Nearly half of employees across Germany, Austria, and Switzerland now rely heavily on artificial-intelligence tools, according to a GoTo study—yet only 38 percent of IT leaders have put an official AI policy in place. The mismatch has fueled a surge in “shadow AI,” where workers adopt unauthorized external applications without company oversight, exposing organizations to data leaks and regulatory penalties.
The problem is acute: 30 percent of staff surveyed say they can no longer perform their jobs reliably without AI assistance. Meanwhile, risks such as prompt leakage and uncontrolled data outflow are mounting. Companies remain liable even when they never approved the tools in the first place, creating a legal minefield just as Brussels imposes its most aggressive compliance deadlines yet.
New EU Deadlines Tighten the Screws
The European Commission has approved the Digital Omnibus Regulation, which amends and accelerates parts of the AI Act. Key deadlines are now set:
- December 2026: Prohibition of non-consensual AI-generated content takes effect.
- December 2027: High-risk AI systems must achieve full conformity.
- August 2028: AI embedded in specific product categories must comply.
A foundational requirement has been in place since February 2025: Article 4 of the AI Act obligates employers to ensure AI competence among staff. Yet only 38 percent of companies currently meet that obligation, the GoTo study found.
The European Data Protection Board (EDPB) has added its own demands, calling for concrete safeguards—including anonymization proofs, resistance testing, and data-protection impact assessments that explicitly address algorithmic risks.
Courts Tighten Liability Stance
Recent German rulings from spring 2026 have sharpened corporate exposure:
- OLG Hamm (12 May): Errors made by a chatbot are attributed to the operator.
- LG München I (28 May): AI-generated texts count as the company’s own statements.
- AG München (13 February): Mere prompting does not establish copyright protection.
Legal experts emphasize that the AI Act also bans manipulative systems and workplace emotion-recognition technology. In critical sectors such as energy and healthcare, companies must coordinate AI governance with the NIS2 directive on cybersecurity.
CAIOs Lack Teeth, Experts Warn
Seventy-six percent of firms now have a Chief AI Officer (CAIO), but industry observers say many of these executives lack both budget and decision-making authority. Without genuine enforcement power, compliance efforts stall.
Advisers recommend embedding AI risk management into an integrated system aligned with ISO/IEC 42001. GDPR and AI Act audits should share a single framework rather than being handled in silos.
A particular threat on the horizon is “agentjacking,” where attackers exploit manipulated error reports to take over AI agents. Success rates for such attacks stand at 85 percent. Static access-rights management is no longer sufficient; companies must monitor the identities and access paths of their AI systems in real time.