Patrick Upmann
AI Governance · EU AI Act · Board Advisory
linkedin.com/in/upmann/
Board Edition v4 · March 2026
AI Decision Defensibility Engine™ — v4

Can this AI-supported decision be defended?

The board question of 2026 is not "Are we using AI?" It is: "If this AI-supported decision is challenged tomorrow — legally, regulatorily, reputationally — can we prove it was made correctly, by the right people, with the right evidence?"

EU AI Act 2024/1689 · Validated March 2026 · Provider · Deployer · Importer · 8 Governance Dimensions
Legal Notice: This tool is a conceptual board orientation instrument. It does not constitute legal advice, does not replace formal compliance review under EU AI Act Regulation 2024/1689, and does not establish legal conformity or liability exemption. The Business Judgment Rule protects documented, diligent decisions — this tool helps structure that diligence. For binding assessments, engage qualified AI law counsel. — Patrick Upmann, 2026
Assessment — 8 Governance Dimensions
MANDATORY FIRST — Your Legal Role under EU AI Act
What is your organisation's legal role for this AI system?
Provider, Deployer, and Importer carry fundamentally different obligations under the EU AI Act. Boards frequently assume the wrong role — creating a critical governance gap. This determines which duties apply.

High-risk categories under Annex III are marked. GPAI obligations under Art. 51–56 apply to foundation model deployments.

The Author

Patrick Upmann

Patrick Upmann advises supervisory boards, executive management, and family-owned businesses on structuring AI governance — with a focus on defensibility, accountability, and regulatory resilience under the EU AI Act. The "Thinking AI vs. Governing AI" framework addresses the decisive gap: companies understand AI strategically, but few can defend AI-supported decisions under legal or regulatory pressure.

Specialised in Provider vs. Deployer obligation mapping, Annex III classification, and board-level accountability architecture under EU AI Act 2024/1689.

AI Governance · EU AI Act 2024/1689 · Board Advisory · Provider / Deployer · Annex III · AIGN OS · Family-Owned Companies · Supervisory Boards
Legal Framework — March 2026
Provider vs. Deployer vs. Importer (Art. 3 · Art. 25–29)
Fundamental distinction the board must understand. Providers develop AI systems. Deployers operate them. Obligations, liability, and conformity duties differ substantially for each role.
High-Risk Classification (Annex III · Art. 9–15)
HR, credit, education, critical infrastructure, biometrics: mandatory technical documentation, logs, human oversight, conformity assessment, CE marking (where applicable).
Data Governance (Art. 10)
Training and operational data must meet quality criteria. Bias testing, data lineage, and dataset validation are legal obligations for high-risk AI — not best practices.
Risk Management System (Art. 9 · Lifecycle)
Not a one-time audit. Art. 9 requires an ongoing, documented risk management system covering the entire AI lifecycle: design, deployment, monitoring, and incident response.
Conformity Assessment (Art. 43–49)
High-risk AI systems require either internal or third-party conformity assessment before market placement or deployment. CE marking may apply. Board must verify this has occurred.
Vendor / Third-Party Liability (Art. 25)
Deployers remain liable for third-party AI systems. Contractual obligations must flow down. "Black box" AI from vendors is not a liability shield — it is a governance gap.
Business Judgment Rule (Organisational Liability)
Documented, diligent, informed decision-making protects board members from personal liability. This tool structures the documentation required to invoke this protection.
Serious Incident Reporting (Art. 72–73)
Mandatory escalation to market surveillance authorities. The board must have a named incident owner and a tested escalation protocol — not just a policy document.
Next Steps

From assessing to defending.

This tool reveals the exposure. Patrick Upmann's board session format closes it: structured role mapping, Annex III classification, liability architecture, and governance documentation — from gap to defensible board position.
