EU AI Act readiness: the first step towards compliance with the AI Act

EU AI Act readiness: the first step towards compliance with the AI Act

EU Act readiness

The AI Act (EU AI Act) has been adopted in the EU and is expected to be incorporated into the EEA Agreement. At the same time, the use of artificial intelligence is growing rapidly in both the public and private sectors.

For many leaders, the question is no longer whether the organisation uses AI, but how much it is used, which processes it affects, and which requirements may become relevant when the regulation takes effect.

The challenge is that many organisations lack sufficient visibility to be able to answer these questions. This is where AI Act readiness comes in.

What is AI Act readiness?

AI Act readiness is a structured assessment of an organisation’s use of artificial intelligence, with the aim of identifying how the AI Act may affect the organisation.

The assessment gives leadership a basis for understanding:

  • which AI systems are in use
  • which processes are affected by AI
  • which parts of the organisation may be subject to stricter requirements
  • which actions should be prioritised going forward

The goal is not to document full compliance with the AI Act. The goal is to gain sufficient visibility and understanding to plan further work in a risk-based manner.

AI Act readiness rådgivere

Why should organisations start now?

For most organisations, the greatest challenge will not be writing documentation or establishing new procedures. The greatest challenge will be understanding how artificial intelligence is actually being used within the organisation.

The larger the organisation, the more difficult this becomes.

AI is used today through:

  • generative AI tools such as ChatGPT, Copilot and Gemini
  • AI features in existing business systems
  • analytical and decision-support tools
  • supplier solutions that contain AI functionality

Many organisations may therefore have a significantly larger AI portfolio than leadership is aware of.

The AI Act does not affect all organisations equally

The AI Act is risk-based, and the implications of the regulation depend largely on how AI is used. This means no one can determine how significant the AI Act will be without first mapping the organisation’s AI portfolio.

What does an AI Act readiness assessment include?

A typical assessment will cover the following.

Mapping the AI portfolio

Which AI solutions exist within the organisation?

Analysis of use cases

Which processes, decisions and tasks are affected by AI?

Assessment of regulatory exposure

Could any of the solutions fall within the high-risk categories of the AI Act?

Assessment of governance and control

Does the organisation have adequate guidelines, roles and processes for AI use?

Identification of measures

Which areas should be prioritised going forward?

AI Act readiness provides a basis for decision-making

It is easy to jump straight into discussions about AI governance, AI policy or ISO 42001.

For many organisations, however, it is difficult to know which actions are necessary before they have gained an overview of the current situation.

An AI Act readiness assessment gives leadership a fact-based foundation for assessing risk, priorities and further work.

For some organisations, the assessment will show that current AI use represents limited regulatory risk. For others, it may reveal the need for more extensive action relating to governance, documentation and internal control.

Vurdering av AI Act

Start with an overview

The AI Act will not affect all organisations in the same way. The significance of the regulation depends on the organisation’s AI portfolio, use cases and risk profile.

Therefore, the first and most important step is to establish visibility.

Organisations that begin this work early will be better placed to meet both regulatory requirements and the continued development of artificial intelligence.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

Quality management with a central framework and local adaptations

Quality management with a central framework and local adaptations

Quality management central frameworks in QMS

When multiple organisations need to collaborate on quality management, a shared challenge frequently arises: how to share structure, requirements and best practice whilst allowing each organisation to adapt the system to its own operations. Whether it involves a group with established HSEQ functions or collaboration between independent organisations, the goal is to strike the right balance between standardisation and local control.

Certain QMS has been developed precisely for this purpose, with a solution that makes it possible to build on a shared quality framework whilst each organisation retains ownership of its own quality management system.

When multiple organisations need to benefit from the same quality framework

In groups and larger organisations with dedicated HSEQ resources, established structures and extensive documentation in the management system typically already exist. The challenge is often to ensure that this content is accessible and straightforward to adopt across all parts of the organisation — across departments and business units.

In alliances and industry collaborations, the starting point is often different. Here, the collaboration typically consists of organisations with limited capacity to develop and maintain a fully functioning quality management system on their own. The need is therefore access to ready-made structures, templates and recommended working methods that can serve as a starting point within their own organisation.

Both situations require a solution that enables quality content to be shared in a structured way, whilst allowing each organisation to adapt the system to its own circumstances and responsibilities.

Support for a shared quality framework with local adaptations

Certain QMS has been developed to support both of these scenarios. The solution can be used both in organisations where shared quality frameworks are defined centrally, and in collaborations where independent organisations have agreed to develop and use shared structures, templates and working methods for quality management.

One master solution – separate quality management systems

A central “master solution” is established, functioning as a shared quality framework with structure, templates and a recommended configuration for the quality management system. The content of the master solution is developed and maintained by a central HSEQ function or a working group with representatives from the various organisations.

