AI Officer vs DPO: Defining roles in AI governance

According to McKinsey’s latest global survey on AI, over 75% of organisations now use AI in at least one business function. As adoption accelerates, questions around accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. and oversight are becoming more pressing. 

Many organisations are beginning to formalise their AI governanceThe framework of policies, processes, and roles that ensure Artificial Intelligence (AI) is developed and used responsibly, ethically, and in compliance with applicable laws, societal expectations, and corporate values.  structures by expanding their Data Protection Officer (DPO) responsibilities or appointing a dedicated AI OfficerAn individual responsible for overseeing the ethical, legal, and effective use of Artificial Intelligence (AI) within an organisation.. But which approach is most effective? 

This blog, based on insights from our recent webinar MINDING THE MACHINES: AI Officer vs DPO, explores the evolving relationship between the two roles. It examines where their responsibilities overlap, how they differ, and how organisations can build governance that supports both compliance and innovation.  

• What is an AI Officer? 
• Why do we need an AI Officer? 
• Can a DPO manage AI governance? 
• Comparing AI Officers and DPOs 
• Who should lead AI governance? 
• Practical steps for organisations 

What is an AI Officer?

The AI Officer (AIO) is a senior role responsible for ensuring an organisation uses artificial intelligenceThe use of computer systems to perform tasks normally requiring human intelligence, such as decision-making, speech recognition, translation etc. safely, ethically, and legally. It’s an emerging position, created in response to growing regulatory scrutiny and rising ethical expectations. The EU AI ActThe EU Artificial Intelligence Act was approved by the EU Council on 21 March 2024. A world-first comprehensive AI law, intended to harmonise rules for the development, deployment, and use of artificial intelligence systems across the EU. has been a major driver, setting formal obligations for organisations that develop, deploy, or distribute AI systems across the EU. 

However, although regulation is shaping AI governance expectations, many organisations still face capability gaps. The skills and expertise needed to design and implement effective AI frameworks remains in short supply.  

Why do we need an AI Officer? 

As AI becomes embedded across business operations, organisations are realising they need clear accountability and coordinated oversight. An AI Officer provides that by defining and implementing governance frameworks, ensuring AI initiatives align with business objectives and keeping ahead of evolving regulatory requirements. 

AI Officers can transform compliance from a reactive task into a competitive advantage by: 

• Future-proofing AI compliance
  Anticipating regulatory change and adapting governance frameworks to stay ahead of new requirements.

• Building trust and transparency
  Embedding ethical principles and responsible practices into every stage of AI development and deployment.

• Connecting organisational silos
  Bridging legal, technical, and operational teams to create unified oversight and consistent innovation. 

Without this central point of accountability, AI projects risk fragmentation, underinvestment, and unmanaged risks. An AI Officer provides the structure and oversight needed to harness AI’s potential while ensuring systems are safe, compliant, and aligned with organisational values. 

AI Officer responsibilities

The EU AI Act doesn’t formally define an AI Officer, but forward-thinking organisations are already shaping this role to meet their needs. AIOs work across technical, legal, and operational teams to ensure systems are developed and used responsibly, in line with organisational values and legal obligations. 

In practice, AI Officers may be responsible for: 

• Developing and implementing AI governance frameworks 
• Overseeing AI Impact Assessments (AIIAsA structured process used to identify, assess, and mitigate potential risks associated with an AI system before and during its deployment. An AIIA evaluates factors such as fairness, transparency, privacy, and accountability, helping organisations demonstrate compliance with AI regulations and responsible innovation practices.) and ongoing risk management 
• Ensuring compliance with AI legislation, such as the EU AI Act, and maintaining supporting documentation 
• Embedding ethical principles such as fairness, transparency, and accountability in business practices 
• Coordinating with relevant regulatory and oversight bodies 
• Managing incident reporting and ensuring appropriate corrective actions 

Demand for AI governance expertise is rising faster than the available talent pool. Organisations are seeking professionals who combine legal and regulatory knowledge with technical literacy and strong ethical awareness — a combination that remains rare in the market. As a result, many companies are choosing to upskill their existing compliance or data protection teams or engage external expertise to bridge the gap while the profession matures. 

Can a DPO manage AI governance?

Under the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR), the Data Protection Officer’s core responsibilities are well established: monitoring compliance, maintaining key documentation, and acting as the contact point for supervisory authorities and data subjects. These duties naturally extend into AI governance where systems processA series of actions or steps taken in order to achieve a particular end. personal dataInformation which relates to an identified or identifiable natural person.. 

DPOs are well-positioned to: 

• Ensure lawful data use in AI development and deployment 
• Embed Privacy by Design principles into AI workflows 
• Support transparency and explainability requirements 

However, the risks posed by AI often extend beyond privacy. Many systems raise broader ethical questions around bias, accountability, environmental impact, and human oversight — areas that generally sit outside the DPO’s traditional remit.  

This is where an AI Officer adds value. Working alongside the DPO, the AIO bridges compliance, innovation, and technical governance, ensuring AI initiatives not only meet legal obligations but also align with wider business goals and ethical standards. 

