Listen to the audio version of this article (generated by AI).
Listen to the audio version of this article (generated by AI).
More importantly, it’s a combined leadership and organizational transformation, and it is happening faster than you think.
Back in 2018, “GDPR” easily won the “word of the year” global contest, although a German linguistic jury actually named it “Das Unwort des Jahres” (the Un-Word of the Year). And that truly reflects the dubious fame the term achieved, as it was associated with confusion and anxiety for businesses.
Whether another signature piece of EU legislation, the AI Act, becomes a similar household name remains to be seen. Yet one thing is already clear: it needs to be taken seriously, and the time to do so is now.
“The biggest misconception coming from firms in Hungary right now is that AI governance starts when the regulator knocks on the door,” George Tilesch, chief AI expert at EY, tells the Budapest Business Journal. “In reality, the real risk has already entered the building through uncontrolled everyday AI use. The AI Act is not simply a compliance story; it is a leadership and organizational transformation story unfolding at unprecedented speed.”
Tilesch and his fellow EY specialists argue that many Hungarian companies continue to frame AI through an overly narrow legal or technological lens, even as the EU regulatory timetable accelerates. The AI Act’s first obligations, including prohibitions on certain AI practices and AI literacy requirements, are already in force, while major obligations for high-risk systems begin applying from August this year. The legal timeline, however, has not yet translated into broad corporate urgency.
According to Adrienn Piskóti, senior manager at EY Law, Hungary’s implementation model focuses primarily on the institutional setup rather than imposing additional substantive requirements.
“Hungary is following a baseline-mirroring approach to the AI Act. Formal gold-plating appears unlikely, but governance expectations, especially in the public sector, may become stricter in practice through internal strategies, guidance and oversight mechanisms,” says Piskóti.
One surprising finding is that Hungarian public institutions appear to be moving faster than parts of the private sector, where executives don’t seem to have realized the importance of the issue.
“Many organizations still think they have time,” says Erik Slooten, partner at EY AI Confidence. “But AI adoption is already changing workflows, decision-making and customer interactions. The organizations that treat AI as a business transformation challenge, not just a legal requirement, will be significantly better positioned.”
The problem, EY argues, is partly behavioral. Businesses tend to respond to visible regulatory pressure, and many executives still do not feel the presence of a functioning AI supervisor demanding evidence, documentation or internal accountability. That creates a dangerous lag between legal obligation and business preparation.
Perhaps the most immediate corporate risk is what EY describes as the evolution of shadow IT into shadow AI, a phenomenon that is no longer lurking but is rather out in the light.
Even firms that formally prohibit AI use often find that employees are already using consumer AI tools on personal devices, through unsanctioned browser services or via embedded functionality in third-party software.
According to János Jenei, senior manager at EY AI Confidence, leaders often underestimate how quickly unmanaged use can create enterprise risk.
“The first governance question should not be which AI model sits in the background, but what business problem employees are already trying to solve with it,” he says.
That risk spans confidentiality, cybersecurity, ethics, operational resilience and data protection. In practice, organizations may already be exposed long before formal enforcement becomes visible. EY’s view is that companies should not wait for audits to begin governance work because AI is already reshaping operating realities.
Rather than launching into complex compliance programs, EY recommends that companies start with a basic but often neglected task: understanding what AI is already being used.
This means creating an enterprise-wide inventory covering approved AI tools, embedded AI functionality in enterprise software, third-party vendor systems, and informal employee usage, including shadow AI.
From there, organizations should classify use cases under the AI Act, assign ownership, establish cross-functional governance and strengthen vendor contracts to secure documentation, oversight and incident-management responsibilities.
“The first question leaders should ask is not ‘Which AI model are we using?’ but ‘What problem are employees already solving with AI?’ Once you understand where AI is already influencing work, governance becomes practical instead of theoretical,” Piskóti adds.
“AI governance is fundamentally organizational governance,” stresses Tilesch. “Companies should prepare for evidence-based scrutiny. Regulators will increasingly ask how AI systems are classified, monitored and controlled, not simply whether they exist.”
For Hungarian executives, the message is increasingly difficult to ignore: waiting for regulators to arrive may be the riskiest strategy of all.
The AI Act may ultimately reshape compliance expectations, but the more immediate challenge is organizational discipline. Companies already using AI, intentionally or not, are effectively operating inside a transformation process that governance structures have not yet caught up with.
“The biggest legal risk for companies is assuming that using a third-party tool transfers responsibility elsewhere. Under the AI Act, organizations must be able to demonstrate oversight, understand their role in the value chain, and show evidence of governance in practice, not only on paper,” Piskóti concludes.
Although concerns persist that the AI Act could burden startups and SMEs, EY experts believe Hungary’s immediate competitiveness risk may be something else entirely: insufficient adoption.
It may not sound surprising, but that doesn’t make it any less true: smaller firms tend to lack the capital, skills and organizational readiness to integrate AI meaningfully into day-to-day operations. In Hungary, this is even more so. The larger challenge, therefore, may be enabling practical, safe adoption rather than imposing heavyweight compliance frameworks from the start.
Here, EY sees potential in regulatory sandboxes, practical guidance, ready-to-use trusted tools and more accessible support ecosystems for smaller businesses, measures that could prevent the EU framework from becoming an innovation bottleneck if implemented effectively. The AI Act itself requires member states to establish national AI regulatory sandboxes by August to improve legal certainty and support innovation, particularly for startups and SMEs.
This article was first published in the Budapest Business Journal print issue of June 5, 2026.
Producing journalism that is worthy of the name is a costly business. For over 30 years, the publishers, editors and reporters of the Budapest Business Journal have striven to bring you business news that works, information that you can trust, that is factual, accurate and presented without fear or favor.Newspaper organizations across the globe have struggled to find a business model that allows them to continue to excel, without compromising their ability to perform. Most recently, some have experimented with the idea of involving their most important stakeholders, their readers.
We would like to offer that same opportunity to our readers. We would like to invite you to help us deliver the quality business journalism you require. Hit our Support the BBJ button and you can choose the how much and how often you send us your contributions.