Each company receives its own installation of Certain QMS, based on and integrated with the master solution. This provides a shared structure and content, whilst each company has its own users, its own data and full ownership of its own quality work.

In this way, multiple organisations can work within the same quality framework, whilst the system can be adapted to local operations.

How it works

The master solution in Certain QMS can be configured and adapted at several levels, functioning both as a template for system configuration and as a shared starting point for governing documents. These two elements are handled somewhat differently.

Master solution as a template for system structure and modules

Certain QMS consists of several modules for quality management. The master solution can contain ready-made configurations, structures and templates, for example for:

  • Document structure and folder structure
  • Processes and workflows
  • Non-conformity handling and categorisation
  • Risk analyses and risk templates
  • Checklists
  • Annual planners and scheduled activities

When a local installation is created, this configuration is copied from the master solution and used as the starting point for the organisation’s own quality management system.

Once the local installation has been established, the organisation is free to:

  • Modify structures
  • Adjust processes
  • Add or remove content
  • Adapt the system to its own operations

If improvements or changes are subsequently made to the master configuration, these can be transferred to local installations as required — but this is carried out as a managed update, initiated by the system administrator.

This gives the organisation full control over its own quality management system, whilst retaining the option to adopt improvements developed centrally.

Governing documents: continuous synchronisation and local extension

For governing documents, the solution is more dynamic — precisely because this is content that often needs to be kept up to date across organisations.

Documents managed in the master solution are shared with local installations through continuous synchronisation. The system checks at regular intervals whether there are new or revised documents to be made available locally.

 

Examples of governing documents often managed centrally:

  • Top-level policies for quality, HSE and internal control
  • Shared procedures for non-conformity handling and improvement work
  • Guidelines for risk assessment and use of risk matrices
  • Requirements for documentation, traceability and archiving
  • Emergency procedures and notification routines
  • Routines for training and competence assurance
  • Audit programmes and methodology for internal audits
  • Guidelines for supplier follow-up and procurement
  • Templates for work instructions and checklists

 

When documentation is updated centrally:

  • Local users are notified by email
  • They are informed which documents are new or changed
  • It can be assessed whether local adaptations need to be updated

At the same time, each organisation is free to add its own local documents that are not linked to the master solution.

How local extensions work in governing documents

For documents originating from the master, a simple and clear model is used for local adaptation:

The main body of the document is locked for editing, but a dedicated field is available for local clarifications and additions. When this is used, the document is referred to as an extended document.

In this way, the following are preserved:

  • Shared wording and requirements in the main document
  • Whilst local practice can be clearly and correctly documented
Certain QMS eksempel styrende dokument med lokal tilpasning

Example of a governing document where the main content is managed centrally, whilst local clarifications are added in a dedicated field as part of an extended document.

Two purposes – one solution

The master solution in Certain QMS thus supports two distinct needs:

  • as a template for system configuration and quality structure, where local installations are built on a shared foundation
  • and as a shared source for governing documents, with ongoing updates and clear handling of local adaptations

This provides both flexibility in system use and confidence that shared requirements and procedures can genuinely be kept up to date across organisations.

Mirjam Meling

Mirjam Meling

Marketing & Communications Manager

Produces content for Certain QMS on management systems, quality management, information security, and AI governance. She collaborates with subject matter experts to communicate complex topics in a clear and practical way.

Hallucinations, bias and black boxes: the AI risks leaders need to understand

Hallucinations, bias and black boxes: the AI risks leaders need to understand

AI risk

Artificial intelligence is finding its way into an ever-growing number of business processes. Employees use AI to write, analyse, summarise, search for information and generate decision support. Many organisations are also experimenting with AI solutions that integrate with internal systems, documents and workflows.

For many leaders, AI feels primarily like a new type of software. But this is precisely where much of the challenge lies. AI works in a fundamentally different way from most of the systems organisations are accustomed to managing and controlling.

Traditional software follows rules. AI works with probabilities. Traditional systems are built to be predictable. AI is built to handle uncertainty. This gives rise to risks that many leaders have not previously had to contend with.

Lack of determinism and predictability

Most IT systems are deterministic. This means that the same input normally produces the same output.

If a customer orders a product, the order is recorded. If an invoice is overdue, a reminder is sent. If a user lacks access, they cannot log in. The system does what it is programmed to do.

Modern AI works differently. A language model is not built around fixed rules for every possible situation. It is trained on enormous volumes of text and calculates which responses are statistically most likely based on what it has learned.

The result is that AI can solve tasks it has never explicitly been programmed to handle. At the same time, its behaviour becomes less predictable. Two people can ask roughly the same question and receive different answers. Small changes in phrasing or context can significantly affect the outcome.

This is not necessarily a flaw in the technology. It is a characteristic of how modern AI works. But it means that AI must be assessed differently from traditional systems built around fixed rules and predictable processes.

