Skip to content
Vol. I · No. 251
Mon · 8 Jun
A Daily Lexicon of Trustworthy Data
No. 248
248·02 · Business Sense RequiredNo. 248 · 28 May 2026 · 2 min

New AI rules ask you to govern data you never classified. The bill comes due first.

The obligation assumes an inventory the organization skipped. The inventory is the project.

EvidenceThe EditorReality Tax

The new AI obligations are written as if every organization already knows what data it holds, where it came from, and whether it is fit for purpose. Most do not. That gap is not a strategy problem. It is a classification project deferred for a decade.

What happened: the rules now assume a data inventory. The EU AI Act's Article 10 requires high-risk systems to train, validate, and test on data sets governed for relevance, representativeness, bias, and — to the best extent possible — freedom from error, applying from 2 August 2026. The voluntary, widely adopted NIST AI Risk Management Framework encodes the same expectation across its Govern and Map functions: name accountability, then document each system's context.

Why it matters: each requirement presumes work that precedes AI. You cannot certify a training set as representative of a population you never defined, screen it for bias against categories you do not record, or attest to lineage you never captured. Phrased as an AI control, the prerequisite is plain classification, ownership, and lineage — the inventory that never got a budget line absent a deadline.

What it reveals about the field: data nobody would classify for governance turns urgent the moment a regulation attaches a date and a penalty. The readiness assessment, the model card, the bias audit each wrap one question: did anyone ever know what the data was. AI did not create the obligation, only the deadline that priced the deferral.

What to watch: watch which budget the work lands in. If "AI readiness" funds the classification and lineage effort governance could never get approved alone, the regulation worked as a forcing function. If it funds only documentation asserting a control nobody built, the bias audit will surface what the missing catalog implied.

The takeaway

Treat AI readiness as a data-classification and lineage project with a regulatory deadline, not a strategy. The deadline is the only new part.

The claim, mapped

  1. The EU AI Act's Article 10 requires high-risk AI systems to use training, validation, and testing data sets governed for relevance, representativeness, bias, and to the best extent possible completeness and freedom from error.

    supports01

  2. The EU AI Act entered into force on 1 August 2024 and phases in obligations, with core high-risk obligations applying from 2 August 2026.

    supports0301

  3. The NIST AI Risk Management Framework organizes AI governance through functions including Govern (accountability and roles) and Map (documenting an AI system's context and dependencies).

    supports02

  4. These obligations presume data classification, ownership, and lineage that organizations must establish independently of the AI system itself.

    context0102
Sources
01
EU Artificial Intelligence Act (artificialintelligenceact.eu) — Article 10: Data and Data Governance2024-07-12 · Tier 1 · primaryHigh-risk systems require training, validation and testing data sets that are relevant, sufficiently representative, and to the best extent possible free of errors, with governance covering bias examination and mitigation.
02
NIST AI Resource Center — AI Risk Management Framework: Core (Govern, Map, Measure, Manage)2023-01-26 · Tier 1 · primaryThe Map function establishes the context to frame risks related to an AI system; Govern defines roles, responsibilities, and accountability structures for AI risk management.
03
European Commission (Shaping Europe's digital future) — AI Act — Regulatory framework for AI2024-08-01 · Tier 1 · primaryThe AI Act entered into force on 1 August 2024 and phases in obligations; high-risk AI systems are subject to strict obligations including dataset quality, logging, documentation, and human oversight before market entry.
Mark this entry
Marginalia · 0 notes

No notes yet. The margin is open.

Sign in to add a note. The margin is moderated — we keep it useful, not cruel.

Related entries
Business Sense Required
Privacy law says keep less. The model says keep everything. Nobody wrote down what "it" is.

Minimization is a sentence about purpose. Most firms never finished the sentence.

Process Debt
Article 10 Quietly Bills You for the Data Catalog Nobody Funded

The EU AI Act's data-governance clause assumes lineage, provenance, and bias records most teams were never resourced to keep.

Owner Missing
Everyone shipped data products. The decision rights never left the building.

The catalog filled with products. The org chart did not move an inch.