Artificial intelligence in business: do's and don'ts

According to a recent OECD report,¹ the use of these tools in Europe reaches 79%, as they are considered capable of improving efficiency and the quality of managerial decisions. However, concerns about their reliability persist, linked to unclear responsibilities, limited algorithm transparency, and potential effects on workers’ health.

This ambivalence explains the approach of both the European and Italian legislators: AI can increase productivity and work quality, but only if governed by adequate safeguards and effective human oversight. The cornerstone of regulation is the European AI Act², the first example of ad hoc regulation of AI technologies, based on a multi-level risk framework. Italy, on the other hand, approved its AI law last September, strengthening the use of AI³ — especially in the workplace —through specific provisions.

Particular attention should be paid to the AI Act’s prohibition of emotion recognition systems in the workplace (imagine a system that detects whether someone is happy at work or measures a candidate’s stress level during a job interview). Furthermore, systems classified as high-risk—such as those used for hiring or personnel selection, as well as the aforementioned algorithmic management tools—are subject to specific technical and organizational obligations, as well as human oversight.

It is precisely the need for conscious use of AI tools that the Italian AI Law provides specific “do’s” regarding privacy for employers, such as training employees in AI literacy. At the same time, it is advisable to update internal privacy documentation—starting from employee privacy notices and the record of processing activities—to include any processing related to the AI tools in use.

Additionally, employers have information obligations toward employees and trade unions regarding the use of fully automated decision-making or monitoring systems, and must provide dedicated channels to respond to employees’ written information requests within 30 days. In some cases, it is also necessary to conduct an impact assessment on fundamental rights risks, known as a FRIA. Moreover, whenever the use of an AI tool entails even a potential form of remote monitoring of personnel, the protections under the Workers’ Statute remain applicable, including consultation and authorization procedures in coordination with trade unions.

Another key aspect of AI compliance concerns cybersecurity. An AI system can become a new entry point for unauthorized or vulnerable intrusions, affecting both decision reliability and the protection of employee data. In this context, it is important to map AI systems and manage them through internal rules, rather than allowing adoption to occur in a fragmented way, for example through individual IT departments. Operationally, effective corporate AI governance must integrate privacy and cybersecurity considerations and cannot be reduced to simple policies on ChatGPT usage.

Finally, for companies, the real “do” may not be to adopt more AI, but to adopt it thoughtfully. Conversely, what must absolutely be avoided is attempting to halt innovation or relying on little-known tools. In a market where AI becomes a competitive lever, compliance is not a constraint—it is the condition that allows organizations to use algorithms without letting algorithms end up governing the organization.

1. Milanez, A., A. Lemmens and C. Ruggiu (2025), Algorithmic management in the workplace: New evidence from an OECD employer survey, OECD Artificial Intelligence Papers, No. 31, OECD Publishing, Paris. ↩︎
2. Regulation (EU) 2024/1689 ↩︎
3. This refers to Law No. 132 of 23 September 2025, “Provisions and Delegations to the Government on Artificial Intelligence,” also known as the “AI Law”. ↩︎