Hallucinations and factual errors

One of the most widely discussed risks of generative AI is hallucinations.

The term describes situations where an AI model produces information that appears plausible and convincing but is actually incorrect. The model can fabricate sources, references, events, quotations or facts without understanding that the information is false.

For many leaders, this is an unfamiliar type of error. When an accounting system calculates the wrong VAT, it is perceived as a system fault. When an AI model presents incorrect information, it can do so in a way that appears both logical, well-structured and professionally credible.

The problem is therefore not simply that AI can be wrong. The problem is that the errors are often difficult to detect.

This is because language models are not built to assess what is true. They are built to generate the most probable answer based on the patterns they learned during training. In most cases, this produces impressive results. But when the model lacks information or misunderstands the context, it can produce answers that appear correct without being so.

Diskusjon om AI risiko

Data quality, bias and skewed outcomes

AI models are a product of the data they learn from.

If the underlying data is incomplete, outdated or contains systematic biases, this will often affect the results the model produces. This applies both to general language models and to organisation-specific AI solutions that are trained or fine-tuned on internal data.

Bias is one of the most commonly used terms in AI risk. It describes situations where a model systematically favours or discriminates against certain groups, perspectives or outcomes.

In practice, the challenge is often more complex than the model simply being “biased”. The model largely reflects the patterns it finds in the data it has been exposed to. If historical data contains biases, AI can perpetuate or amplify them.

Data quality is therefore not only about having correct data. It is also about representativeness, relevance and context. Two models using the same technology can produce very different results depending on the data they are built on.

Lack of explainability and transparency

In many organisations, it is important to be able to explain why a decision was made. This is particularly true in quality, audit, compliance, information security and other areas where traceability is central. AI challenges this principle.

Many modern models function as what is often referred to as a “black box”. You can observe which data goes in, and you can see the result that comes out. But it is not always possible to explain exactly how the model arrived at its conclusion.

This does not mean that AI is necessarily uncontrollable. But it does mean that explainability is often weaker than in traditional rule-based systems.

The more advanced the model becomes, the more difficult it can be to understand which factors influenced the result. For organisations that depend on documentation, audit trails and verifiability, this represents a new type of challenge that many have not previously encountered.

AI risikostyring rådgiver

Automation bias and over-reliance

Perhaps the most underestimated AI risk is not about algorithms or technology. It is about people.

Automation bias is an established term in decision support research, describing people’s tendency to place excessive trust in recommendations from technological systems.

This phenomenon is not new. It has been observed in everything from aviation to medical diagnostics. But generative AI makes the issue more pressing than ever.

When an AI model delivers fast, well-formulated and apparently intelligent responses, it is natural to attribute high value to its recommendations. Over time, people can become less critical and spend less effort on their own assessments.

The risk is therefore not necessarily that AI makes decisions independently. The risk is that people gradually begin to trust the technology without carrying out the professional quality assurance the situation demands.

The better AI becomes at communicating, the more important it becomes to remember that a persuasive answer is not necessarily a correct one.

A technology with new strengths – and new weaknesses

Artificial intelligence represents a significant technological leap, but it also introduces a risk landscape that differs from that of traditional software.

Hallucinations, bias, lack of explainability and automation bias are not necessarily signs that the technology is performing poorly. On the contrary, they are often a consequence of how modern AI is built and why it is so powerful.

For leaders, the task is therefore not to become experts in machine learning or neural networks. It is to understand that AI has different characteristics from the systems organisations have traditionally worked with.

The better one understands these characteristics, the better placed one is to assess both the opportunities and the limitations the technology brings.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

Quality management in the power and energy sector

Quality management in the power and energy sector

Certain quality management system kvalitetsarbeid kraft og energibransjen

The power and energy sector is characterised by a level of responsibility that extends far beyond the individual organisation. Grid companies and energy companies manage critical infrastructure, national security and emergency preparedness, often with small organisations and limited resources.

At the same time, strict requirements apply to documentation, traceability, risk management and compliance with laws and regulations. This includes requirements related to emergency preparedness, the handling of grid-sensitive information and compliance with regulations, where availability, confidentiality and information governance are central elements.

Quality management in the sector is not generic

When the quality management system becomes a side project

In this context, quality management is not an administrative support function but a prerequisite for safe operations. Nevertheless, many organisations find that in practice the quality management system becomes something that “sits alongside” the actual day-to-day work. Procedures are documented but rarely used. Checklists exist but lead a life of their own. Risk analyses and emergency plans are seldom updated – not because they are unimportant, but because many quality management systems are not adapted to the need for continuous use in an operational environment. This is a particular challenge in a sector where emergency plans, exercises and measures under the Power Emergency Preparedness Regulation require that documentation is actually up to date, accessible and known throughout the organisation.

