A court holds an airline liable for incorrect policy information dispensed by its AI chatbot. A regulator charges two investment firms for falsely claiming their products are AI-powered. A bank's credit model silently disadvantages an entire demographic. These are not future scenarios; they are documented events from the past two years. And in every case, the board was the last to know.
So here is the real question: When did AI last appear as a substantive risk-and-accountability conversation, not just a technology briefing, on your board agenda? If you are pausing, the gap between your AI ambition and your AI governance posture may already be a liability.
Having spent over thirty years leading IT strategy and digital transformation across multinational banks, public-sector institutions, and global consulting firms and now advising boards through my consulting practice, I have observed a consistent pattern. Boards that treat AI as a management or technology concern alone are systematically under-governed for the era we have already entered.
The Governance Vacuum No One is Talking About
AI has moved from experimentation to production infrastructure faster than most governance frameworks can keep up. The EU AI Act began phased enforcement in February 2025. The NIST AI Risk Management Framework is now a baseline expectation cited by regulators and institutional investors alike. And in sectors I have worked in — banking, insurance, healthcare, and telecom — AI already determines credit access, fraud flags, clinical pathways, and customer outcomes.
Yet in most organisations, the board cannot answer a fundamental question: do we even know which AI systems are running inside us right now? This is the governance vacuum. It is not born of negligence — it is born of velocity. AI has been adopted bottom-up, embedded in vendor platforms, and licensed through cloud tools faster than accountability has been assigned.
"If your board cannot name your top five AI systems and your AI risk appetite, you do not have a governance programme. You have a hope strategy."
Seven Questions That Must Become Standing Board Agenda Items
What will AI change materially in 12–24 months and what will we refuse to automate?
Strategy without boundaries is not strategy. The board must define its AI risk appetite—not just what AI it will deploy, but what it will not delegate to machines. In banking, automating credit underwriting entirely is a risk-aperture decision with regulatory and reputational implications. The board must own both sides of that line.
Do we have a complete AI register — including vendor and embedded AI?
Most AI exposure today does not come from proprietary models — it comes from AI features embedded in CRM platforms, lending systems, and contract tools. If the board cannot confirm a comprehensive register covering all three categories — proprietary, vendor, and embedded AI — it cannot govern what it cannot see.
Which systems make high-impact decisions, and are they classified under applicable regulations?
Credit scoring. Hiring. Insurance pricing. Fraud flags. KYC. These are not low-stakes processes. Under the EU AI Act, they are classified as high-risk and are subject to mandatory risk assessments and human oversight requirements. Boards in regulated sectors must know categorically which systems fall under this classification — and whether the controls are commensurate with it.
Can humans meaningfully override, stop, or reverse AI outputs?
Human oversight must be operationally real, not just documented. Automation bias — the tendency to stop challenging AI recommendations over time — is a live risk in every organisation I have advised. The board must ask not whether override mechanisms exist on paper, but whether they are regularly exercised and culturally supported.
Have we tested for GenAI-specific threats?
Prompt injection, data poisoning, and excessive agent permissions are not theoretical vulnerabilities. They are live exposures in enterprise GenAI deployments today. Agentic AI systems — which take autonomous action on behalf of users — further amplify this risk. Most cybersecurity and audit functions are not yet equipped to assess these. The board must demand they become so.
What independent assurance exists for material AI systems?
Internal audit competency on AI is still maturing in most organisations. Boards should require that any AI system involved in consequential decisions undergo independent annual validation, covering fairness, explainability, data provenance, and security. ISO/IEC 42001 provides the certifiable management system framework that enables this assurance to be repeated and audited.
Are our public AI claims truthful and legally reviewed?
'AI washing' — overstating AI capabilities in investor communications or marketing materials — has already drawn regulatory enforcement action. Every external claim about AI-driven efficiency or risk management must be backed by an evidence pack and reviewed by legal counsel. The Audit Committee must explicitly own this question.
The Framework Trifecta: Give the Board a Common Language
The NIST AI RMF's four functions — Govern, Map, Measure, and Manage — give boards a risk vocabulary they can apply directly. ISO/IEC 42001:2023, the world's first certifiable AI management system standard, provides the operational backbone that integrates with existing audit cadences. The OECD AI Principles—fairness, transparency, robustness, and accountability—provide a normative layer that boards can adopt as public commitments. Together, these three frameworks translate AI complexity into the governance language boards already understand.
Board Committee Ownership
Risk Committee → AI risk appetite, system classification, incident governance
Audit Committee → Controls assurance, independent validation, disclosure compliance Nomination / Governance → Board AI literacy, skill gap assessment
Full Board → Quarterly AI Governance Dashboard
What Gets Measured Gets Governed
Governance intent becomes real only when tied to metrics. Every board should receive a quarterly AI governance dashboard tracking five things: AI inventory coverage across all business units; the percentage of high-impact systems with documented risk assessments and operational override controls; AI incident rate and mean time to containment; audit coverage of material systems; and disclosure compliance — the proportion of external AI claims backed by evidence. These are not reporting exercises. They are accountability loops that align board intent with management execution.
Three Takeaways—and an Urgent Call to Act
Takeaway 1: Adopt NIST AI RMF's GOVERN function as your board's AI risk language. Assign explicit ownership across Risk, Audit, and Nomination committees. Every consequential AI system needs a named C-suite owner with a direct reporting line to the board.
Takeaway 2: Commission a comprehensive AI inventory covering proprietary, vendor, and embedded AI across every business unit. If you cannot see it, you cannot govern it — and you cannot defend the organisation when something goes wrong.
Takeaway 3: Implement a quarterly AI governance dashboard as a standing agenda item. Track inventory coverage, assurance levels, incident metrics, and disclosure compliance. What the board measures, management manages. What the board ignores, risk accumulates.
The question is no longer whether to govern AI — regulators, courts, and markets have settled that. The question is whether to govern deliberately, with clear frameworks and accountability, or reactively, after an incident that a structured governance framework could have prevented.
“Governance is not the enemy of AI ambition. It is its most durable enabler. The board that understands this will define the enterprise performance benchmark of the decade ahead.”
What is the most difficult AI governance question your board has confronted? I invite CIOs, CTOs, board directors, and CXO leaders to continue this conversation — because the governance choices made in boardrooms today will determine the AI outcomes we all live with tomorrow.
The question is no longer whether to govern AI — regulators, courts, and markets have settled that. The question is whether to govern deliberately, with clear frameworks and accountability, or reactively, after an incident that a structured governance framework could have prevented.
Disclaimer: The views expressed in this article are those of the author and do not necessarily reflect the views of the publication. |
