Issue #39 — AI in Public Sector

Dear Reader,

In January 2021, the Dutch cabinet resigned over an algorithm.

Between 2012 and 2019, the Dutch tax authority ran a fraud detection system that scored childcare benefit recipients for risk of fraudulent claims. It combined data from tax records, benefits databases, and immigration files. It flagged roughly 26,000 families. Many had their benefits revoked and were ordered to repay tens of thousands of euros. The scoring logic was proprietary — affected families could not see what had caused the decision.

The system disproportionately targeted non-Dutch citizens and low-income households. The Hague District Court ruled in February 2020 that it violated Article 8 of the European Convention on Human Rights. EUR 30,000 per family was offered as initial compensation. Some families had lost their homes.

The model scored what it was designed to score. The failure was that nobody was accountable for the consequences — not the vendor, not the department, not the algorithm. It ran for seven years before a court stopped it.

The Dutch case is not unique. Australia’s Robodebt scheme (2015-2019) used automated income averaging to calculate welfare debts. The arithmetic systematically overstated what recipients owed. Approximately 469,000 debt letters were issued. At least ten suicides were correlated with the notices. Settlement: AUD 1.56 billion. In the UK in 2020, an exam-grading algorithm downgraded roughly 40% of A-level grades, disproportionately affecting state school students. It was reversed within four days.

Different countries, different systems. The same pattern: automated system deployed without validation. No meaningful human review during operation. Opacity by design. Disproportionate harm to vulnerable populations. Change only under public pressure.

Why public sector is different

Algorithmic decision-making in the public sector is structurally different from enterprise AI: the citizen cannot walk away. If a bank’s credit model treats you unfairly, you can try another bank. If the tax authority’s fraud model freezes your account, there is no alternative provider.

In enterprise, accountability is a business risk. In public administration, it is a constitutional obligation. A government decision must be lawful, reasoned, and challengeable. When an algorithm shapes that decision, all three requirements still apply. In most EU member states, the infrastructure to enforce them does not exist.

What is already deployed

Poland — STIR (tax fraud detection). Operated by KAS through the National Clearing House since 2017. Three-level analysis on financial transactions: daily cash flow risk assessment, network analysis of suspicious relationships, and risk profiling against statistical baselines. In 2019 it processed more than 11 million transactions covering approximately 4 million entities. It can freeze bank accounts for 72 hours without notification, extendable to three months.

The algorithm’s criteria are classified as state secrets. NIK has conducted zero audits of the STIR algorithm.

Netherlands — Algorithm Register. After the toeslagenaffaire, the Dutch government built the most ambitious algorithmic transparency infrastructure in Europe. As of December 2025: 1,245 algorithms from 289 government organisations. An independent analysis by Algorithm Audit found that 53% of high-impact algorithms lack impact assessments. Risk classifications are inconsistent — the same type of system receives different ratings depending on which municipality operates it.

France — CFVR and CAF. The tax authority has operated predictive profiling for audit prioritisation for years, applied to millions of returns annually. The CAF runs automated screening for benefit eligibility with limited public documentation. The Defenseur des Droits published a 2024 report documenting the gap between France’s legal framework and operational reality.

The EU AI Act and public sector

The AI Act classifies a broad range of public sector AI as high-risk under Annex III: eligibility for public assistance and benefits (5a), law enforcement profiling and recidivism scoring (6a-6e), migration and asylum processing (7b-7d), administration of justice (8a), and influence on democratic processes (8b). Any AI that profiles natural persons is always high-risk — no exception.

Public sector deployers carry heavier obligations than private enterprise. Article 27 requires a Fundamental Rights Impact Assessment before first deployment: affected groups, specific risks, oversight measures, and governance for when risks materialise. Results must be submitted to the market surveillance authority. The AI Office has not yet published an official FRIA template.

Article 86 gives citizens the right to “clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken.” For public sector AI, this sits on top of existing administrative law obligations to provide reasoned decisions.

Compliance deadline: 2 August 2026. Pre-existing public sector systems get an extension to 2 August 2030.

Poland’s specific problem

STIR is the only Polish public sector algorithmic system with significant public documentation. It is almost certainly not the only one in operation — KAS alone runs additional risk-profiling tools, and the May 2025 law authorising facial recognition in public spaces without judicial approval suggests further deployments. Nobody knows the full count, because Poland has no inventory and no register. That is the problem.

KRiBSI, Poland’s designated market surveillance authority for the AI Act, was approved in February 2026. Budget: 27 million PLN per year. It is embedded in the Ministry of Digital Affairs — not an independent agency. Seventy expert positions are planned by 2027.

NIK has no AI-specific audits in its 2026 work plan (70 control topics, none covering algorithmic systems). The Ministerstwo Cyfryzacji has published no guidance for public administration on algorithmic accountability.