A tailored system – not a lack of ambition

Experience from the power and energy sector shows that this challenge is rarely about a lack of will or ambition. It is about whether the quality management system is actually designed for the sector’s structure, responsibilities and ways of working. For power and energy companies, this means choosing a quality management system that not only documents requirements but actually makes them easier to fulfil – in operations, in the field and in emergency situations.

Certain quality management system quality management power and energy sector

Small organisations and major requirements

Many power and energy companies are small and medium-sized enterprises.

They often have few administrative resources, yet are still responsible for:

  • Internal control and document management
  • HSE, emergency preparedness and risk management
  • Compliance with regulations
  • Follow-up of fieldwork, vehicles, equipment and technical installations

In addition, knowledge must be shared, employees kept up to date, and management must maintain oversight, often across roles, disciplines and locations.

Fragmented tools and increasing complexity

The challenge is not a lack of will or competence. The challenge is that many solutions have been developed without sufficient regard for how power and energy companies actually work. The result is often fragmented tools, overlapping documentation and a working environment in which employees must navigate multiple systems to find what they need.

Quality must be a shared working tool

For small organisations, this becomes particularly demanding. When the quality management system is perceived as something separate from the daily work surface, the risk increases that it will only be used by a few – typically quality managers – rather than serving as a shared working tool for the entire organisation.

When the quality management system exists but creates no value

In the power and energy sector, there is rarely a shortage of documentation. Procedures, checklists and routines are often well described and technically sound. Nevertheless, many organisations find that their quality management work does not deliver the desired effect in practice.

The challenge rarely lies in what is documented, but in how it is structured, made accessible and used in everyday work. When the quality management system is perceived as something that exists alongside actual operations, it becomes difficult to ensure that procedures are actually followed, that checklists are used correctly, and that risk and emergency preparedness work is kept alive over time.

Typical signs of this include:

  • Documents that are technically correct but rarely used
  • Checklists completed without a clear link to follow-up and accountability
  • Risk analyses not connected to actual work processes
  • Emergency preparedness documentation that is difficult to locate when needed

When emergency preparedness documentation and information about critical installations is difficult to access in normal circumstances, the risk of mishandling also increases when incidents actually occur – particularly where grid-sensitive information must be shared quickly but in a controlled manner.

Risk to governance, safety and trust

For power and energy companies, where both safety and availability are critical, this is more than a question of efficiency. It is a matter of governance, compliance and trust – both internally and externally. Experience from the sector shows that quality management only creates real value when structure and use are adapted to the organisation’s actual responsibilities, ways of working and risk exposure.

This is precisely where the difference between a quality management system that merely exists and one that genuinely supports operations and emergency preparedness becomes clear. In the next section, we take a closer look at what characterises value-creating quality management in the power and energy sector.

Certain quality management system quality management power and energy sector

Value-creating quality management starts with structure – not volume of documents

In the power and energy sector, it is easy to end up with quality management systems that grow in scope but not in value. New requirements lead to new documents, new routines and new checklists – often without making the overall picture clearer or more usable.

Value-creating quality management takes the opposite approach: structure first, then content. It requires a system built to reflect the organisation’s actual structure, responsibilities and risk profile – not a generic folder or document structure. This is precisely the gap that Certain QMS is built to address: one coherent structure that makes quality management achievable in everyday work – not just correct on paper.

Certain QMS: One integrated system for operations and follow-up

Certain QMS has been developed with this as a central professional starting point. The system is built to connect documents, processes, risk, non-conformances, checklists and annual planning cycles in one coherent structure. This makes it possible to view quality management as a whole, where requirements, measures and follow-up are linked together, and where these connections are visible to both management and employees.

The combination of module interplay and the ability for controlled sharing and local adaptation is one of the main reasons why many power and energy companies choose Certain QMS.

The master solution in practice – shared governance and local adaptation

In the power and energy sector, there is often a strong need for shared practice and clear governance, while at the same time the operational reality varies significantly between companies. Many are organised within corporate groups, partnerships or alliances where responsibilities, regulations and emergency preparedness must be understood in the same way, while actual implementation takes place locally. To achieve this in practice, a model is needed that both provides a shared professional foundation and allows room for local adaptations. This is what we refer to as a master solution – an overarching solution that manages shared content and structure, and which can be distributed in a controlled manner to subsidiary companies.

One solution per company – one shared master

In Certain QMS, this is addressed by giving each company its own solution, tailored to its own organisation, operations and responsibilities. At the same time, a separate master solution can be established that functions as an overarching professional level. This master is used to manage shared structures, procedures, checklists and documentation that are intended to set norms across companies, whether within a corporate group or a sector partnership.

Shared ownership of requirements and regulations

The master solution is typically owned by the corporate group or a central professional team, and represents a shared interpretation of requirements, regulations, roles and responsibilities. This is where overarching documents are maintained and developed. Subsidiary companies can import this content into their own solutions, ensuring they always start from the same professional foundation. In practice, this enables faster onboarding of new companies or units, more consistent compliance and less local maintenance work, while each company retains control over its own operations.

