The AI Officer: Does Your Company Need One?
No law mandates an AI officer the way the GDPR does for data protection. Here is why the role still makes sense, and what the EU AI Act and ISO 42001 really require.
In short
The EU AI Act does not mandate a dedicated AI officer, unlike the GDPR for data protection officers. But it does require clearly assigned responsibilities: it demands competent human oversight for high-risk AI, ISO/IEC 42001 requires clearly defined roles, and top management remains accountable. A named person or small committee is almost always the simplest way to assign that responsibility.
"Do we need an AI officer, the way we have a data protection officer?" The honest answer: there is no legal obligation to appoint one. But the role almost always makes sense.
No legal obligation, unlike the DPO
Under certain conditions, the GDPR requires companies to appoint a data protection officer. The EU AI Act contains no comparable, legally mandated "AI officer." So anyone waiting for an appointment obligation will wait in vain, and waste valuable time in the meantime.
What the law and the standard do require
- EU AI Act: deployers of high-risk AI must assign human oversight to competent people and define responsibilities (among others, Art. 26). The AI literacy obligation (Art. 4) also needs someone to organise it.
- ISO/IEC 42001: the standard requires clearly defined roles and responsibilities for AI, as well as accountability of top management. Responsibility must be assigned and documented.
In other words: there is no obligation to appoint a specific person, but there is an obligation to assign responsibility clearly. And that needs someone to own it.
What the role actually does
- Maintain an overview of all AI systems in use (an inventory).
- Initiate and track risk and impact assessments.
- Maintain the AI policy and ground rules, and organise training (AI literacy).
- Act as a point of contact, internally as well as for clients, auditors and supervisory authorities.
- Build a bridge between management, IT, data protection and the business units.
One person or a committee?
For small and mid-sized companies, a single named person in a part-time role is usually enough, ideally with a short line to management and close ties to data protection and information security. In larger or heavily regulated organisations, a small AI committee works well. What matters is not the title, but that responsibility is assigned unambiguously and documented in a way others can follow.
One thing stays true: top management carries the responsibility. The AI officer coordinates and takes operational load off leadership, but does not relieve management of its accountability.
AI governance is not made by a title, but by the clear, documented assignment of responsibility. An AI officer is the simplest path to get there.
Frequently asked questions
Is an AI officer legally required?
No. Unlike the GDPR with its data protection officer, the EU AI Act does not require you to appoint an AI officer. However, responsibilities and human oversight must still be clearly assigned and documented.
Can the data protection officer take this on as well?
Partly yes, given the proximity to data protection and risk. But watch out for sufficient capacity and possible conflicts of interest, since AI governance is considerably broader than data protection alone.
What does ISO 42001 say about the role?
ISO/IEC 42001 requires clearly defined roles and responsibilities for AI, as well as accountability of top management. A named responsible person or a committee is exactly what implements this.
Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & ISO/IEC 27001 Lead Auditor (PECB)
Last updated: 27 May 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.