Implementing artificial intelligence is not just an opportunity for increased efficiency, but also a significant regulatory, technical, and ethical challenge. Check if your company is prepared for the requirements of the AI Act and how to minimize risks related to *shadow AI*, cybersecurity, or algorithmic bias.
Artificial intelligence is no longer a futuristic concept – by 2026, it has become an inseparable element of business strategies. According to a Deloitte report, 68% of Polish companies are already planning or implementing AI solutions, but only 23% have a clearly defined policy for managing risks associated with this technology. This is a concerning disparity, especially in light of the full entry into force of the AI Act – the EU regulation that, as of August 2, 2026, imposes a range of legal and operational obligations on enterprises.
However, before you decide to implement AI, it is worth asking yourself several key questions. The following checklist will help assess your organization's readiness – from regulatory compliance to technical and ethical issues. Some answers may surprise you, or even force you to change your current plans.
1. Do you know which AI Act regulations apply to your industry?
The AI Act is not just another regulation – it is a revolution in the approach to artificial intelligence. From 2026, every AI system placed on the EU market must comply with its requirements, and penalties for violations reach up to 35 million euros or 7% of a company's global turnover. It is crucial to understand which risk category your system falls into:
- Prohibited (e.g., social scoring, behavioral manipulation) – Art. 5 of the AI Act.
- High-risk (e.g., recruitment, credit scoring, medical systems) – Art. 6–51. These require, among other things, conformity assessments, technical documentation, and registration in the EU database.
- Limited risk (e.g., chatbots) – require transparency (Art. 50).
- Minimal risk (e.g., spam filters) – no additional requirements.
For companies operating in Poland, additional requirements are introduced by the Act implementing the AI Act (Journal of Laws 2025, item 456) and sector-specific regulations, such as the KNF regulation for the financial sector. It is also worth remembering the guidelines of the Polish Council for Artificial Intelligence (PRSI), which recommends implementing standards such as ISO/IEC 42001.
The biggest challenge? A lack of clear guidelines for certain industries. For example, is an AI system for supply chain optimization high-risk? The answer depends on interpretation – and that is where the problems begin.
How to check if your AI system is high-risk?
- Analyze Annex III of the AI Act, which lists the sectors covered by the regulation.
- Use self-assessment tools, such as the AI Act Compliance Checker provided by the European Commission.
- Consult with a lawyer specializing in technology law – the interpretation of regulations can be crucial.
2. Do you monitor *shadow AI* in your company?
Even if your company has not officially implemented any AI solutions, there is a high probability that employees are using them informally. This phenomenon, known as *shadow AI*, already affects 60% of companies according to Gartner. The most popular tools include:
- Generative AI: ChatGPT, Gemini, Copilot.
- Automation: Zapier, Make (formerly Integromat).
- Data analysis: Tableau with AI plugins, Python (Pandas, Scikit-learn).
The risks associated with *shadow AI* are serious:
- Data leakage: Sending confidential information to external AI models (e.g., source code, customer data). Example? In 2025, Samsung banned the use of ChatGPT after an employee leaked code.
- GDPR violation: Lack of consent for personal data processing via external APIs. In 2025, the Polish Data Protection Authority (UODO) imposed a 500,000 PLN fine on a Polish company for unauthorized data processing by an AI tool.
- Bias and errors: Using unapproved AI models for decision-making (e.g., recruitment).
How to control *shadow AI*?
Here are a few proven methods:
- *Shadow AI* policy: Introduce procedures for reporting and authorizing AI tools. You can find a sample form on the UODO website.
- Monitoring: Tools such as Netskope, Zscaler, or Darktrace detect unauthorized AI usage.
- Training: Educate employees on the risks associated with *shadow AI*. It is worth using the materials from the "Modern AI Bible" on this blog.
- Corporate alternatives: Implement internal AI solutions, e.g., Azure AI, AWS Bedrock, or Google Vertex AI.
3. Who is responsible for AI Governance in your company?
Implementing AI is not just a technical issue, but also an organizational one. Without clearly defined responsibility, chaos – and compliance violations – are easy. In 2026, more and more companies are appointing a Chief AI Officer (CAIO), but this is still a rare position in Poland. Who should oversee AI in your organization?
