Compliance · October 21, 2026 · 9 min read

The Governance Gap


The first wave of enforcement inquiries under the Colorado AI Act and EU AI Act has arrived. They did not begin with dramatic regulatory action. They began with letters — requests for documentation of specific decisions, specific oversight mechanisms, specific authorization records. Standard inquiry letters.

What the letters revealed was consistent: organizations had governance intent but not governance infrastructure. They had written policies describing what their AI systems should do. They had not built the infrastructure that produces records of what those systems actually did. The gap between the policy and the record is the governance gap — and it is where enforcement exposure concentrates.

This is not a story of organizations that ignored the regulations. Most organizations receiving these letters took AI governance seriously as a legal and strategic matter. They hired counsel. They updated privacy policies. They held internal governance meetings. They did not, in most cases, understand that compliance evidence is produced by infrastructure — not by intent.

What the Inquiries Are Finding

The pattern across enforcement inquiries in the July–October window is consistent. Organizations had documentation for five requirement categories. In all five, the documentation described intent rather than evidence:

| Requirement | What Organizations Had | What Was Actually Missing |
| --- | --- | --- |
| Human oversight of consequential decisions | "We have a human-in-the-loop policy" | No mechanism for capturing review decisions. Cannot demonstrate any specific decision received human review. |
| Impact assessment before deployment | "We conducted an impact assessment" | Undated document. Cannot demonstrate assessment preceded deployment. No evidence of sign-off chain. |
| Consumer notification of AI use | "Our privacy policy discloses AI use" | No delivery records per consumer. Cannot demonstrate specific consumers were notified before specific decisions affecting them. |
| Delegation chain documentation | "We have an authorization framework" | Framework describes intended behavior. No records of what was actually authorized at each step, for which agent, when. |
| Non-discrimination testing | "We test our models for bias" | Testing occurred on training data. No evidence of ongoing monitoring on production decisions. No records for the enforcement window. |

The governance gap in this table is not a documentation failure. It is an infrastructure failure. Each requirement in the left column requires records that are produced automatically, continuously, and contemporaneously by systems designed to produce them. Policy documents describe what those systems should do. They do not produce the records themselves.

Why Intent Is Not Sufficient

Governance intent is valuable. Organizations with clear intent about how their AI systems should behave are in a better position than organizations without it. Intent defines the requirement. It does not satisfy it.

The regulatory standard for consequential AI systems is behavioral, not aspirational. A human oversight requirement is met when human oversight occurred and was documented — not when an organization intends for it to occur. An impact assessment requirement is met when an assessment was completed, documented, and linked to the system assessed before deployment — not when an organization has a general assessment policy.

Intent describes what organizations want their systems to do. Evidence describes what they actually did. Regulators asking about specific decisions or specific periods need the latter. The governance gap is the distance between those two things. Closing it requires infrastructure, not documentation.

Who Is In the Best Position

Organizations that built governance infrastructure before the enforcement window are responding to inquiry letters in under 24 hours. The records exist, are retrievable by decision ID or date range, and are formatted for regulatory review. These organizations are not worried about this period.

Organizations in the second tier — compliance intent, insufficient infrastructure — are in the 60-day cure window under Colorado. The cure requires demonstrating that the gap has been addressed, not merely describing how it will be. This means building infrastructure quickly, under observation, with enforcement timelines running in parallel. It is achievable but expensive.

The question for organizations not yet in an inquiry is whether they wait. The enforcement timeline is not synchronized — organizations are not all receiving letters simultaneously. The window between now and a potential inquiry letter is the most efficient time to build governance infrastructure. Building it before the letter is an order of magnitude less expensive than building it after.

The cure window
Colorado's 60-day cure period applies to first violations. It gives organizations time to remediate after an inquiry opens. What it does not do is stop the enforcement clock, prevent penalty accumulation on subsequent violations during the cure period, or eliminate the reputational and operational cost of operating under regulatory observation. The cure window is not a planning assumption — it is an emergency option.

What Governance Infrastructure Actually Requires

Closing the governance gap requires four things. Contemporaneous capture: records created at the time the regulated event occurs — the decision, the review, the authorization, the assessment — not reconstructed after the fact.

Decision linkage: each record connected to the specific decision it documents. Oversight records that cannot be linked to specific decisions are not evidence that any specific decision received oversight.

Delegation chain logging: for AI systems with multiple agents or automation layers, the full chain of authorization from the originating instruction to the terminal action — with what scope was active at each step.

Tamper-evident retention: records maintained with integrity protections that satisfy the evidentiary standards regulators apply. A log that can be modified after the fact is not evidence in an enforcement context.

These are infrastructure properties, not documentation properties. They require systems designed to produce them — not systems producing outputs that organizations then attempt to document manually.
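The four properties above can be seen together in a hash-chained decision log. This is an added sketch, not code from Stratum or its products; the record fields, event names, agent names and decision IDs are assumptions made up for illustration.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash value for the first record

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_record(log, decision_id, event, actor, delegation_chain):
    """Capture one event at the time it happens, linked to one decision."""
    body = {
        "seq": len(log),
        "ts": datetime.now(timezone.utc).isoformat(),
        "decision_id": decision_id,            # hypothetical ID format
        "event": event,                        # e.g. "authorization", "human_review"
        "actor": actor,
        "delegation_chain": delegation_chain,  # agent and active scope at each step
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append(dict(body, hash=_digest(body)))
    return log[-1]["hash"]  # new chain head; store it outside the log's write path

def verify_chain(log, anchored_head=None):
    """Return None if intact, else the index where verification first fails."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or not hmac.compare_digest(_digest(body), rec["hash"]):
            return i
        prev = rec["hash"]
    # A truncated or fully rewritten log is still self-consistent; only the
    # externally anchored head detects that.
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return len(log)
    return None

def has_human_review(log, decision_id):
    """Decision linkage: was a review recorded for this specific decision?"""
    return any(r["decision_id"] == decision_id and r["event"] == "human_review" for r in log)

def build_sample_log():
    # Constructed sample data: two decisions, only the first gets human review.
    log = []
    chain = [{"agent": "orchestrator", "scope": ["score", "decide"]},
             {"agent": "scoring-agent", "scope": ["score"]}]
    append_record(log, "dec-001", "authorization", "orchestrator", chain)
    append_record(log, "dec-001", "human_review", "reviewer-a", chain)
    head = append_record(log, "dec-002", "authorization", "orchestrator", chain)
    return log, head
```

The chain alone only detects edits to individual records; the returned head hash has to be anchored somewhere the log writer cannot modify (a separate account, a write-once store, a third-party timestamp) for truncation or a full rewrite to be detectable.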


Sean / Stratum