AI Governance in the Public Sector: A Systemic Approach to AI Management

March 2, 2026

The integration of artificial intelligence into public administration has long gone beyond PR statements about «digital innovations». Today, it’s a matter of system survival: its operational resilience, legal integrity, and cybersecurity. For Ukraine, which is confidently moving towards the European legislative framework, implementing AI without a clear governance model is not just a technical error, but a direct reputational and financial risk.

AI Governance is not a new layer of bureaucracy. It is an architecture of responsibility. It covers the entire lifecycle of a system: from the moment you plan software procurement to its complete decommissioning years later. It’s about real-time risk control.

Regulatory Framework: What the EU AI Act Changes for Public Authorities

The European regulation dictates a strict risk-oriented approach. For the public sector, this means we can no longer simply «launch a chatbot» or data analysis system without preparation. Key requirements include:

  • Clear classification of systems by risk level (from minimal to unacceptable).
  • Mandatory conformity assessment for high-risk systems.
  • Maintenance of detailed technical documentation and logs.
  • Guaranteeing the human right to explanation: why did the algorithm make this particular decision?
  • Implementation of real human oversight (Human-in-the-loop).

It is critically important to embed these requirements at the stage of forming the technical specification, rather than trying to «bolt them on» to an already finished product after launch.

Responsibility Model: Who is Responsible for What?

In the public sector, the key is the distribution of roles between the developer and the public authority, so that in case of an error, there are no «scapegoats». This model consists of three links:

1. Provider (Developer): Responsible for the «engine» — the solution architecture, model quality, technical documentation, and initial safety assessment.

2. Implementer (Public Authority): The one who directly uses the system. They are responsible for the legality of data processing, the quality of datasets, and the actual application of AI results.

3. Oversight Mechanism: An internal audit function or regulator that monitors compliance with regulations and conducts regular checks.

It is worth highlighting responsibility for bias separately. If a public authority uses incorrect or outdated data from registers, the responsibility for discriminatory consequences falls precisely on the implementer, not on the programmers.

Institutional Function: AI Officer

An effective governance model does not require the creation of new departments but necessitates a defined role for an AI Officer. Ideally, this function is assigned to the CDTO’s office. Such a specialist should:

  • Maintain a register of all AI systems within the agency.
  • Coordinate AI Risk Assessment.
  • Monitor the transparency and «explainability» of algorithms.
  • Interact with auditors.

Full Lifecycle of an AI System

AI management should be a cyclical process, not a one-time event. It includes seven key stages:

  1. Initiation: Assessment of legal grounds and initial risk analysis.
  2. Procurement: Inclusion of EU AI Act requirements in tender documentation.
  3. Testing: Bias checks and cybersecurity stress tests.
  4. Operation: Continuous performance monitoring.
  5. Drift Control: Automatic tracking of changes in data and model (data drift).
  6. Audit: Regular external and internal reporting.
  7. Decommissioning: Safe removal of the system from operation and archiving of logs.

Cybersecurity and Financial Feasibility

AI systems open up new opportunities for attacks, which is critical in wartime conditions. Protection against «data poisoning» and prompt injection is needed. AI Governance should become part of the overall information security system (ISO 27001).

The costs for such governance typically range from 5% to 15% of the project budget. This is a small price for protection against lawsuits, millions in fines, and — most importantly — the loss of public trust. For the state, public trust is the most valuable resource.

What’s the bottom line?

Ukraine is integrating into the EU digital market. This means that the architecture of our solutions must be «compliance by design». The IQusion IT team is ready to become your partner in implementing AI Risk Assessment and preparing for the requirements of the EU AI Act, creating not just innovations, but an infrastructure of trust.