Ask European companies whether they’re ready for the AI Act and nearly all of them admit they’re not. The VerifyWise AI Governance Salary Report 2026 found that 98.5% of organizations consider their AI governance staffing inadequate. Then look at what those same companies actually do about it. This summer my team analyzed 3,519 AI-related job postings across eight EU countries, and for every governance role advertised, we counted roughly seven roles for building more AI.
Everyone already concedes the compliance gap exists. The gap I find more interesting is the one between what companies tell surveys about AI governance and what their hiring budgets show. Surveys measure anxiety. Job ads measure money. And the money is flowing to the side of the business that creates regulatory exposure while the side that manages it waits for headcount.
Why job ads are the honest signal
Anyone can tell a survey they take governance seriously. It costs nothing and it’s the socially correct answer, especially two years into the AI Act era. A job posting is different. Behind every posting sits an approved budget line, a manager who fought for the headcount, and a company committing to pay someone for years. When you want to know what an organization actually prioritizes, read its careers page before its press releases.
That’s the logic behind our study. We pulled a month of AI-related postings from eight countries, Belgium through Sweden, and split them into two camps: people hired to build AI systems and people hired to govern them. The classification is blunt on purpose. It ignores what companies claim about responsible AI and looks only at who they’re paying to show up.
The result was 3,004 builder roles against 446 governance roles. So by its own confession the market is 98.5% understaffed, and by its own behavior it’s hiring one governor for every seven builders. Both numbers can’t be true of a market that’s on top of the problem.
The more confident the country, the wider the gap


If governance hiring simply lagged AI adoption evenly, you’d expect the most AI-mature countries to be closest to balance. We found the opposite. Sweden, home to one of the strongest engineering cultures in Europe, posted sixteen builder roles for every governance role, the widest ratio we measured. France came in at eleven to one. The countries most confident in their technical talent are running the largest deficit against the law.
Ireland sat at the balanced end at 3.5 to one, and even that says less than it appears to. Dublin hosts the European headquarters of most US tech giants, which import governance discipline from global programs and operate under DORA, the EU financial-sector resilience regime, on top of the AI Act. Strip out that imported discipline and I doubt Ireland looks much better than its neighbors.
A second layer of the say-do gap hides inside the governance roles themselves. Fewer than three in ten of them name the AI Act in the job description. Companies are hiring for risk, ethics, model validation, and data protection, all worthy titles, but a role written without the regulation in view rarely produces the conformity assessments and technical documentation the Act specifically demands. Even where the headcount exists, much of it isn’t aimed at the law. The honest readiness number sits below the already low hiring figures.
Then there’s who is doing the hiring. Almost half of governance postings came from enterprises above 5,000 staff, and two-thirds came from financial services and IT consulting, sectors that already ran compliance functions and extended them. Healthcare, which faces some of the Act’s most serious obligations, posted four governance roles across all eight countries in a month. Government administration posted four as well. The organizations with the most sensitive AI use cases are doing the least visible hiring.
The delay is being read as permission
You could argue the market is being rational here. The deadlines moved, after all. The Council gave final approval to the Digital Omnibus on 29 June, pushing the high-risk regime to December 2027 for standalone systems and August 2028 for AI embedded in regulated products. Why staff up now for obligations that land in eighteen months?
Three problems with that. Some obligations never moved: the Article 50 transparency rules still apply from 2 August 2026, next month, and prohibited practices and general-purpose AI rules have been live since 2025. The penalties didn’t move either, and they run up to €35 million or 7% of global turnover for the most serious violations. And governance capacity has a long lead time, which is the part hiring managers consistently underestimate. A specialist hire takes months to recruit in a market where, per VerifyWise, demand grew 150% year over year, and that person then needs the better part of a year to inventory systems, classify them, and build the documentation the Act expects. Count backward from December 2027 and the hiring window is now.
Our data suggests most of the market is counting forward instead. The delay bought companies sixteen months, and the posting volumes indicate they’re spending that time the same way they spent the last sixteen: building.
Where the work goes when nobody’s hired to do it
Regulatory obligations don’t wait for headcount. When a company faces the Act without a governance team, the work still has to happen somewhere, and it lands on outside help. Independent AI governance consultants in mature markets now bill 800 to 2,000 US dollars per day, again per VerifyWise, and day rates like that don’t survive without unmet demand underneath them.
I run a compliance consultancy, so discount my view accordingly, but I don’t think the answer for most companies is winning a bidding war for scarce specialists. The mid-market, which posted a third of governance roles while facing the same law as the enterprises absorbing half of them, mostly won’t build governance teams at all. The realistic path is a framework built on structures many of these companies already have: an ISO 27001 management system, a SOC 2 control set, an existing GDPR program. The Act’s requirements around risk management, documentation, and accountability map onto those foundations more closely than the headlines suggest.
What worries me isn’t the companies choosing that path deliberately. It’s the far larger group whose job postings show no path at all. Their surveys say unprepared while their careers pages say something closer to uninterested, and December 2027 arrives on schedule either way. The say-do gap closes then, whether companies close it themselves or have it closed for them. The full study behind these numbers, including the country-by-country data and methodology, is on our website.


