Before There Was an AI Act, There Was the Work
Most people who talk about governing AI started paying attention when ChatGPT dropped in November 2022. Gwendolyn Carpenter started paying attention in 1999, when she joined the iSociety project at The Work Foundation - the UK's largest non-governmental research project examining what the internet was doing to public life. She wasn't writing op-eds. She was doing the work.
That instinct - toward institutional change rather than public commentary - has defined her entire career. While the AI governance conversation fills conference stages and Substack feeds, Carpenter has been inside the building. Right now, that building is the European Investment Bank in Luxembourg, where she serves as Head of Artificial Intelligence Division, responsible for the Group's entire AI strategy, its enterprise AI platform, and its compliance with the EU AI Act and DORA regulations.
The EIB isn't just another financial institution. It's the lending arm of the European Union, with a balance sheet that runs to hundreds of billions of euros and a mandate that touches infrastructure, climate, innovation, and cohesion across all 27 member states. When the EIB decides how it governs AI, those decisions reverberate through the institutions it funds, the projects it backs, and the policy frameworks it informs. Carpenter is the person making those decisions.
Worth a read and worth considering when thinking through projects funded by EU funds.
- Gwendolyn Carpenter, on the EU Industrial R&D Investment Scoreboard, LinkedIn 2023That sentence - characteristically dry, characteristically precise - is more or less her public voice. She doesn't do punditry. She does alignment. The detail that the Scoreboard matters specifically "when thinking through projects funded by EU funds" is the tell: she's always thinking about the institutional pipeline, the practical downstream, the place where policy meets investment decision.
The Internet Was New. She Was Already Watching.
It was 1999. Broadband was aspirational. Most of Britain used dial-up. And The Work Foundation had just launched iSociety - a project ambitious enough to examine how an entire technology wave was reshaping the economy, democracy, and everyday life. Carpenter was its Programme Manager.
iSociety ran for five years. It wasn't a think tank vanity project - it was serious interdisciplinary research, pulling together economists, sociologists, and technologists to understand what was actually happening to society as it went online. Carpenter ran programs. She coordinated research. She managed the organizational complexity of the UK's largest independent digital research effort at the exact moment when digital was first becoming real.
That early training in multi-stakeholder, cross-disciplinary coordination - tracking technology's impact not just technically but socially, economically, politically - became her distinguishing skill. She wasn't a technologist. She wasn't a lawyer. She was something rarer: someone who could hold all three in the same frame and produce actionable institutional output.
In 2012, Carpenter co-authored a RAND Europe report recommending a European Cybercrime Centre hosted at Europol. The centre exists. It's called EC3. It's now one of the EU's primary responses to ransomware, child exploitation material, and financial fraud. The document that helped create it is Technical Report TR1218.
The RAND stint is worth dwelling on. The Feasibility Study for a European Cybercrime Centre wasn't a speculative policy paper - it involved on-the-ground research across 15 EU member states, interviewing computer crime units, reviewing existing frameworks, modeling different governance options. The recommendation was specific: centralize under Europol, give it operational mandate, ensure coordination with member states' existing units.
Europol followed the recommendation. EC3 launched in 2013. It now handles major ransomware investigations, coordinates responses to state-sponsored cyber operations, and provides technical support to national law enforcement across the EU. Carpenter's name is in the footnotes, not the headlines. That's how she works.
Smart Cities Were the Lab. The EIB Was the Scale.
Between cybercrime policy and AI strategy came nearly a decade of smart city work inside the EIB's JASPERS advisory framework. JASPERS - the Joint Assistance to Support Projects in European Regions - is how the EIB helps member states actually access EU structural funds. It's unglamorous, complicated, consequential work.
Carpenter advised on smart city strategies and digital innovation ecosystems across European regions. The specifics tell the story: Smart Sligo 2030 in Ireland, RDI investment in Kielce, Poland, urban regeneration programs across multiple member states. These aren't flagship projects in wealthy cities - they're mid-size regional efforts where the gap between EU funding availability and local institutional capacity to deploy it is vast and real.
She was the bridge. Understanding both what Brussels required and what Kielce could actually build - and helping the second one get to the first. That experience of translating between EU policy frameworks and on-the-ground institutional realities is exactly what she now applies to AI Act compliance at the EIB itself.
From TEPSIE project documentation, 2014: "Digital Technology in Social Innovation" - co-authored with Jeremy Millard, Danish Technological Institute. The report examined how digital tools were changing the terrain of social innovation across Europe. Contact: gwc@teknologisk.dk
TEPSIE SYNOPSIS REPORT - EUROPEAN COMMISSION 7TH FRAMEWORK
The TEPSIE chapter is easy to overlook - an EU research project on social innovation foundations, six partner institutions, a dissemination role. But it's the connective tissue. TEPSIE was examining what made social innovation stick across different European contexts, how digital tools accelerated or complicated it, and what policy conditions created the right environment. The same questions, applied to AI, animate her current work.
