Clarendon
2026 Regulatory Intelligence
Phil Reddin ACII · LIB · QFA  |  Clarendon Training Ireland Limited
The Governance Paradox
Your GRC platform monitors AI. It does not govern it.
Here is what the Central Bank of Ireland will actually ask for and who is personally accountable when they do.
AI Governance Obligations: What Every Irish Financial Services Firm Must Have in Place
Credit Unions  ·  Wealth Managers  ·  IFA Networks  ·  Building Societies
Domain: AI Literacy
Deadline: Live Feb 2025 · Article 4 EU AI Act
Who Is Personally Liable: CEO / PCF 14 Head of Compliance
What Good Looks Like: Documented, role specific training programme. Evidence of staff competency by AI system type.
First 30 Days Action: Conduct AI inventory. Identify every tool staff use that meets the EU AI Act definition.

Domain: Prohibited AI Practices
Deadline: Live Feb 2025 · Article 5 EU AI Act
Who Is Personally Liable: Board / CEO
What Good Looks Like: Confirmed absence of Article 5 prohibited practices. Documented and board signed off.
First 30 Days Action: Review all AI tools against Article 5 prohibited list. Document findings and obtain board sign off.

Domain: Consumer Protection
Deadline: 24 Mar 2026 · Consumer Protection Code 2025 + CBI Guidance on Securing Good Consumer Outcomes
Who Is Personally Liable: Relevant PCF Holder (e.g., PCF-14, PCF-8, PCF-45)
What Good Looks Like: Auditable human in the loop protocols for automated lending or advice decisions. Aligned to CBI Guidance on Securing Good Consumer Outcomes. The CBI cares less about your policy and more about the consumer outcome.
First 30 Days Action: Map every customer facing AI touchpoint. Confirm human override and documented consumer outcome exists at each AI decision point.

Domain: Explainability
Deadline: 24 Mar 2026 · EU AI Act + Consumer Protection Code 2025
Who Is Personally Liable: Relevant PCF Holder (e.g., PCF-14, PCF-8, PCF-45)
What Good Looks Like: Documentation answering three questions for every AI decision: what data was used, how it was weighted, why that outcome. This documentation must be pre-emptive. It must exist before the decision is made. Not when the regulator asks.
First 30 Days Action: Implement Explainability Documentation Framework. Build decision template library by use case. Most firms are failing this test right now.

Domain: High Risk AI
Deadline: Aug 2026 · EU AI Act Annex III
Who Is Personally Liable: Board / CRO
What Good Looks Like: AI risk classification register. Early engagement with the CBI Innovation Hub before deploying any Annex III system.
First 30 Days Action: Classify all AI systems against Annex III criteria. Flag high risk systems to board now.

Domain: Individual Accountability
Deadline: Live Now · IAF / SEAR (see Credit Union note)
Who Is Personally Liable: Relevant PCF Holder personally. Note: SEAR (Duty of Responsibility) currently applies to Banks, Insurers and Investment Firms only. For Wealth Managers and Credit Unions, liability stems from the Administrative Sanctions Procedure (ASP) and IAF Conduct Standards.
What Good Looks Like: AI governance explicitly mapped in Management Responsibility Map. For SEAR in scope firms: AI governance as a Prescribed Responsibility in the Statement of Responsibilities (SoR).
First 30 Days Action: Map AI accountability to named PCF Holders in MRM. Confirm SEAR scope with legal counsel. All firms: review Conduct Standards obligations regardless of SEAR status.

Domain: Data Provenance
Deadline: Live Now · GDPR + EU AI Act
Who Is Personally Liable: DPO / CRO
What Good Looks Like: Data Provenance Register covering all AI training data sources, data flows and lineage.
First 30 Days Action: Audit all AI training data sources. Establish provenance register. Identify third party data dependencies.

Domain: Operational Resilience
Deadline: Enforced / Live · DORA — fully enforced since 17 January 2025
Who Is Personally Liable: Board / CTO
What Good Looks Like: AI service providers classified as Critical Third Party Providers where applicable under DORA. ICT risk register reflects all AI system dependencies.
First 30 Days Action: Verify AI ICT Risk is included in the 2026 Digital Operational Resilience Strategy. Not next year. Now.

Credit Union Note: Supervised by the Registry of Credit Unions (RCU), a department within the Central Bank of Ireland. AI governance must integrate directly with the Risk Management Function (RMF) under the Credit Union Act 1997 (as amended). The RCU expects AI to be reflected in the Annual Compliance Statement and the Internal Audit plan. Credit Unions deploying third party AI tools must also address Third Party Risk under the CBI Outsourcing Guidance (2021) — outsourcing does not transfer accountability. SEAR does not currently apply to Credit Unions. IAF Conduct Standards do. Enforcement follows the Administrative Sanctions Procedure (ASP), updated 2023.
A note on supervisory philosophy: the Central Bank of Ireland cares less about your policy and more about the consumer outcome. Outcomes-based regulation means your documentation must demonstrate results, not process.