are you building AI or buying AI? the answer determines which regulations apply and most companies haven't asked the question.
The operational mode of AI adoption. Build posture: the organisation trains or adapts AI models, taking on provider obligations under the EU AI Act. Consume posture: the organisation uses AI via third-party APIs or SaaS, taking on deployer obligations. A single organisation may operate in both postures simultaneously. Posture determines which regulations apply, which controls are required, and which evidence must be produced.
Why It Matters
Posture is the first strategic decision in AI governance because it determines everything that follows. The EU AI Act assigns fundamentally different obligations to providers (those who build AI systems) and deployers (those who use them). A provider must conduct conformity assessments, maintain technical documentation of the entire system lifecycle, implement quality management systems, and register high-risk systems in the EU database. A deployer must ensure human oversight, monitor the system in operation, and report serious incidents. These are not overlapping obligations. They are structurally different governance requirements.
The problem is that most organisations have not made an explicit posture decision. They assume they are consumers because they use third-party APIs. But the moment they fine-tune a foundation model, they become providers under the EU AI Act. The moment they substantially modify a system’s intended purpose, they become providers. This shift happens in engineering teams, without visibility to legal or compliance functions, and without triggering the additional governance requirements that provider status demands.
A 2025 survey by the European AI Office found that 41% of organisations using AI could not categorise themselves as providers or deployers under the EU AI Act. They did not know their posture. This is not a theoretical gap. It is a compliance gap that determines which regulations apply and which controls are required. An organisation that governs itself as a deployer when it is actually a provider has the wrong controls, the wrong evidence, and the wrong regulatory posture.
The Stress Test
A regulator asks whether your organisation is a provider or deployer of AI systems under the EU AI Act. Your legal team says “deployer” — you use third-party models via APIs. The regulator then examines your AI portfolio and discovers that three teams have fine-tuned foundation models for specific use cases, one team has trained a proprietary model from scratch, and two teams have substantially modified the intended purpose of deployed systems. Under the EU AI Act, all of these activities make the organisation a provider for those specific systems.
Your governance framework was designed for deployer obligations. You now need provider-level controls for six systems. You have none. The posture assumption was never validated. That is the finding.
In the Wild
Bloomberg trained BloombergGPT, a 50-billion-parameter large language model purpose-built for financial NLP tasks, using Bloomberg’s proprietary financial data. This was an explicit Build posture decision: Bloomberg chose to train its own model rather than consume a general-purpose model via API. The decision triggered a different set of governance requirements: training data provenance, model documentation, bias evaluation across financial domains, and ongoing monitoring of model performance against financial benchmarks. A Consume posture would have required none of these controls.
Same organisation, same use cases. The posture decision changed the entire control framework. Build demands provider-level governance. Consume demands deployer-level governance. The controls are not interchangeable.
Multiple NHS trusts procured AI diagnostic tools from third-party vendors under a Consume posture. The trusts treated these deployments as technology procurement, not as AI system deployments. As deployers under the EU AI Act, they were responsible for human oversight, ongoing monitoring, and serious incident reporting. Most trusts had procurement processes but no AI-specific deployer controls: no mechanism to monitor model performance post-deployment, no protocol for serious incident reporting to the AI Office, and no evidence that human oversight requirements were met in clinical workflows.
Consume posture is not passive. It carries specific obligations that procurement processes alone do not satisfy.
Samsung engineers uploaded proprietary semiconductor source code and internal meeting transcripts to ChatGPT for code review and summarisation. The organisation’s de facto posture was Consume: employees used a third-party API without organisational governance. The incident exposed proprietary intellectual property to a third-party model provider with no contractual data protection guarantees for the specific use case. Samsung subsequently banned internal use of generative AI tools and began building internal alternatives.
Consume posture without supply chain controls means your proprietary data enters a system you do not govern. Samsung’s response was to shift from Consume to Build. That is a posture decision driven by a governance failure.
How to Govern It
Posture is not a label. It is a governance decision with regulatory consequences.
Within the AI Control Index, posture is governed at the Strategy layer (L1):
- Posture Declaration — Every AI system must have an explicit posture declaration: Build, Consume, or both. This declaration is made at the system level, not the organisation level, because a single organisation may operate in both postures across different systems.
- AI Actor Classification — The posture declaration maps to the EU AI Act’s role taxonomy: provider, deployer, importer, distributor, or authorised representative. Each role carries specific obligations.
- Control Activation — Build posture activates provider controls: conformity assessment, technical documentation, quality management, and registration. Consume posture activates deployer controls: human oversight, operational monitoring, incident reporting, and supply chain governance.
- Posture Drift Detection — Engineering teams may shift from Consume to Build without governance visibility (e.g., fine-tuning a consumed model). The framework includes controls to detect posture drift: any modification of a third-party model triggers a posture reassessment.
- Supply Chain Implications — Consume posture activates S3 (Supply Chain) controls: vendor assessment, contractual data protection, SLA monitoring, and third-party risk management.
When It's Relevant
Posture is relevant the moment an organisation begins using AI in any form. It is the prerequisite for every other governance decision. Without posture, you cannot determine which regulations apply. Without regulations, you cannot determine which controls are required. Without controls, you cannot produce evidence. The governance chain starts with posture.
Posture governance becomes critical when:
- The organisation operates in a jurisdiction subject to the EU AI Act
- Engineering teams fine-tune or adapt third-party models
- The organisation uses AI via third-party APIs for business-critical functions
- The AI portfolio includes both custom-built and third-party AI systems
- A regulator asks whether the organisation is a provider or deployer
Related Terms
References
- [1] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Articles 3, 6, 16, 26. Official Journal of the European Union.
- [2] Wu, S., Irsoy, O., Lu, S., Dabravolski, V., Dredze, M., Gehrmann, S., Kambadur, P., Rosenberg, D. and Mann, G. (2023) ‘BloombergGPT: A Large Language Model for Finance’, arXiv preprint, arXiv:2303.17564.
- [3] European AI Office (2025) AI Act Implementation Survey: State of Readiness Among EU Organisations. European Commission.
- [4] Ray, S. (2023) ‘Samsung Bans ChatGPT After Employees Leak Proprietary Data’, Forbes, 2 May.
- [5] ISO/IEC 42001:2023. Information Technology — Artificial Intelligence — Management System. International Organization for Standardization.
- [6] NIST (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, U.S. Department of Commerce.
- [7] Bommasani, R., Hudson, D.A., Adeli, E., et al. (2022) ‘On the Opportunities and Risks of Foundation Models’, arXiv preprint, arXiv:2108.07258v3. Stanford Center for Research on Foundation Models (CRFM).
AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0
By Jeroen Janssen, Apparens