The KPA — Poland’s administrative procedure code — requires that decisions include a reasoned justification. An algorithm whose criteria are classified as state secrets cannot provide one. This is a constitutional problem: the citizen’s right to understand the grounds of a decision versus the state’s claim that revealing the algorithm would compromise its effectiveness. No Polish court has tested it. In the Netherlands, it took seven years and a cabinet resignation to surface it.

Canada offers a reference point. Its Directive on Automated Decision-Making (2019) defines four impact levels with escalating obligations — at the highest level, a human decision-maker is mandatory and the algorithmic impact assessment must be published. The framework has been operational across federal departments for seven years. Poland has no equivalent.

The Briefing

Poland approves AI Act enforcement body — embedded in Ministry

Poland’s KRiBSI was approved by the Standing Committee of the Council of Ministers on 12 February 2026. Budget: 27M PLN annually, 70 expert positions by 2027. The choice to embed the authority within a ministry rather than establish it independently raises questions about regulatory independence when the government is itself a deployer of the systems being regulated.

Most enterprises cannot tell you how many AI agents have access to their systems

Fortune reported that while most enterprises can account for every human user with access to financial systems, few can do the same for AI agents. Autonomous agents are proliferating across business functions without governed identity, enforceable access controls, or lifecycle governance. According to an EY survey cited in the piece, 64% of companies with annual turnover above $1 billion have lost more than $1 million to AI failures. Only 21% of executives reported complete visibility into agent permissions, tool usage, or data access patterns. The accountability gap that this issue describes in the public sector is the same gap now opening across enterprise AI — systems acting without a clear owner.

80% of organisations report risky AI agent behaviours

An enterprise AI security briefing compiled data showing 80% of organisations reported risky agent behaviours including unauthorised system access and improper data exposure. The average enterprise has an estimated 1,200 unofficial AI applications in use, with 86% reporting no visibility into AI data flows. Shadow AI breaches cost $670,000 more than standard security incidents due to delayed detection. Stanford’s Trustworthy AI Research Lab found that model-level guardrails alone are insufficient: fine-tuning attacks bypassed Claude Haiku in 72% of cases. Technically specific controls — input validation, action-level guardrails, reasoning chain visibility — add what governance documents alone cannot.

US federal AI regulatory landscape diverges from EU approach

Baker Botts analysed a series of March 2026 federal deadlines triggered by Trump’s December 2025 Executive Order on AI. The Commerce Department must evaluate existing state AI laws and identify those deemed “onerous.” The DOJ’s AI Litigation Task Force is preparing to challenge state laws in federal court. Colorado’s AI Act — which requires reasonable care to prevent algorithmic discrimination in high-risk systems — is specifically named. The contrast with the EU’s approach is direct: where the AI Act builds a unified regulatory framework, the US is moving to dismantle state-level protections before any federal floor exists.

Two questions worth asking

  1. If a government algorithm froze your company’s bank account tomorrow, what would you be able to challenge? STIR can do this — 72 hours, no notification, extendable to three months. The scoring criteria are classified. Under the KPA, you are entitled to a reasoned justification for any administrative decision. An algorithm whose logic is a state secret cannot provide one. The same readers who build AI governance frameworks for their own organisations are subject to public sector AI that has none.

  2. Does the institution making decisions about you know what AI systems it is running? The AI Act requires a complete inventory before August 2026. Canada has required one since 2019. The Netherlands built a national register. Poland has not started. If the public institutions that regulate your industry cannot list their own algorithmic systems, the governance asymmetry runs in both directions — they are asking you to comply with standards they have not applied to themselves.

The window

Public sector AI accountability is not a future problem. STIR has been freezing bank accounts since 2017. The Netherlands has been scoring benefit recipients for over a decade. The systems are operational. The governance is not.

The real deadline is not regulatory. It is the moment when a system produces harm at a scale that forces a political response. In Australia, that cost AUD 1.56 billion. In the Netherlands, it cost a government.

Poland has a tax fraud algorithm that can freeze bank accounts on the basis of classified criteria, no independent audit of that algorithm, and a newly approved oversight body with 70 planned staff and EUR 6.2 million per year to supervise all AI across all sectors. The question is whether the gap closes before or after the incident that forces it to.

Until next issue,

Krzysztof
Sources: AlgorithmWatch: Poland STIR VAT Fraud · Algorithm Audit: Dutch Algorithm Register Analysis (December 2025) · Dutch Algorithm Register · The Hague District Court: SyRI Ruling (February 2020) · Defenseur des Droits: Algorithms, AI Systems and Public Services (2024) · Canada: Directive on Automated Decision-Making · Interface EU: Poland AI Act Implementation · EU AI Act: Annex III · EU AI Act: Article 27 (FRIA) · EU AI Act: Article 86 (Right to Explanation) · Australian Royal Commission into the Robodebt Scheme (2023) · Fortune: The AI Risk Few Organisations Are Governing (March 2026) · Help Net Security: Enterprise AI Agent Security (March 2026) · Baker Botts: March 2026 Federal AI Deadlines