Controlled sharing and version management

An important point is that this does not involve uncontrolled copying of documents. The transfer from the master takes place in a controlled manner, with clear ownership and version management. When master content is updated, companies are notified and can decide how the change should be implemented locally. In this way, shared governance is combined with local decision-making authority.

Local specifications without breaking the structure

At the same time, the solution is built to allow each company to extend and supplement shared content with local specifications. Documents sourced from the master can be expanded with local clarifications, additions and descriptions relating to the company’s own installation types, geographical conditions or ways of working. These local adaptations are added without breaking the connection to the shared content and without losing overall visibility.

Example: Shared emergency preparedness and local reality

A grid company can, for example, take a shared emergency preparedness procedure as its starting point, and supplement it with local descriptions relating to its own transformer substations, grid network or emergency response organisation. What is shared remains recognisable, while local responsibilities are clearly documented in the company’s own solution.

Structured flexibility over time

When the master solution is used in this way, it delivers quality management that is both structured and flexible. Corporate groups or partnerships gain visibility, consistency and the opportunity to learn across the organisation, while each individual company retains ownership of its own operations. For the power and energy sector, where requirements are numerous and the consequences of errors can be significant, this provides quality management that is robust, practical and capable of being used correctly – over time.

Certain QMS system quality management power and energy sector

From shared structure to practical application

When quality management is anchored in a clear master structure, the conditions for how the system is actually used within the organisation change. Structure and content are linked in a way that differs from traditional solutions, and quality management becomes more closely tied to real work tasks and responsibilities.

An integrated part of operations and management

For power and energy companies, this means that requirements for internal control, HSE, emergency preparedness and documentation no longer appear as separate activities, but as an integrated part of operations. When shared procedures, checklists and risk descriptions are established at an overarching level, it becomes easier to put them into practice locally – in planning, execution and follow-up.

Clear frameworks in small organisations

This is particularly significant in small and medium-sized organisations, where the same person often has responsibility for several disciplines. When the quality management system is structured in line with the organisation’s actual structure and ownership, the need to “translate” requirements into practice is reduced. It becomes clear what applies, who is responsible and how work should be documented.

When quality management delivers real value

Over time, this means that quality management feels less like an add-on and more like a support in everyday work. Documents are used more frequently, checklists are followed up more systematically, and the connection between risk, measures and operations becomes clearer. This is where many organisations find that quality management begins to deliver real value.

Quality management that supports safe operations and emergency preparedness

In the power and energy sector, quality, safety and emergency preparedness are closely intertwined. Requirements for availability and security of supply mean that errors, deficiencies or unclear responsibilities can have serious consequences. It is therefore essential that quality management not only documents how things should be done, but actually supports the organisation when it matters most.

Emergency preparedness that is accessible when it matters

When the quality management system is built around a shared structure and clear frameworks, it becomes easier to keep emergency preparedness-related documentation up to date and accessible. Risk analyses, emergency plans and operational procedures can be linked directly to the processes and installations they relate to, making them easier to find and use – even under time pressure.

Systematic improvement based on experience

At the same time, this approach provides better conditions for working systematically on improvement. Experiences from incidents, non-conformances or exercises can be followed up in a way that both addresses local circumstances and contributes to cross-organisational learning. Changes made centrally can be communicated in a controlled manner, while local adjustments are documented where they belong.

Supporting the organisation's public service mission

The result is quality management that more effectively supports the organisation’s public service mission. It gives management better oversight, employees clearer frameworks, and the organisation as a whole greater confidence that requirements for safety, emergency preparedness and compliance are actually met in practice – not just in the documentation.

Certain quality management system kvalitetsarbeid kraft og energibransjen

Secure information flow, sensitivity and access in practice

The power and energy sector handles information that in many cases is security-critical. Documentation relating to installations, emergency preparedness, risk assessments and operational procedures must be accessible to those who need it, while at the same time being protected from unauthorised access. This places high demands on how information is structured, shared and managed over time.

Visibility and labelling of sensitive information

For many power and energy companies, there is also a need to make visible what type of information is actually being handled. In practice, this means being able to label documents and risk analyses with varying degrees of sensitivity – for example, grid-sensitive information. In Certain QMS the organisation can itself establish and manage its own register for sensitivity labelling, adapted to internal needs, regulations and risk assessments.

This labelling follows the document and analysis during viewing and sharing, so that users can clearly see what type of information they are handling and take appropriate care in use, sharing and follow-up. This improves compliance in practice – without compromising accessibility for those who actually need the information. This is particularly relevant in work relating to emergency preparedness, incident management and compliance with requirements for the handling of grid-sensitive information.

