
      The AI Act’s 35M fine shouldn’t scare you (this should)

      Fear of a 35M fine is nothing next to FOBO. The Fear Of Becoming Obsolete.

      Of the 2,850 finance pros in my community, 75% started out using AI like a fancy Google Search.

      So I know the real night-fear isn't ‘security’. It's writing policy for tools you don't know how to use, while secretly feeling like you're falling behind.

      To help you get ahead I’m running this free Masterclass with Oracle NetSuite. You'll see:

      • How to turn a messy spreadsheet into a board-ready dashboard (in under 5 minutes)
      • How AI can post journal entries for you (before you arrive at your desk on Monday)
      • How to build a Claude Skill that runs your analysis every week (without you having to stitch together 27 CSV exports)

      You'll leave with a week-by-week, 30-day roadmap. Plus our 37-page Ultimate Guide to Building an AI Finance Team – from AI overwhelm to AI confidence – free for joining.

      Make sure to save your free seat here before it’s gone.


      A €35M Fine

      The €35M EU AI Act fine has been all over the CFO press. More specifically, €35M or 7% of global annual turnover (whichever is higher). Full applicability: 2 August 2027.

      But, unless you’re running a Tier 1 European bank, the fine probably isn't coming for you.

      What should worry you is this…

      Around half your team is already using AI tools at work without telling you. On personal phones, personal laptops. You can't see this, you can't audit it, and you can't govern it.

      So, when the audit committee asks "how is your team using AI?" (and they will) the €35M number won't be on the agenda. Your visibility into your own team's AI use will be.

      But the good news is, I found someone to solve this for you.


      "AI without governance is improvisation. And improvisation in finance can get very expensive."

      Christophe Atten said this in our recent AI Finance Club governance masterclass.

      He runs AI governance for a conservative bank in Luxembourg. So if anyone is qualified to give advice on this, it is him!

      He's built the governance framework that he lives by every day.

      Samsung's 2023 incident is the example he speaks about a lot. Engineers pasted proprietary code into ChatGPT, and once data has been sent to a public model, you cannot get it back.

      Samsung's response was to ban external AI, which Christophe says probably made secret employee AI usage (shadow IT) worse, not better.

      "The ban approach drives usage further underground, into the shadows, and at the end leads the talent to frustration. They might use it on their private laptop, their tablet, or their phone. You would not ever know." – Christophe Atten

      Plus, you may have also seen the January 2024 Arup case, where a finance employee was tricked by a deepfake of the CFO into making 15 transfers totalling $25 million!

      It’s super important to protect yourself against bad actors.

      But this should not stop you from being able to get the amazing benefits of AI in Finance.

      So. Christophe’s framework starts with a 3-legged chair and ends with 4 gates.

      It's the closest thing I've seen to a governance protocol a CFO can run (without a legal team taking 6 months to draft a 60-page policy).


      The 3-Legged Chair

      Christophe builds on a foundation he calls the 3-legged chair. Policy, people and technology. If one leg is missing, the chair falls over.

      Policy without tools is unenforceable.

      Tools without policy create blind trust.

      People without either create shadow AI (using it without the company knowing).

      You need all three to succeed.

      This is similar to COSO's frameworks that set the precedent decades ago – Internal Control in 1992, Enterprise Risk Management in 2004. Multi-gate, audit-style controls have been governing financial decisions ever since.

      And Germany's financial regulator BaFin made the same move in December 2025: it now classifies AI as ICT risk under DORA, meaning banks must govern AI like any other ICT system, not in a separate "AI framework".

      That's the part the audit committee will recognize. The fact that you're not just inventing AI governance.

      You're extending the controls you have already.


      Your 4-gate AI governance framework

      Run any new AI use case in your finance function through these 4 gates.

      The promise: you keep moving fast, you keep AI use visible, and you can answer the audit committee with evidence (whilst protecting yourself from fines).

      Christophe walks through these using the same example – a CFO who wants to use Copilot to draft variance commentary on Excel data. I'll use the same example so you can see what each gate looks like in practice.

      Gate 1: Name the use case + the human owner

      Don't start with the tool. Start with the use case.

      Write down what the AI is going to do ("Copilot drafts the monthly variance commentary from the P&L Excel file") and assign one named human owner. Not IT – the function leader.

      The CFO owns the variance commentary. The Head of FP&A owns the forecast model. IT supports the tool, but the business function owns the result.

      Gate 2: Classify the data the AI will use

      Now run a risk assessment on the data the use case will use.

      For the variance commentary example, the question is: "Does Copilot need full access to the P&L with sensitive margin data and customer-level detail? Or can you restrict it to aggregated information only?"

      Most use cases don't need the highest-risk data. Restricting access at this gate is the most effective control you can put in place.

      Gate 3: Test the prompt against old data

      This is the gate Christophe is strictest on. "You don't just go live."

      Take your variance commentary prompt and run it against December's actuals from last year. You already know what the right output looks like (your team produced it at the time). So compare what Copilot drafts to what your team actually delivered.

      Do this for a few months of historical data. If the prompt is stable across multiple periods, it's ready. If it's hit-and-miss, the prompt isn't ready. Fix it before it goes live.

      Then get someone to sign off before deployment.

      Gate 4: Schedule the review on day 1, not after the first error

      Set the review date when you deploy, not after something goes wrong.

      The model might not change. But your data will. Your business strategy will. The macro context will. A prompt that worked perfectly in January 2026 may produce nonsense in January 2027 because the underlying business has changed.

      Christophe's rule: book a quarterly review for every deployed use case, in the calendar, on day 1. Then the owner from Gate 1 leads the review.

      You can run all 4 gates inside one Excel template. Christophe's own version is a single tab – owner, risk classification, data sources, deployment status, next review date. Not a 60-page policy.

      So when the audit committee asks "how is your team using AI?", that one tab is your answer.


      The One Thing to Remember

      "Governance is not a blocker, it's an accelerator, a fast lane for AI in the industry." – Christophe Atten.

      Don’t let the unlikely future threat of a €35M fine stop you.

      Be the CFO leading AI adoption in 2026. The one who has already answered "how is your team using AI?" because it is on a tab in a shared workbook.

      So this week, I want you to do this. Create your workbook with the columns – owner, risk class, data sources, deployment status – then pick ONE AI use case to add to the workbook.

      This way you’re one step closer to using AI to generate results, and one step further away from worrying about how people use it.

      Best,

      Your AI Finance Expert,

      – Nicolas

      P.S. – Was this useful? Hit reply and let me know (I read all replies)

      P.P.S. – Which AI tools can your team use with confidential data? The answer is here → The Blueprint to Using AI for Finance in 2026 (ft. Shawn Kanungo)
