to save an afternoon. By the time the leadership team notices, AI is already shaping decisions, customer conversations and data flows that nobody can fully see, let alone explain.

For most of the past year, there was a hard date forcing the issue. The EU AI Act's high-risk rules were due to land this August. Then, in early May, EU lawmakers agreed to push them back. The obligations covering the riskiest uses - AI in hiring, AI that scores people, AI inside decisions that affect someone's livelihood - now apply from December 2027. Every serious read is treating the new dates as the planning baseline.

The relief is real.
And it is the wrong instinct.

Three things that did not move with the date.

01 The Trap

Plenty still lands before 2027.

The outright bans have been in force since early 2025. The transparency duties - telling people when they're dealing with AI, labelling what it generates - arrive on their own timetable, some of it this December. The extension is narrow. It is not a clean slate.

02 The Real Scrutiny

The regulator was never the real scrutiny.

The buyer's diligence team doesn't work to Brussels' calendar. Nor does the enterprise customer with a procurement function, or the investor sharpening their expectations for the next round. They will ask how AI touches your data, your decisions and your customers - and they'll ask long before December 2027. Forensic diligence always finds the gap if it's there.

03 The Capability

Governance built to clear a deadline gets abandoned when the deadline moves.

This is the part my field notes keep circling back to. Governance built only to clear a deadline gets abandoned the moment the deadline moves. Governance built as a capability survives the date changing. It makes the business better now.


What that capability looks like, from inside the businesses I work in.

01 Visibility

The riskiest uses are the least visible.

The surprises sit in the corners. A hiring shortlist quietly shaped by a tool. A customer message sent without a human reading it. A scoring model stitched together by a well-meaning team. Sensitive data passing through something that was never built to hold it. Not edge cases - increasingly, the norm.

02 Ownership

Ownership sits nowhere.

In a founder-led business, responsibility for AI lands everywhere and nowhere at once - or with "IT", even though the real risk lives in the business. Until someone owns it, it doesn't exist.

03 Clarity

Teams aren't asking for policy. They're asking for boundaries.

What's fine. What's not. What needs a human in the loop. What data is off-limits. They want to do the right thing; they just need the frame. A thirty-minute conversation shifts more behaviour than a thirty-page document ever will.


Runway, not reprieve.

The deadline moved. The gap between how AI is used and how it is governed did not.

This isn't a how-to guide. The how is the work I build with teams inside an engagement, across the operating rhythm, the governance foundations and the compliance posture that holds up when someone serious starts looking. But the observation fits on one line.

AI governance was never about slowing down. It is about making sure the business you are building can stand behind the systems it now runs on.

The date will keep moving. The work has to hold up regardless.

Francois Roux
Founder · HudsonRoux

Twenty-five years inside founder-led, PE-backed and international scale-ups. Two businesses built, both successfully exited as a shareholder and director. HudsonRoux is the operations, governance and compliance practice he built to bring that operator discipline to the founders walking the same path.

Operations

The system that lets the business run without the founder in every room.

Finance

Built into how I think - not bolted on at the end. 25 years at COO and CFO level.

Governance

Statutory Directorships across two businesses, two M&A processes, UK and US entities.

Compliance

Audited posture across ISO, GDPR, HIPAA, NHS and other international frameworks.

The engine room - four disciplines, one operator.
