Case Study

Iveco Group introduces a structured governance for Responsible AI

Discover how Iveco Group has made Responsible AI a guiding principle of its projects by adopting a governance and risk management model in line with European regulatory requirements.

Artificial Intelligence
Responsible AI
AI Governance
Compliance

The challenge

Define an AI Governance model in line with European regulations, capable of managing risks in a structured way and allowing teams to innovate safely and in full compliance.

Scenario

Governing the adoption of AI in an evolving regulatory context

The adoption of Artificial Intelligence is now a strategic driver of innovation for companies, which use it to increase operational efficiency, improve the quality of products and processes, and support increasingly data-driven decisions. In parallel, the evolution of the European regulatory framework – particularly the EU AI Act – is introducing stricter requirements in terms of risk management, transparency, accountability, and security of AI systems.

In this context, Iveco Group, one of the leading global players in transportation, specialized in the design and production of commercial vehicles, is accelerating the development and use of Artificial Intelligence solutions to support various business functions. The growing variety and complexity of use cases, along with the need to ensure regulatory compliance and consistency with the Group's organizational model, has highlighted the necessity for a structured approach to AI Governance. For Iveco Group, it has therefore become essential to adopt a clear and operational model to oversee AI projects, ensuring traceability and compliance throughout the entire lifecycle.

The design of a complete AI Governance model and the implementation of a supporting tool

Spike Reply has supported Iveco Group in defining and implementing a model of AI Governance and Responsible AI, integrating it into the OneTrust AI Governance platform to make processes more structured, automated, and scalable.

The AI Governance model is based on a centralized process that allows for the inventory and classification of artificial intelligence assets (systems, models, and datasets), collecting and organizing documentation, and maintaining a verifiable history of decisions and approvals. The process is supported by an automated AI Governance tool, based on the OneTrust solution, which, through standardized questionnaires and automated workflows, enables the entire project management cycle that includes AI — from initiation to evaluation, from approval to periodic review — making assessment activities more consistent, repeatable, and manageable at scale. This way, teams can focus on innovation while maintaining high levels of control and compliance.

how we did it

From strategic definition to operational realization

Phase 1 – Design

Spike Reply has collaborated with Iveco Group to define a comprehensive Responsible AI model, including safety guidelines, assessment checklists for the requirements of the AI Act, privacy, and cybersecurity, as well as risk classification criteria for different assets and scenarios. It has also designed a structured inventory of AI systems and models, capable of consistently gathering all the necessary information for the regulatory assessments required by the AI Act. The governance model has been formalized through clear and shared procedures that define roles and responsibilities, rules for development and release, monitoring criteria, and standardized evaluation tools.

Phase 2 – Implementation

The model has been made operational on the OneTrust AI Governance, with the creation of a centralized repository for managing the documentation and evidence required by regulations.

Spike Reply has configured dedicated questionnaires to map use cases and their associated risk levels, implemented automated workflows for the phases of initiation, assessment, approval, and periodic review, and integrated the solution with internal asset management and cybersecurity tools. Finally, the model has been extended to ongoing AI projects, ensuring consistency in evaluations and a uniform compliance approach throughout the organization.

Results

AI Governance: compliance, traceability, scalability

Iveco Group now has a structured and centralized AI Governance model, fully aligned with the AI Act and integrated into OneTrust AI Governance, to effectively and responsibly manage the evolution of projects.

Enhanced
compliance

model and processes aligned with the requirements of the AI Act, privacy, and cybersecurity.

Greater
traceability

verifiable history of decisions, approvals, and evidence supporting assessments.

More
efficient

faster, more consistent, and repeatable evaluations thanks to checklists, questionnaires, and automated workflows.

Improved risk
management

risk-based classification and control measures throughout the entire lifecycle of AI systems.

Scalability
operational

the ability to manage a growing number of AI projects in a consistent, responsible, and compliant manner.

Iveco Group

Iveco Group N.V. (EXM: IVG) is the home of unique people and brands that energize your business and your goals to progress towards a more sustainable society. Each of the seven brands is a reference player in its specific industrial field: IVECO, a pioneering brand of commercial vehicles that designs, produces, and markets heavy, medium, and light commercial vehicles; FPT Industrial, a global leader in providing a wide range of advanced propulsion technologies for the agricultural, construction, marine, power generation, and commercial vehicle sectors; IVECO BUS and HEULIEZ, brands of urban, intercity, and tourist buses for mass and premium transport; IDV, for highly specialized defense and civil protection vehicles; ASTRA, a leader in large heavy vehicles for quarries and construction sites; and IVECO CAPITAL, the financial arm that supports all brands of Iveco Group. Iveco Group employs 36,000 people worldwide and has 19 industrial sites and 30 Research & Development centers. More information about Iveco Group is available on the company's website, www.ivecogroup.com

Spike Reply

Spike Reply is the company of the Reply group specialized in cybersecurity and data protection issues. Spike Reply has defined a comprehensive, integrated, and coherent offering to address all aspects related to cyber risk management, from identifying threats and vulnerabilities to quantifying risk, planning, designing, and implementing the corresponding technological, legal, organizational, and insurance countermeasures.