The EU AI Act and Bringing AI Adoption Under Control: Five Questions Estonian Companies Should Answer Before August

The use of artificial intelligence in businesses is no longer a topic for the future. AI is already being used to draft emails and proposals, analyse documents, retrieve information, prepare reports and automate an increasing number of repetitive business processes.

From a management perspective, this creates an important shift: the question is no longer whether a company should use AI, but whether its use is controlled, secure and supported by a clear business case.

The European Union's Artificial Intelligence Act, or the EU AI Act, adds a timely dimension to this discussion. Some obligations are already in effect, including requirements related to AI literacy. From 2 August 2026, transparency-related AI rules will begin to apply, alongside broader enforcement of the regulation.

This does not mean that every company needs to establish an extensive compliance programme before August. It does mean that any company already using AI, or planning to adopt it more widely, should know where AI is being used, what data it relies on, who is responsible for it and what controls are in place.

Below are five questions that CEOs and business owners should be able to answer before making their next investments in AI.

1. Where is AI already being used in our company?

In many companies, the first AI project does not begin with a board-level decision or a formal development initiative. It begins when an employee uses a publicly available AI tool to draft a customer email, summarise a contract, create marketing content or analyse sales information.

That is not necessarily a problem. The problem arises when management has no overview of which tools are being used, what information is entered into them, and which tasks or decisions depend on AI-generated results.

The first practical step does not need to be technical or expensive. A company can begin by creating a simple AI use inventory that records:

  • which department or process uses AI;
  • which tool or solution is being used;
  • what types of data are entered into it;
  • whether the output is used as assistance for a person or directly affects a decision;
  • who is responsible for that particular use case.

This type of overview helps distinguish lower-risk use cases, such as idea generation or internal text editing, from situations where AI touches customer data, employee information, financial decisions or other sensitive processes.

When a company does not know where AI is already being used, it becomes difficult to assess its value, cost or risk.

2. Do we know which AI use cases require greater attention?

Not all AI solutions carry the same level of significance. AI that helps an employee improve meeting notes is not comparable to a solution that assesses job applicants, influences a credit decision, processes health data or interacts with a customer in a way that may make it unclear whether they are communicating with a machine.

The EU AI Act follows a risk-based approach. The greater the potential impact on people's rights, safety or access to important decisions and services, the greater the need for documentation, oversight, logging and control.

For companies, this means that an AI use inventory alone is not enough. For each more significant use case, it is worth asking:

  • Does the AI interact directly with a customer or employee?
  • Does the person need to know that they are interacting with AI?
  • Is AI-generated content published in the company's name?
  • Does the solution influence someone's employment, access to a service or another significant decision?
  • Does the AI initiate actions in other business systems?

For example, a customer service chatbot, AI-generated content intended for public distribution, or an AI agent that sends emails and changes information in business systems requires a different level of control from an internal idea-generation tool.

It is also important to understand that August 2026 is not the same deadline for every AI-related obligation. At the European Union level, the timeline for more detailed requirements applying to certain high-risk AI systems has been postponed. However, this does not change the fundamental question for businesses: before expanding the use of AI, a company must understand the risks each solution introduces.

3. Are our data and access rights under control when using AI?

An AI solution can only be useful if it has access to the information it needs. At the same time, this is also where some of the most significant business risks arise.

An employee may copy customer data, a quotation, an internal report or a contract into a public AI tool without considering whether this is permitted. An internal AI assistant may gain access to documents that not every user should be able to see. An AI agent may make queries in systems where its activity should be strictly limited.

Before adopting AI more widely, companies should therefore consider at least three topics.

First, what data does the AI use? Is it public information, internal working material, customer data, personal data or business-critical information?

Second, on whose access rights does the AI operate? A well-designed solution should not disclose information to a user if that user would not otherwise have access to it.

Third, where does the data go and what is retained afterwards? A company needs to understand whether entered information is logged, used for model development, transferred to third parties or kept within an environment controlled by the company.

At Itronauts, we see that proper control over data, access rights and technical architecture is what separates a genuinely usable business solution from an initial demo. For example, we have carried out a technical audit of an AI solution for a university, assessing areas such as the configuration of the AI agent and its knowledge base, access management, content safety restrictions, logging and cost control. These questions are not relevant only to the public sector or large organisations. The same principles apply to any company that wants to use AI in its everyday operations.

4. Who is responsible for AI outputs and actions?

AI can draft text, provide recommendations, analyse documents or initiate actions in other systems. Responsibility, however, cannot be assigned to AI.

For every significant AI solution, a company should clearly define:

  • who owns the solution from a business perspective;
  • who is responsible for its technical operation and security;
  • when a person must review AI output before it is used;
  • in which cases AI may act automatically;
  • what happens when the AI makes a mistake.

This is especially important in the case of AI agents. While traditional automation generally follows predefined steps, an AI agent may analyse a situation, choose an appropriate action, use different tools and carry out a process consisting of several steps.

For example, AI may help process an incoming enquiry, find the required information, draft a response and save the result in a customer relationship management system. This can deliver a significant efficiency gain, but only when it is clear which actions may happen automatically and which require human approval.

In practice, the value of AI does not have to mean full automation. In many cases, the most commercially sensible solution is one where AI completes a large share of time-consuming preparatory work, while a person confirms a critical decision or any external communication.

5. Can we demonstrate that AI creates value and operates under control?

The success of an AI solution should not be measured by how impressive the demo looked or by how many employees tried the tool once. From a business perspective, AI must deliver measurable results.

This requires agreeing, from the beginning, on what will be measured. For example:

  • How much does the amount of manual work decrease?
  • Does response or processing time improve?
  • Does the number of errors decrease?
  • Can employees spend more time on higher-value activities?
  • Is the cost of operating the solution justified by the value it creates?

Traceability is equally important. When AI provides an incorrect answer, relies on an inaccurate source or performs the wrong action, the company must be able to understand afterwards what happened. This may require logs, usage statistics, error notifications, cost tracking and regular reviews.

AI is rarely a one-off project that can simply be left running after implementation. Models change, data changes, business processes change and user behaviour changes. As a result, AI solutions also require ongoing management and control after deployment.

What should a company practically do before August?

A business leader does not need to begin with dozens of documents or a complex compliance programme. A sensible starting point could be the following:

  1. Create an overview of where AI is already being used within your company.
  2. Identify the use cases that involve sensitive data, customers, employees or important decisions.
  3. Check whether data, access rights and responsibilities are clearly addressed in these processes.
  4. Define in which activities a person must remain in the decision-making loop.
  5. Establish metrics and logs that allow you to assess the actual value and reliability of AI.

The outcome of this exercise does not need to be a lengthy document. A valuable result is a clear understanding of where AI is already helping the business, where risks exist and which one or two use cases it would make sense to develop further.

AI adoption requires both ambition and control

AI enables Estonian companies to reduce manual work, make business processes faster and provide better service to their customers. However, the benefits only materialise when the technology is connected to a clear business objective, appropriate data, defined responsibility and measurable results.

The EU AI Act gives companies an additional reason to review their current use of AI. Yet even without regulation, doing so would be a sensible management decision.

Itronauts helps companies map their existing AI use and related risks, assess requirements arising from regulation, and design, build and operate AI solutions that create genuine business value.

If you need support with AI adoption or would like to assess the associated risks, you are welcome to contact us at info@itronauts.com.
