When an AI system causes harm, the first question regulators ask is: who's responsible? The answer is more complicated than it sounds. The company that built the model, the company that marketed it, the company that deployed it, and the person who used it all play different roles — with different legal obligations under emerging regulations.
The EU AI Act draws sharp lines between providers, deployers, and users, assigning different compliance burdens to each. Understanding which role you occupy — and when you might occupy multiple roles simultaneously — is fundamental to building a compliant governance program.
This article clarifies the distinction between AI developers, providers, deployers, and users, explains how different regulations assign obligations, and addresses the practical complications that arise when organizations fill more than one role.
Defining the Roles
Developer: builds the model or AI system. Leading organizations have found that addressing this systematically — rather than on a case-by-case basis — produces better outcomes and reduces the total cost of governance over time. Organizations that invest in this capability early build a competitive advantage: they deploy AI faster, with more confidence, and with fewer costly surprises downstream.
The status quo — governing AI with existing IT frameworks — is no longer sufficient. provider: places the system on the market or puts it into service. The key is to match governance rigor to risk level. Not every AI system needs the same depth of oversight — invest your governance resources where the stakes are highest and scale lighter-touch governance for lower-risk applications.
What would happen if this governance control failed? Deployer: uses the system under their authority for their purposes. In practice, organizations that implement this systematically report fewer incidents, faster regulatory response times, and higher stakeholder confidence in their AI deployments.
For governance professionals, the critical consideration here is user: the person who interacts with the ai output. Implementation requires clear ownership, defined timelines, and measurable success criteria. Governance activities without accountability tend to atrophy as competing priorities consume attention. Start with a pilot, measure results, and iterate. Governance practices that emerge from practical experience are more durable than those designed in a vacuum.
How Regulations Assign Obligations
The status quo — governing AI with existing IT frameworks — is no longer sufficient. the eu ai act places different requirements on providers vs. deployers. The key is to match governance rigor to risk level. Not every AI system needs the same depth of oversight — invest your governance resources where the stakes are highest and scale lighter-touch governance for lower-risk applications.
How would you know if your model's performance degraded tomorrow? Providers bear the heaviest burden: conformity assessments, technical documentation, post-market monitoring. In practice, organizations that implement this systematically report fewer incidents, faster regulatory response times, and higher stakeholder confidence in their AI deployments.
A common misconception is that this only applies to large enterprises, but in reality deployers must implement human oversight, monitor for risks, and conduct fundamental rights impact assessments. The effectiveness of human oversight depends on whether the human reviewer has sufficient context, time, and authority to exercise genuine judgment. High-throughput systems that require rapid human review often produce rubber-stamping rather than meaningful oversight. Start with a pilot, measure results, and iterate. Governance practices that emerge from practical experience are more durable than those designed in a vacuum.
The Practical Complications
What would happen if this governance control failed? Many organizations fill multiple roles simultaneously. In practice, organizations that implement this systematically report fewer incidents, faster regulatory response times, and higher stakeholder confidence in their AI deployments.
From an operational standpoint, the key challenge is when you buy ai, you become a deployer — with deployer obligations. Implementation requires clear ownership, defined timelines, and measurable success criteria. Governance activities without accountability tend to atrophy as competing priorities consume attention. Start with a pilot, measure results, and iterate. Governance practices that emerge from practical experience are more durable than those designed in a vacuum.
Fine-tuning or modifying a foundation model can shift you from deployer to provider. Leading organizations have found that addressing this systematically — rather than on a case-by-case basis — produces better outcomes and reduces the total cost of governance over time. Organizations that invest in this capability early build a competitive advantage: they deploy AI faster, with more confidence, and with fewer costly surprises downstream.
The status quo — governing AI with existing IT frameworks — is no longer sufficient. shared accountability vs. finger-pointing: contractual clarity is essential. The key is to match governance rigor to risk level. Not every AI system needs the same depth of oversight — invest your governance resources where the stakes are highest and scale lighter-touch governance for lower-risk applications.
What to Do Next
- Assess your organization's current practices against the key areas covered in this article and identify the top three gaps
- Assign clear ownership for each governance activity discussed — accountability without a named owner is just aspiration
- Establish a regular review cadence (quarterly at minimum) to evaluate whether governance practices are keeping pace with AI deployment
This article is part of AI Guru's AI Governance series. For more practitioner-focused guidance on AI governance, risk management, and compliance, explore goaiguru.com/insights.
