Regulatory Tightening on AI-Driven ITSM Sparks Enterprise Strategy Overhaul

Enterprises are overhauling ITSM strategies amid tightening regulation, with stricter requirements for AI transparency, model risk, data privacy, and vendor governance enforcement.

Enterprises are adjusting IT operations and governance frameworks in response to increased regulatory scrutiny of AI-driven IT service management (ITSM). New compliance requirements covering transparency, model risk management, and data privacy are now enforceable across multiple jurisdictions. CIOs and IT procurement teams are reexamining vendor selection processes and internal governance structures to address these obligations.

Background

The EU Artificial Intelligence Act took effect on August 1, 2024, with full enforcement for high-risk AI systems set for August 2, 2026. The Act mandates documentation, traceability, and human oversight for AI applications, including those within ITSM workflows, as stated by the EU Artificial Intelligence Office. In the US, the Texas Responsible Artificial Intelligence Governance Act (TRAIGA) becomes effective January 1, 2026, imposing requirements for model risk and transparency on AI systems impacting Texas residents. In Canada, the Office of the Superintendent of Financial Institutions (OSFI) released Guideline E-23 in September 2025, introducing mandatory enterprise-wide model risk management. Documentation and monitoring expectations take effect May 1, 2027.

Details

ITSM deployments are facing heightened audit scrutiny. According to industry analysis, beginning in 2026, AI governance within ITSM will become a formal audit requirement rather than a best practice. IT teams will be required to maintain thorough registers of AI models, documenting training data, ownership, risk assessments, retraining schedules, and decision logs. These records, often referred to as "AI cards" or model fact sheets, enable transparency and compliance. Regulatory requirements also mandate human oversight for AI affecting critical operations, bias testing, explainability, comprehensive logging, data minimization, and encryption throughout the AI pipeline.

Gartner's survey, reported by CIO.com, indicates that more than 70% of IT leaders identify regulatory compliance as a top challenge when deploying generative AI, with fewer than 25% expressing strong confidence in their governance and security capabilities.

The EU AI Office has issued guidance and templates aligned with the AI Act's schedule. Enforcement for general-purpose AI is set for August 2, 2026, with initial obligations, including transparency for foundation models and logging for high-risk systems, starting in August 2025.

Outlook

Enterprises are expected to advance governance-by-design frameworks and require vendors to meet compliance maturity standards during procurement. As audits increase and enforcement begins, CIOs and ITSM leaders must ensure full traceability for AI-driven workflows and implement policy controls throughout the model lifecycle, from development to deployment.