Where Her Knowledge Lives
Twenty-five years of EU digital policy work isn't evenly distributed. Here's where the depth actually is:
Running AI for a Trillion-Euro Institution
The EIB's AI Division job description is worth reading carefully. It asks for someone to define and execute the Group's AI strategy. Build and operate the Group AI Hub. Lead EU AI Act compliance. Navigate DORA. Manage a multidisciplinary team. Work across the Group - which includes the European Investment Fund (EIF) and the EIB Institute alongside the bank itself.
It is, in other words, not a single job. It's four jobs layered into one: strategist, platform architect, regulatory compliance officer, and organizational change manager. The person doing all four simultaneously is Carpenter.
The EU AI Act is the world's first comprehensive AI regulatory framework. It classifies AI systems by risk, imposes obligations on providers and deployers, and sets hard timelines for compliance. For a financial institution operating at the EIB's scale - deploying AI across lending decisions, risk assessment, project evaluation, operational functions - the compliance challenge is genuinely complex. High-risk system classifications, human oversight requirements, transparency obligations, conformity assessments: all of it needs to be mapped onto a live institutional infrastructure that was built before the Act existed.
That's the work. Not the conference circuit. Not the newsletter hot takes. The actual institutional machinery of making a massive European public bank ready for the AI regulatory era that is already arriving.
The gap between policy text and institutional practice is where most EU regulation either lives or dies. Carpenter's entire career has been spent in that gap.
- YesPress editorial assessmentWhy the Practitioner Beats the Pundit
European AI policy has no shortage of voices. There are Brussels-based think tanks. There are law firms with EU AI Act compliance practices. There are academics who followed the legislative process and newsletters charting every Article. The commentary ecosystem is rich.
What's rarer is the person who has to make it work inside an institution - who doesn't get to write "this is complex" and move on, but has to design the system that handles the complexity, train the team that operates it, and sign off on the compliance assessment that says the institution is ready.
Carpenter has been that person at every stage of her career. She didn't just study the EU cybercrime gap - she produced the report that specified what filling it should look like. She didn't just advise on smart city strategy - she worked with specific cities in specific member states to move specific EU funds through specific projects. Now she isn't just tracking AI Act compliance - she's building the EIB's framework for it from the inside.
The Twitter account with zero posts says more than a thousand threads would. She's not optimizing for visibility. She's optimizing for impact. And at the European Investment Bank, impact means something.
What She Has Actually Done
- Led the Group AI strategy at the European Investment Bank - defining AI architecture, governance, and compliance for one of the EU's most significant financial institutions
- Co-authored the RAND feasibility study (TR1218, 2012) that directly informed the creation of EC3, the European Cybercrime Centre at Europol
- Managed iSociety at The Work Foundation - the UK's largest non-governmental interdisciplinary research project on digital society (1999-2004)
- Led dissemination for TEPSIE - a six-institution European Commission research project on social innovation foundations
- Advised EU member state regions on smart city strategy and digital innovation ecosystems through JASPERS over nearly a decade
- Navigating EU AI Act and DORA compliance simultaneously for a complex financial group structure
- Built and operates the EIB Group AI Hub - the institutional infrastructure for coordinated AI deployment across the Group
25 Years, One Through-Line
Things Worth Knowing
The Twitter Paradox
Joined Twitter in June 2018. Has 70 followers. Has posted exactly zero tweets. Her LinkedIn, meanwhile, has 2,300+ followers and 200+ posts. The medium matters - and she chose the one where her professional peers actually are.
From Dial-Up to Algorithmic Governance
She was examining internet's societal impact in 1999 when most of Britain was on 56k modems. Now she's governing AI deployment at a bank that finances EU infrastructure. The question has changed. Her approach hasn't.
The Europol Connection
EC3 - the European Cybercrime Centre - now responds to ransomware attacks, state-sponsored hacking, and financial fraud across 27 EU member states. One of the documents that made the case for its creation has Gwendolyn Carpenter's name on it.
Luxembourg: The EU's Smallest and Most Consequential Address
The EIB is headquartered in Luxembourg - a country of 660,000 people that hosts the EU Court of Justice, the EU Court of Auditors, and the Secretariat-General of the European Parliament. Power in the EU is often inversely proportional to size.
What She Is Building Toward
Practical AI Act Compliance
The EU AI Act is real, and the compliance clock is running. Carpenter is focused on making it operational inside the EIB - not as a theoretical framework but as actual institutional practice. Conformity assessments, risk classifications, human oversight systems, documentation requirements: the full stack, built for a live financial institution.
Enterprise AI Architecture
The Group AI Hub isn't just a governance overlay - it's an operational platform. Carpenter is building the infrastructure that makes coordinated AI deployment possible across EIB, EIF, and EIB Institute: shared tooling, common standards, coherent strategy across a complex multi-entity group structure.
Institutional Knowledge Transfer
Twenty-five years of EU digital policy means knowing which interventions stick and which ones dissipate. The EIB's AI governance work, if done well, becomes a model for other EU institutions and the financial sector more broadly. That's the long game Carpenter has always played.