Roles rather than individuals

When quality management is built on a clear shared structure, it becomes possible to work more systematically with sensitivity and access. Documents and processes can be linked to roles and responsibilities rather than to individuals, and information can be made available where it is actually needed, without losing control. This is particularly important in organisations where employees move between the office, control room and field.

The right information at the right time

In practice, this means that quality management is not only about content, but also about information flow. When documentation is structured correctly from the outset, it becomes easier to ensure that the right information reaches the right person at the right time. At the same time, the risk of sensitive information being shared inadvertently or remaining inaccessible when most needed is reduced.

For management, this provides better governance and oversight. For employees, it provides confidence in their day-to-day work. And for the organisation as a whole, it contributes to strengthening safety, compliance and trust – both internally and externally.

Seamless integration that lowers the threshold for quality management

One of the biggest challenges in quality management is not a lack of good procedures, but that systems feel distant from the everyday work environment. In small and medium-sized power and energy companies, where time and capacity are limited, this is particularly noticeable. The more tools employees have to deal with, the greater the risk that the quality management system will be deprioritised.

Quality in the existing work surface

With an integration to Microsoft SharePoint, quality management becomes accessible within the same work surface that employees already use. Documents, checklists, non-conformances and tasks become a natural part of the working day, rather than something that requires a conscious decision and extra effort. This is especially important for field personnel, who often need quick access to up-to-date information without having to navigate multiple systems.

Better involvement across the whole organisation

For small organisations, this delivers a significant benefit. Seamless access makes it easier to involve the entire organisation in quality management, not just those with specific professional responsibilities. Over time, this contributes to better compliance, more consistent use of procedures and a stronger quality culture.

When accessibility creates value

When the quality management system is actually used, it also becomes a better basis for improvement. Experiences are captured, non-conformances are followed up, and the organisation gains a more realistic picture of its own practice. For many power and energy companies, this is closely connected to the quality management system being accessible where employees already work – for example through SharePoint as an intranet and work surface. When employees can find procedures, complete tasks and report non-conformances without “switching systems” mentally and practically, the threshold for use is lowered. This is where the connection between structure, accessibility and value becomes clear.

When the quality management system sits within the SharePoint work surface, it effectively becomes part of the intranet and everyday work – not a separate specialist system that only a few people visit.

Certain QMS integration

Cross-organisational learning and continuous improvement in the sector

The power and energy sector is characterised by a high degree of collaboration, whether through corporate structures, alliances or industry partnerships. This creates significant potential for cross-organisational learning, but also a risk that experiences remain local if good mechanisms for sharing are not in place.

Shared structure enables shared learning

When quality management is built on a shared structure and shared frameworks, it becomes possible to extract value from this collaboration. Experiences from incidents, non-conformances, audits and improvement work can be used as a basis for developing shared practice further, without overlooking local circumstances. Over time, this helps to raise the standard across the whole organisation, or across multiple companies.

User forums and professional meeting places

User forums and professional meeting places play an important role here. They provide space for dialogue, experience sharing and the prioritisation of improvements that genuinely make a difference in everyday work. When this is combined with a technical and structural solution that supports sharing, continuous improvement becomes more than an ideal – it becomes a practical way of working.

For power and energy companies, this means increased maturity over time, better handling of regulatory changes and greater confidence in the face of new requirements and expectations.

What this means for power and energy companies going forward

Quality management in the power and energy sector cannot be reduced to documentation alone. It is about structure, ownership and use – and about building solutions that genuinely work in a busy and demanding environment. Experience from the sector shows that when these conditions are in place, quality management changes in character from being an obligation to becoming a tool for governance, safe operations and continuous improvement.

For many companies, this starts with asking some fundamental questions:

  • How is quality management structured today?
  • Is it adapted to the organisation’s responsibilities and risk profile?
  • And do the systems provide support in practice – or only on paper?

In a sector where requirements are high and the consequences of errors can be significant, this is not just a question of efficiency. It is a question of robustness, trust and social responsibility. It is also about compliance with emergency preparedness requirements, trust in critical infrastructure and the organisation’s ability to handle both incidents and inspections in a controlled manner.

For organisations that want a quality management system that is actually used, and that can withstand both audits, operations and emergency situations, it is precisely this holistic approach that Certain QMS is built to support.

Since 2021, Netpower has delivered its quality management system to over 20 grid companies through Nettalliansen’s industry solution – a partnership that has given the sector a shared, standardised quality management platform.

Marte Sunde

Marte Sunde

Business Consultant

Marte Sunde is a Business Consultant for Certain QMS, specialising in quality management and HSE systems. She works at the intersection of operational practice and digital solutions, helping organisations implement and improve management systems that ensure compliance, structure, and continuous improvement.

