Francesco Faenzi lists five AI governance questions

Francesco Faenzi used an X thread on May 20 to argue that many companies claiming to have AI governance would fail a basic test once the EU AI Act is applied. He said organizations should be able to answer five concrete questions about ownership, use cases, risk review, evidence and escalation. He framed the issue as an operational one rather than a branding exercise, warning that undocumented exposure will become a compliance problem. The post landed as European regulators continue publishing implementation guidance for the bloc’s AI law. ### What was Faenzi’s core claim? Francesco Faenzi wrote on X that if an organization cannot answer five governance questions “clearly, consistently, and publicly,” it does not yet have real AI governance. The post, published on May 20, said the EU AI Act will force companies to move from general principles to named accountability, documented controls and traceable decisions. Faenzi said the coming regime will convert “exposure into regulatory liability.” That phrasing matched a broader feature of the EU AI Act, which sets obligations for providers and deployers of certain AI systems and links them to documentation, transparency, record-keeping and cooperation with authorities. (eur-lex.europa.eu) ### What are the five questions companies are supposed to answer? Faenzi’s thread said companies should be able to identify who owns AI governance internally, which systems and use cases are in scope, what risks have been assessed, what evidence supports compliance, and how incidents or exceptions are escalated. (x.com) The thread presented those questions as a minimum operating standard, not a checklist for future drafting. (eur-lex.europa.eu) The emphasis on named owners and documented evidence aligns with the structure of the EU AI Act. For high-risk systems, the law sets requirements around risk management, data governance, technical documentation, record-keeping, transparency to deployers, human oversight, and post-market monitoring. ### Why does the EU AI Act matter to this argument? Regulation (EU) 2024/1689 was adopted on June 13, 2024 and published in the Official Journal on July 12, 2024. (x.com) The law creates a bloc-wide framework for the development, placing on the market, putting into service and use of AI systems in the European Union. Article 50 of the law sets transparency obligations for certain AI systems, including systems that interact directly with people and systems that generate synthetic content. (artificialintelligenceact.eu) Separate provisions for high-risk systems require providers and deployers to maintain documentation and logs and to support oversight and reporting duties. The European Commission said on May 8, 2026 that it had published draft guidelines on Article 50 implementation and opened a targeted consultation through June 3. (eur-lex.europa.eu) The Commission said the guidelines are meant to help authorities, providers and deployers apply the transparency rules “in a consistent, effective and uniform manner.” (artificialintelligenceact.eu) ### What does this mean for companies using AI now? Companies already deploying AI do not need to wait for every guidance document to be finalized before mapping systems, assigning owners and preserving evidence. Faenzi’s thread urged firms to document their risk questions and mitigation steps now, and to do so publicly where appropriate. The Commission has also launched support measures ahead of full implementation, including the AI Pact and an AI Act Service Desk, to help organizations prepare for the law’s obligations. (digital-strategy.ec.europa.eu) That gives companies a formal channel for early compliance work while sector-specific interpretation continues to develop. ### What should readers watch next? June 3, 2026 is the current deadline for stakeholder input on the Commission’s draft Article 50 transparency guidelines. (x.com) Further Commission guidance on general-purpose AI providers has also been issued in recent weeks as the EU builds out the rulebook around the Act. (digital-strategy.ec.europa.eu) For companies following Faenzi’s warning, the next concrete test is whether they can produce documented answers now — with named owners, scoped systems, risk records and escalation paths — before regulators or customers ask for them. (x.com) (digital-strategy.ec.europa.eu)