Technology Portfolio Management (TPM) Best Practices
Govern AI regulatory compliance as an explicit technology governance obligation
Overview
AI regulatory compliance has moved from a planning concern to an enforcement reality. The EU AI Act — Regulation (EU) 2024/1689 — entered into force in August 2024 and is applying its requirements on a staged timeline, with prohibitions on unacceptable-risk AI systems effective from February 2025 and obligations for high-risk AI systems and general-purpose AI models applying from August 2025 and August 2026 respectively. Organizations operating in or selling into EU markets are now subject to binding regulatory requirements for the AI systems they develop, deploy, or use — requirements that include risk classification obligations, conformity assessment requirements, transparency and documentation obligations, and for high-risk systems, registration in the EU AI Act database. (Source: EU AI Act, Regulation (EU) 2024/1689, Official Journal of the European Union.)
This is a technology governance obligation of the same order as the compliance obligations that GDPR, NIS2, DORA, and the Cyber Resilience Act impose on other technology categories. It belongs in the TPM governance framework — specifically in the Technologies Inventory’s compliance profile attributes and in the technology assessment framework’s secondary assessment dimensions — rather than in a separate, disconnected AI compliance process. Organizations that govern AI regulatory compliance within the TPM framework gain the inventory visibility, the assessment integration, and the governance reporting that managing it in isolation cannot produce.
Best Practice
Govern AI regulatory compliance through three integrated disciplines within the TPM framework.

Risk classification: assess every AI system and AI platform in the Technologies Inventory against the EU AI Act’s four-tier risk classification framework — Prohibited, High-Risk, Limited-Risk (transparency obligations), and Minimal-Risk — using the use-case and sector criteria the Act specifies for each tier. Record the risk classification as a required attribute of every AI technology record in the Technologies Inventory. AI systems classified as Prohibited must be removed from the portfolio. AI systems classified as High-Risk require conformity assessment, technical documentation, human oversight mechanisms, and registration in the EU database before deployment or continued use. AI systems with transparency obligations require disclosure to end users that they are interacting with an AI system.
Compliance documentation: maintain the technical documentation required by the EU AI Act for every High-Risk AI system in the portfolio — covering the system’s intended purpose, design logic, risk management measures, data governance practices, accuracy and robustness metrics, and human oversight provisions — as a governed artifact connected to the technology record in the Technologies Inventory. Apply the same documentation governance standards to this compliance documentation as to other governance artifacts: named owner, defined review cadence, version control, and audit accessibility. For general-purpose AI models used in the portfolio — large language models, foundation models, and their derivatives — apply the Act’s transparency and documentation requirements for model providers where applicable and the downstream deployer obligations where the organization is deploying rather than developing these models.
Compliance monitoring: include AI regulatory compliance status as a dimension in the technology assessment cycle for all AI platforms and systems, reviewing the classification and compliance posture of every AI technology in the portfolio at least annually, and on an event-driven basis whenever a material change occurs — a new use case that places the system in a different risk tier, a regulatory guidance update that clarifies an obligation’s scope, or a system modification that affects its risk classification. Connect AI regulatory compliance monitoring to the broader compliance tracking discipline in the Technologies Inventory described in the Security, Compliance, and Technology Risk subsection, so that AI regulatory risk is visible to enterprise risk governance alongside all other technology compliance obligations.
Benefit(s)
Governing AI regulatory compliance within the TPM framework — rather than in a standalone compliance process disconnected from technology governance — produces compliance outcomes that are more complete, more sustainable, and more efficiently governed. Every AI system in the portfolio is classified against the applicable regulatory framework, eliminating the inventory gaps that standalone compliance processes consistently produce when they rely on business unit self-reporting rather than governed inventory data. Compliance documentation is maintained continuously rather than assembled under audit pressure. And the integration of AI regulatory compliance into the standard technology assessment cycle ensures that compliance status is reviewed and updated as the portfolio and the regulatory requirements evolve, rather than becoming stale between periodic standalone compliance reviews.
Copyright for the International Foundation for Information Technology (IF4IT): 2008 - Present