AI policy and clear frameworks for AI use in the organisation

AI policy and clear frameworks for AI use in the organisation

AI-policy

Artificial intelligence is already part of everyday working life in most organisations. Employees use tools such as ChatGPT, Microsoft Copilot and other AI solutions for everything from content production and analysis to customer service and decision support.

At the same time, new questions are arising:

  • Which AI tools can employees use?
  • Which data can be shared with AI services?
  • How do we quality-assure content generated by AI?
  • Who is accountable if AI contributes to incorrect decisions?

An AI policy is often the first step organisations take towards creating clear frameworks for the use of artificial intelligence.

What is an AI policy?

An AI policy is a governing document that describes how artificial intelligence should be used within the organisation.

Its purpose is to give employees and leaders clear guidelines for the safe, responsible and effective use of AI tools. The policy helps to reduce risk whilst making it easier to adopt the technology in a controlled manner.

A good AI policy should not hinder innovation. It should make it safer to use AI.

Certain QMS

Why do organisations need an AI policy?

Many organisations already have employees using AI on a daily basis, often without the organisation having decided how the technology should be used.

This can lead to challenges relating to:

  • Sharing of confidential information
  • Data protection and the handling of personal data
  • Incorrect or misleading content generated by AI
  • Lack of documentation of how decisions were made
  • Inconsistent practice across departments and employees

An AI policy provides a shared framework that reduces uncertainty and makes it easier to adopt AI in a responsible manner.

What should an AI policy contain?

There is no universal template that suits every organisation, but most AI policies cover the following areas.

Purpose and scope

The policy should describe why the organisation uses AI and who the guidelines apply to. This typically includes employees, leaders, consultants and contractors.

Approved AI tools

The organisation should define which AI solutions are approved for use. This makes it easier to control security, data processing and compliance with internal requirements.

Information handling

A central point is which types of information may be shared with AI tools.

Many organisations prohibit the sharing of, for example:

  • Personal data
  • Customer data
  • Trade secrets
  • Confidential information

Quality assurance of AI-generated content

AI can produce incorrect, incomplete or fabricated information. The policy should therefore make clear that employees are always responsible for checking and quality-assuring results before they are used further.

Responsibility and ownership

It should be clear that AI is a tool, not a decision-maker. Responsibility for decisions and actions remains with people.

Compliance with legislation and regulation

The policy should describe how the organisation relates to relevant regulation, including the General Data Protection Regulation (GDPR), sector-specific requirements and any requirements linked to the AI Act.

Is an AI policy enough?

For many organisations, an AI policy is a good place to start.

But as the use of artificial intelligence grows, the need for more structured governance will often increase.

Leaders will then need to be able to answer questions such as:

  • Where is AI being used in the organisation?
  • Which risks have we identified?
  • How do we follow up on AI-related incidents?
  • How do we document decisions that are influenced by AI?
  • How do we ensure compliance with new regulatory requirements?

These are areas that are normally addressed through AI governance or an AI management system.

From AI policy to AI governance

An AI policy describes which rules apply.

AI governance is about how the organisation manages, follows up and improves its use of artificial intelligence over time.

In the same way that organisations work systematically with quality, information security and data protection, many will eventually establish structures for governing AI.

For organisations that want to work more systematically in this area, ISO 42001 has established an international framework for the governance of artificial intelligence.

AI policy

Summary

An AI policy is often the first and most important step towards the responsible use of artificial intelligence. It gives employees clear guidelines, reduces risk and makes it easier to adopt AI in a safe manner.

At the same time, leaders should be aware that a policy alone is rarely sufficient when AI becomes a significant part of the organisation’s processes and decision-making. Over time, many organisations will need more structured AI governance and a comprehensive AI management system.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.

What is AI governance – and why do organisations need it?

What is AI governance – and why do organisations need it?

AI governance

Artificial intelligence is becoming a natural part of working life. Employees use ChatGPT for content production, developers use AI assistants for programming, and a growing number of IT systems are incorporating built-in AI features.

For many organisations, this is happening faster than the establishment of guidelines, accountability and control mechanisms. The result is that AI is being adopted without management necessarily knowing how, where or for what purposes the technology is being used.

“AI governance” has become one of the most important terms in artificial intelligence. In simple terms, it concerns how organisations manage, control and follow up on their use of AI.

What does "governance" actually mean?

Governance is a term used in areas such as quality, information security, data protection and corporate management. It describes how an organisation establishes accountability, rules, processes and control mechanisms to ensure that an area is managed in the desired way.

When we talk about AI governance, it is therefore not about the technology itself, but about how the organisation manages its use of artificial intelligence.

What does AI governance mean?

AI governance is about establishing rules, accountability, processes and control mechanisms for how artificial intelligence is used within the organisation.

The goal is not to limit innovation or prevent the use of AI. On the contrary, AI governance is about facilitating safe, effective and responsible use of the technology.

