The Incident That Must Not Happen
Problem
What is the one thing a utility's board tells its management must never happen? Ask the question directly and the answer comes back fast: a public incident. The board worries less about a fine or an audit finding than about a headline. For one regional electricity provider, the AI conversation did not begin with a regulation at all. It began when the regulator started scoring them on AI governance the same way it already scores them on cyber security, and when the board issued a directive that a public or political failure involving AI was simply unacceptable.
The company sits squarely inside the definition of critical infrastructure, and if they operated within an EU member state their high-risk obligations under the AI Act would be unambiguous. They understood this perfectly well. They also understood that scoring themselves with a privacy-style questionnaire, marking 148 out of 150 and moving on, would collapse on contact with a real incident or a real auditor. Awareness was never the gap. What they lacked was a credible, defensible way to show that AI risk across the organization was genuinely being managed before something went wrong.
Solution
It turns out the defensive posture makes the strongest possible foundation for governance, because it forces the question that matters: what could go wrong here, and what have we done about it? The company adopted Modulos to build a risk taxonomy grounded in their own use cases rather than a generic checklist. Every AI system entered a single register, and each one received a risk classification, a named owner, and a documented set of controls mapped to the frameworks they already trusted.
Because Modulos maps one control many-to-many across frameworks rather than running parallel checklists, the same governance work that satisfied their existing cyber security standards also produced the evidence a future AI Act assessment would demand. The defensive posture then gets a mechanism that competitors cannot match. Agentic Runtime Inspection (ARI™) lets the team define a compliance check in plain English and schedule an agent to run it against connected systems, so the quarterly manual audit becomes continuous verification and any drift surfaces in the test result rather than hiding in a log. The board got what it had actually asked for. It got a sentence it could say with a straight face and prove on any given day: we know where our AI risk lives, and we are managing it right now. The sooner an organization can demonstrate that continuously, the more a future incident becomes a managed event rather than a crisis.
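To make the two mechanisms described above concrete, here is an added, self-contained example in Python. It is not Modulos code and does not use the Modulos or ARI API; it sketches the same shape of solution: a single register of AI systems, each with a risk class, a named owner and controls, where one control is mapped to requirements in several frameworks at once, plus scheduled checks that run against a snapshot of connected-system state so that drift between two runs is surfaced as a finding rather than buried in a log. All system names, control ids, framework names, requirement ids and state snapshots are constructed placeholders.

```python
"""Added example (not Modulos or ARI code): a minimal AI risk register with
one-control-to-many-frameworks mapping and scheduled compliance checks.
Every system, control, framework, requirement id and snapshot here is constructed."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Control:
    control_id: str
    description: str
    # framework name -> requirement ids that this single control evidences
    satisfies: dict[str, list[str]]


@dataclass
class AISystem:
    name: str
    risk_class: str            # constructed labels: "high", "limited", "minimal"
    owner: Optional[str]       # None models the audit finding "no named owner"
    controls: list[str] = field(default_factory=list)


# Constructed controls; framework names and requirement ids are placeholders.
CONTROLS: dict[str, Control] = {
    "C-01": Control("C-01", "Model inputs and outputs are logged and retained",
                    {"ISO27001": ["A.8.15"], "AI-ACT": ["Art.12"], "NIST-CSF": ["DE.CM-1"]}),
    "C-02": Control("C-02", "Human sign-off before an automated dispatch action is applied",
                    {"AI-ACT": ["Art.14"], "NIST-CSF": ["PR.AC-4"]}),
    "C-03": Control("C-03", "Model registry records version, training data and approver",
                    {"AI-ACT": ["Art.11", "Art.12"], "ISO27001": ["A.8.32"]}),
}

# Constructed register: one entry per AI system in the organisation.
REGISTER: list[AISystem] = [
    AISystem("load-forecast-model", "high", "grid-ops-lead", ["C-01", "C-03"]),
    AISystem("customer-chatbot", "limited", "cx-lead", ["C-01"]),
    AISystem("outage-dispatch-agent", "high", None, ["C-02"]),
]


def framework_evidence(framework: str, controls: dict[str, Control] = CONTROLS) -> dict[str, list[str]]:
    """Requirement id -> controls evidencing it, for one framework.
    The same control work appears under every framework it is mapped to."""
    evidence: dict[str, list[str]] = {}
    for c in controls.values():
        for req in c.satisfies.get(framework, []):
            evidence.setdefault(req, []).append(c.control_id)
    return evidence


def register_gaps(register: list[AISystem] = REGISTER) -> list[str]:
    """Findings an auditor could raise from the register alone."""
    findings = []
    for s in register:
        if s.owner is None:
            findings.append(f"{s.name}: no named owner")
        if s.risk_class == "high" and "C-01" not in s.controls:
            findings.append(f"{s.name}: high-risk system without logging control C-01")
    return findings


# A scheduled check is a predicate over a snapshot of connected-system state.
Check = Callable[[dict], bool]
CHECKS: dict[str, Check] = {
    "C-01": lambda st: st["log_retention_days"] >= 180,
    "C-02": lambda st: st["dispatch_requires_approval"] is True,
    "C-03": lambda st: all(entry.get("approver") for entry in st["registry"].values()),
}


def run_checks(snapshot: dict, checks: dict[str, Check] = CHECKS) -> dict[str, bool]:
    """One scheduled run: evaluate every control check against the current state."""
    return {cid: bool(check(snapshot)) for cid, check in checks.items()}


def drift(previous: dict[str, bool], current: dict[str, bool]) -> list[str]:
    """Controls that passed on the previous run and fail on this one."""
    return [cid for cid, ok in current.items() if previous.get(cid) and not ok]


# Constructed snapshots for two consecutive runs; Q2 shows retention silently shortened.
SNAPSHOT_Q1 = {"log_retention_days": 365, "dispatch_requires_approval": True,
               "registry": {"load-forecast-v3": {"approver": "risk-committee"}}}
SNAPSHOT_Q2 = {**SNAPSHOT_Q1, "log_retention_days": 90}

if __name__ == "__main__":
    print("AI-ACT evidence:", framework_evidence("AI-ACT"))
    print("Register findings:", register_gaps())
    q1, q2 = run_checks(SNAPSHOT_Q1), run_checks(SNAPSHOT_Q2)
    print("Drift since last run:", drift(q1, q2))
```

The point of `framework_evidence` is that a control is written once and reported under every framework it satisfies; the point of `drift` is that a control which quietly stopped holding (here, log retention cut from 365 to 90 days) appears as a named failed check on the next scheduled run instead of waiting for a quarterly review to notice.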
Our board gave us one instruction that mattered above all the others. Do not let us end up in the news for the wrong reasons. Modulos gave us a way to show, system by system, that the risk is owned and controlled rather than hoped away.
— Head of AI Governance, Regional Electricity Provider