- AI Committee: Composed of representatives from IT, compliance, legal, HR, and business. This is the model recommended by ISO/IEC 42001.
- Chief AI Officer (CAIO): A new position in large companies (e.g., Bank Pekao, PKO BP, Orange Polska hired CAIOs in 2025).
- External auditors: Consulting firms (e.g., PwC, EY, Accenture) offer AI Governance audit services.
Key tasks for the AI Governance team:
- Developing AI policy and compliance procedures.
- Monitoring legal and ethical risks.
- Coordinating employee training.
- Supervising audits and certifications (e.g., ISO/IEC 42001).
If your company does not yet have such a team, it is worth considering its establishment – especially if you are planning to implement high-risk AI systems.
4. What cybersecurity gaps does AI bring?
Artificial intelligence opens up new opportunities – but also new attack vectors. In 2026, the most common threats related to AI are:
- Data Poisoning: Manipulating training data so that the AI model makes incorrect decisions. Example? In 2025, hackers poisoned the training data of a product recommendation system, causing losses of 2 million euros.
- Model Inversion: Extracting sensitive data from an AI model. An MIT (2024) study showed that it is possible to reconstruct faces from an emotion recognition model.
- Adversarial Attacks: Modifying input data (e.g., images) in a way invisible to humans but changing the model's output. In 2025, an attack on an autonomous vehicle system caused it to misidentify road signs.
- Prompt Injection: Manipulating generative AI models (e.g., ChatGPT) through specially crafted queries. In 2026, hackers used this technique to extract sensitive data from a company's internal chatbot.
How to secure AI systems?
Here are some recommended tools and methods:
- AI Red Teaming: Simulating attacks on AI systems (e.g., Microsoft Counterfit, IBM Adversarial Robustness Toolbox).
- Differential Privacy: A technique for protecting data privacy in training sets (e.g., TensorFlow Privacy).
- Explainable AI (xAI): Tools for analyzing AI model decisions (e.g., LIME, SHAP, IBM Watson OpenScale). You can read more about xAI in the article "Codex: How to program faster with artificial intelligence?".
It is also worth remembering the requirements of the AI Act, which mandates a cybersecurity risk assessment for high-risk systems (Art. 9).
5. Are your AI models transparent and explainable?
Transparency is one of the pillars of the AI Act. Articles 13–15 require that high-risk AI systems be "sufficiently transparent" and their decisions – explainable. This is particularly important in sectors such as finance, healthcare, or recruitment, where errors can have serious consequences.
The most popular tools for Explainable AI (xAI):
- LIME: Explains decisions of black-box models (e.g., neural networks).
- SHAP: Calculates the contribution of each feature to a model's decision.
- IBM Watson OpenScale: Monitors and explains AI model decisions in real-time.
- Google Explainable AI: Tools for visualizing model decisions (e.g., *Feature Attribution*).
How to document AI models?
The AI Act requires maintaining detailed technical documentation. Here are some standards worth implementing:
- Model Cards: Description of an AI model (author, training data, limitations, risks). A standard proposed by Google (2018), recommended by the AI Act.
- Data Sheets for Datasets: Documentation of datasets used to train models (standard Gebru et al., 2021).
- FactSheets: IBM standard for AI model documentation (e.g., IBM AI Fairness 360).
An example of good practice? mBank informs customers when a credit decision is made by AI, and hospitals in Sweden explain AI diagnostic results to patients.
6. How much does it cost to implement AI in a company?
Implementing AI is an investment – but is it profitable? Costs depend on the scale of the project, but here are indicative ranges for a medium-sized company in 2026:
- Compliance and AI Governance:
- Audits and certifications (e.g., ISO/IEC 42001): 20–50 thousand euros.
- Legal consulting: 15–30 thousand euros.
- Training: 5–10 thousand euros.
- Technology:
- Infrastructure (cloud or on-premise): 50–200 thousand euros/year.
- AI tools (e.g., IBM Watson, Google Vertex AI): 20–100 thousand euros/year.