Learn more about the role of a DPO under the GDPR. 

Comparing AI Officers and DPOs

Data Protection Officer and AI Officer roles share several areas of alignment within AI governance: 

• Data governance and accountability: both ensure data-driven systems are transparent, fair, and auditable 
• Risk assessment: DPOs lead Data Protection Impact Assessments (DPIAs) and AIOs oversee AI Impact Assessments (AIIAs), each identifying, documenting, and mitigating risk 
• Awareness and training: both promote a culture of responsible data use and help teams understand their compliance obligations 

Despite these shared areas, the two roles take distinct approaches to governance and compliance: 

In practice, the two roles complement one another and require collaboration. The DPO ensures privacy and data protection remain central to AI strategy, while the AI Officer focuses on wider governance and risk management, helping organisations innovate responsibly. 

Who should lead AI governance? 

There is no one-size-fits-all model. The right approach depends on your organisation’s size, structure, and AI risk profile – that is the level of potential impact your AI systems have on people’s rights, safety, or access to services. 

Lower-risk organisations:

For organisations using AI in limited or low-impact ways, your DPO can usually cover AI-related responsibilities, supported by cross-functional teams and targeted training. 

High-risk sectors:

In industries such as Healthcare, Finance, or Recruitment, where AI systems can directly affect individuals’ wellbeing, financial outcomes or employment opportunities, a dedicated AI Officer may be essential to manage oversight and compliance. 

What matters most is not job titles but clear accountability. Regulators expect organisations to be able to demonstrate who is responsible for AI governance and how key decisions are made. Effective coordination between DPOs, AI Officers, and senior leadership is crucial to make sure AI systems are transparent, compliant, and well-managed. 

Practical steps for organisations

Whether your organisation decides to appoint an AI Officer or not, now is the time to strengthen your governance foundations as AI becomes part of everyday operations. The following steps outline best practices for a responsible and accountable approach: 

• Review internal governance structures
  Map existing oversight functions to understand where AI governance currently sits. Identify who is responsible for compliance, ethics, and risk.

• Identify overlaps and gaps in accountability
  Determine where responsibilities between data protection, technology, and ethics teams intersect, and where gaps could expose the organisation to regulatory or reputational risk.

• Define who leads what
  Assign clear ownership for privacy, transparency, and ethical use of AI. Whether these sit with the DPO, AI Officer, or another function, document and communicate them clearly.

• Build capability
  Invest in training and cross-functional collaboration. Encourage shared learning between legal, technical, and operational teams. This will be critical for demonstrating accountability under both the GDPR and forthcoming AI legislation. 

Frequently asked questions 

What does an AI Officer do?

An AI Officer oversees the responsible use of artificial intelligence within an organisation. They develop AI governance frameworks, coordinate AI Impact Assessments (AIIAs), and ensure that systems align with legal, ethical, and organisational standards.  

What is the difference between an AI Officer and a Data Protection Officer? 

The DPO focuses on compliance with data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data. and safeguarding individual rights. The AI Officer’s remit is broader, covering ethical AI use, organisational risk management, and alignment with AI-specific regulations such as the EU AI Act.

Who is responsible for AI compliance?

Responsibility for AI compliance depends on the organisation’s structure and the nature of its AI systems. Under the EU AI Act, providers and deployers of high-risk AI systems must implement robust compliance frameworks and assign clear accountability for meeting regulatory obligations. This may involve roles such as AI Officers, Data Protection Officers, compliance leads, or dedicated governance committees working together to oversee AI risk and regulatory adherence. 

What skills does an AI Officer need?

AI Officers typically combine legal and regulatory understanding with technical literacy and strong ethical awareness. Key skills include risk assessment, data governance, stakeholderAn individual with an interest or concern in something (i.e. a Social Worker, Healthcare Professional, Headteacher etc. in respect of the welfare of a child). communication, and familiarity with AI regulation.

How can a DPO prepare for AI governance?

DPOs can start by understanding how AI systems within their organisation process personal data, updating Data Protection Impact AssessmentA formal documented assessment which allows decision-makers to identify, manage and mitigate any data protection risks associated with a project. (DPIA) templates to reflect AI-specific risks, and collaborating with technical teams to embed Privacy by Design. 

Can one person act as an AI Officer and DPO?

In smaller or lower-risk organisations, the DPO may also act as the AI Officer, provided they have the right expertise and independence. For larger organisations or those developing high-risk AI, separating the roles can help manage accountability and workload more effectively and prevent conflict of interest between business need and individual privacy rights. 

The DPO Centre provides a full range of AI governance and data protection services – from outsourced AI Officers and Data Protection Officers to EU AI Act Readiness Assessments and AI Impact Assessments. Contact us  to find out how our team can help your organisation manage AI responsibly and compliantly.  

In case you missed it…

• Compliance with the AI Act Part 4: Essential strategies
• AI Impact Assessments: What are they and why do you need one? 
• Using AI for DSAR responses: What every organisation should know