An AI governance programme should help the organisation to:

  • use AI in a controlled manner
  • manage risks associated with AI
  • meet relevant legal requirements
  • protect information and personal data
  • ensure quality and reliability in AI-based processes
  • document how AI is used and followed up

In short, AI governance is about managing artificial intelligence in the same way that organisations already manage quality, information security and data protection.

Why has AI governance become important?

In just a few years, AI has moved from being a niche technology to a tool used by employees across almost every function.

Leaders use AI for analysis and decision support. Marketing teams use AI for content production. HR uses AI in recruitment and competence development. Developers use AI for code generation and testing.

At the same time, both the risks and the requirements for control are increasing.

The need for AI governance is growing rapidly, driven in part by the following.

Generative AI is already in use within the organisation

Even where the organisation has not introduced its own AI solutions, employees often use AI tools on their own initiative. This can create challenges relating to security, quality and compliance.

AI influences decisions

When AI is used for decision support or to automate processes, it becomes important to understand how results are generated and what limitations the technology has.

Data protection and information security

AI systems often process large volumes of data. Without clear guidelines, sensitive information can be shared with external services or used in ways that are not in line with the organisation’s requirements.

New regulatory requirements

EU AI Act introduces new requirements for organisations that develop, supply or use AI systems. Although the requirements vary according to risk and use case, the direction is clear: AI must be governed and documented.

Requirements from customers and partners

More organisations are already beginning to ask questions about how their suppliers use artificial intelligence. Just as information security and data protection have become part of procurement processes, AI governance will become an increasingly important topic.

The risks of using AI without governance

AI can create significant value, but uncontrolled use can also lead to problems.

Sharing of sensitive information

Employees may inadvertently share confidential information with AI services without being aware of how the data is processed.

Hallucinations and misinformation

AI can generate content that appears correct but contains errors or fabricated information. If used uncritically, this can lead to poor decisions or reduced quality.

Lack of traceability

In many organisations, there is no overview of which AI tools are in use, who is using them or what tasks they are being used for.

Discrimination and bias

AI models can produce outputs influenced by biases in training data or algorithms. This can have consequences for, amongst other things, recruitment, customer handling and decision-making processes.

Breaches of internal guidelines

Without clear rules, different departments may develop their own practices for using AI. This makes it difficult to ensure consistent governance and control.

Certain QMS rådgivning

What does an AI governance programme include?

An AI governance programme does not need to be complex, but it should cover a number of key areas.

Roles and responsibilities

The organisation must define who is responsible for AI-related decisions, follow-up and risk management.

Guidelines and AI policy

Employees need clear frameworks for what AI can be used for, which tools are approved and how information should be handled.

Risk assessments

The use of AI should be assessed in the same way as other technology solutions. Risks relating to security, data protection, quality and compliance must be identified and managed.

Training

Employees must understand both the opportunities and the limitations of AI. Many of the risks are linked to a lack of competence and incorrect use.

Control and follow-up

The organisation should establish mechanisms for following up on how AI is used and ensuring that guidelines are adhered to.

Documentation

It should be possible to document which AI solutions are in use, for what purposes and what assessments have been made.

Supplier management

For organisations using external AI solutions, it is important to assess suppliers in the same way as other critical system suppliers.

How does AI governance relate to ISO 42001?

ISO 42001 is the world’s first international standard for artificial intelligence management systems.

The standard describes how organisations can establish, maintain and continually improve an AI management system.

Many of the elements that make up AI governance can be found in ISO 42001, including:

  • roles and responsibilities
  • risk management
  • management of AI systems
  • documentation
  • monitoring and improvement
  • competence and training

For organisations seeking a structured and recognised approach to AI governance, ISO 42001 provides a concrete framework to build on.

How to get started with AI governance

Many organisations already have a solid starting point.

If you have established management systems based on ISO 9001, ISO 27001 or similar standards, there are often processes and ways of working that can be extended to cover AI.

A good first step is to map:

  • which AI tools are currently in use
  • which processes are affected by AI
  • which risks are relevant to the organisation
  • which guidelines are missing

    The organisation can then establish the necessary roles, guidelines and control mechanisms as part of the existing management system.

    As a technology company with experience in both management systems and the practical use of AI, we often find that the challenge is not solely about documentation. Equally important is understanding how AI is actually being used within the organisation, which processes are affected, and how the technology can be governed in a way that creates value without introducing unnecessary risk.

    Our consultants have extensive experience in establishing and improving management systems based on, amongst others, ISO 9001 and ISO 27001. At the same time, we work in a technology company where AI is used actively in development, operations and internal work processes. This combination enables us to connect the requirements of the standards with the practical reality organisations face.

    Certain QMS rådgivning

    Talk to us about AI management systems

    We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

    Mirjam Meling

    Mirjam Meling

    Marketing & Communication Manager

    Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.