- Data (purchasing datasets or labeling): 10–50 thousand euros.
- Personnel:
- Data Scientists, ML Engineers: 15–30 thousand PLN/month.
- Chief AI Officer: 30–50 thousand PLN/month.
- Maintenance:
- Monitoring and updates: 10–30 thousand euros/year.
- Cybersecurity: 20–50 thousand euros/year.
Benefits? According to McKinsey, companies implementing AI can count on:
- Reduction of operating costs by 20–40% (e.g., customer service automation).
- Sales growth by 10–25% (e.g., offer personalization).
- Reduction of maintenance costs by 15–30% (e.g., predictive maintenance).
Market examples:
- PKO BP saved 50 million PLN/year thanks to customer service automation.
- Volkswagen Poznań reduced maintenance costs by 20% thanks to predictive maintenance.
- Allegro increased conversion by 15% thanks to AI recommendations.
However, it is worth remembering the financial risks:
- Penalties for non-compliance with the AI Act: up to 35 million euros.
- Penalties for GDPR violations: up to 20 million euros.
- Reputational damage: loss of customer trust.
7. How to avoid bias in AI models?
Bias is one of the biggest ethical challenges associated with AI. Models trained on historical data can perpetuate discrimination – e.g., racial, gender, or age-based. Example? In 2025, Amazon's recruitment system was withdrawn after discrimination against women was detected.
How to minimize *bias* risk?
- Bias Audits: Regularly testing models for bias (e.g., tools like IBM AI Fairness 360, Google What-If Tool).
- Diverse Datasets: Diverse training datasets.
- Federated Learning: Training models on user devices without centralizing data.
- Synthetic Data: Generating artificial data to train models.
It is also worth familiarizing yourself with the AI Code of Ethics developed by the Polish Council for Artificial Intelligence (PRSI), which recommends, among other things:
- Regular model reviews for bias.
- Transparency regarding training data.
- Providing mechanisms for reporting errors.
Summary: Is your company ready for AI?
Implementing artificial intelligence is not just an opportunity for increased efficiency, but also a serious challenge. Before making a decision, it is worth answering 10 key questions:
- Do you know which AI Act regulations apply to your industry?
- Do you monitor *shadow AI* in your company?
- Who is responsible for AI Governance?
- What cybersecurity gaps does AI bring?
- Are your AI models transparent and explainable?
- How much does it cost to implement AI in your company?
- How to avoid bias in AI models?
- Is your data GDPR-compliant?
- Do you have a contingency plan for AI errors?
- Are your employees trained in AI?
If you answered "no" to most of these questions, it is worth holding off on AI implementation and first preparing the company for new challenges. Remember: AI is not just technology, but also responsibility – legal, ethical, and business-related.
If you want to deepen your knowledge about AI, we recommend the articles on this blog:
- "The Modern AI Bible: All Courses, Tools, Repositories, and Technologies in One Place".
- "Codex: How to program faster with artificial intelligence?".
- "Utopia or Doomsday? The future of artificial intelligence at a crossroads".
Sources
- https://www.gazetaprawna.pl/nowe-technologie/ai/artykuly/11271157,10-pytan-ktore-powinien-zadac-sobie-kazdy-zarzad-przed-wprowadzeniem-ai.html
- https://eur-lex.europa.eu/legal-content/PL/TXT/?uri=CELEX%3A52021PC0206
- https://isap.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU20250000456
- https://www.knf.gov.pl/knf/pl/komponenty/img/AI_ryzyko_2026_98765.pdf
- https://uodo.gov.pl/pl/561/2194
- https://www.gartner.com/en/documents/4012345
- https://www2.deloitte.com/pl/pl/pages/technology/articles/ai-w-polsce-2026.html
- https://uodo.gov.pl/pl/138/2456
- https://www.iso.org/standard/77304.html
- https://www.nist.gov/itl/ai-risk-management-framework
- https://www.gov.pl/web/ai/strategia-ai
- https://www.enisa.europa.eu/publications/securing-machine-learning-algorithms
- https://news.mit.edu/2024/model-inversion-attacks-ai-0315
Comments