← Portfolio Steven Picton · AI Knowledge
Strategy · Corporate Governance

AI Governance
for Boards

Oversight · Accountability · Fiduciary duty 6 sections · Interactive

Most enterprise boards are significantly behind on AI governance — even as their organisations accelerate AI deployment. That gap between adoption and oversight is where legal exposure, reputational risk, and competitive disadvantage quietly accumulate.

31%
of boards say AI is not yet on their agenda — down from 45% in 2024 but still alarming
66%
of directors report "limited to no knowledge or experience" with AI (global survey, 2025)
85%
of boards receive no AI-related metrics or reporting from management
+10.9pp
return on equity advantage for organisations with AI-savvy boards (MIT, 2025)
Why now

AI governance is a fiduciary obligation — not a choice

AI has crossed a threshold. It's no longer an IT project that management handles while the board watches. Organisations are embedding AI into decisions that affect customers, employees, and third parties at scale. Courts, regulators, and shareholders are beginning to hold boards accountable for that. Oversight of AI is increasingly treated as a core director duty — on par with financial and cybersecurity oversight.

Legal reality

AI washing and fiduciary exposure are real and growing

The SEC has already pursued enforcement actions against companies for false AI capability claims — treating it as securities fraud. Courts are actively adjudicating AI liability cases. The EU AI Act creates board-level accountability for non-compliance. Delaware courts' evolving oversight duty case law — though not yet AI-specific — establishes that boards can be liable for failing to oversee mission-critical operational risks.

The question is no longer whether boards are responsible for AI risk. It's whether they can demonstrate they exercised reasonable oversight when things go wrong.

The opportunity

Well-governed AI is a competitive advantage

MIT research (2025) found that organisations with AI-savvy boards outperform peers by 10.9 percentage points in return on equity — while those without board-level AI literacy are 3.8% below their industry average. Governance isn't just about avoiding downside. Boards that govern AI well enable faster, more confident, more scalable deployment — because they've built the trust and process to move further without stumbling.

Uncomfortable truth

Most boards don't know what they don't know

Only 39% of Fortune 100 companies disclosed any board-level AI oversight as of 2024. Fewer than 25% have board-approved AI policies. In most organisations, management is moving fast and the board is hoping it's going well. That's not oversight — that's optimism.

The most common failure in AI governance is blurred accountability — boards that either micro-manage what they should only oversee, or delegate so completely they have no meaningful visibility. The distinction matters legally and practically.

The board — oversight
  • Set the organisation's AI risk appetite
  • Approve the AI governance policy and framework
  • Ensure clear management accountability for AI risk
  • Receive regular, meaningful AI risk reporting
  • Challenge management's AI strategy and risk posture
  • Oversee regulatory compliance (EU AI Act, sector rules)
  • Approve material AI investments and strategy
  • Ensure AI is part of enterprise risk management
  • Maintain appropriate AI literacy at board level
  • Review significant AI incidents and responses
Management — execution
  • Develop and implement the AI strategy
  • Build and operate AI governance processes and controls
  • Conduct AI risk assessments and impact analyses
  • Manage day-to-day AI risk and compliance
  • Define and enforce responsible AI policies
  • Maintain technical documentation and audit trails
  • Report AI risk and performance to the board
  • Own AI vendor and third-party relationships
  • Drive AI literacy across the workforce
  • Respond to AI incidents and near-misses
The critical line

Oversight is not management

A board that deep-dives into model architecture is operating outside its remit. A board that simply accepts "AI is fine" is abdicating its duty. Effective oversight sits in the middle: hard questions, clear expectations, structured reporting, challenging assumptions — but trusting management to execute. The skill is asking the right questions, not having the technical answers.

Who owns AI in management?

Accountability needs a name, not just a function

The most common governance gap: AI risk is "everyone's problem" — which means it's no-one's accountability. The board should know exactly who in the C-suite owns AI risk, what their mandate covers, and how they report. This might be the CTO, a Chief AI Officer, the CRO — but it needs to be named and mandated.

Increasingly, organisations are establishing cross-functional AI Committees at management level — coordinating AI strategy, risk, ethics, and compliance. The board oversees the committee; the committee manages the function.

The questions that separate boards doing genuine AI oversight from those going through the motions. These are what well-advised directors ask — and what management should be able to answer clearly.

Strategy & value
Strategy What AI systems are we currently using — and do we have a complete inventory?
Most boards are surprised by how many AI systems are already operating across their organisation — often adopted by individual business units without central oversight. An AI inventory is the foundation of every other governance activity. If management can't answer this question confidently, that's itself a governance finding.
Strategy What is our AI risk appetite — and has the board formally approved it?
Risk appetite for AI should be explicit, board-approved, and connected to the broader risk framework. It defines what risks the organisation will accept in pursuit of AI value, and where the red lines are. Without a formal statement, management has no mandate to guide decisions — and the board has no baseline to assess whether they're operating within bounds.
Strategy How is AI creating measurable value — and are we tracking it?
Boards should apply the same discipline to AI investments as any capital allocation. What's the business case? What metrics define success? What's the ROI against implementation and governance costs? Without this, AI becomes a cost centre that grows without accountability — or a source of risk not generating commensurate value.
Risk & compliance
Risk Do any of our AI systems fall within the EU AI Act's high-risk categories?
This is not a question management should still be working out. If the organisation uses AI in employment, credit, essential services, education, or law enforcement contexts, it almost certainly has high-risk systems — with a compliance deadline of August 2026. The board should know whether a classification assessment has been completed, what it found, and what the remediation plan is.
Risk What is our exposure if an AI system causes harm to a customer or employee?
Liability from AI harm can arise from product liability, discrimination claims, data protection breaches, or regulatory penalties. The board should understand the organisation's most significant AI liability scenarios, whether they're adequately insured, and whether the incident response plan has been stress-tested.
Risk Have we conducted AI impact assessments across our portfolio?
An AI impact assessment evaluates each system against potential harms to individuals, groups, and the organisation. Required under the EU AI Act for high-risk systems (Fundamental Rights Impact Assessment) and best practice across the portfolio. The board should know which systems have been assessed, what risks were identified, and how they're being managed.
People, culture & capability
People Who in management is accountable for AI risk — and what is their mandate?
If the answer is "the CTO broadly" or "it's shared," that's a governance gap. The board should be able to name the individual responsible for AI risk management, confirm their mandate is adequate, and ensure they have direct access to the board when needed — not just filtered through the CEO.
People Does this board have sufficient AI literacy to discharge its oversight responsibilities?
The most uncomfortable — and most important — question. You cannot oversee what you don't understand. Boards should honestly assess collective AI literacy, identify gaps, and address them through director education, external advisors, or board composition decisions. The EU AI Act includes explicit AI literacy obligations. Regulators and litigants will ask whether the board had the competence to perform its oversight role.
People How are we ensuring AI is being used ethically across the workforce?
Responsible AI isn't just a technical control — it's cultural. The board should understand what policies govern employee use of AI tools, how they're enforced, what training exists, and how ethical concerns are surfaced and escalated. Without clear guidance, employees make their own decisions — and that's where data leakage, bias, and misuse typically originate.

Governance without structure is just intention. Effective AI governance requires clear board-level ownership, defined committee responsibilities, and a reporting rhythm that gives the board meaningful visibility without drowning in operational detail.

Committee ownership — who oversees what
Committee
AI oversight responsibilities
Key questions to ask

Full Board

AI risk appetite, material AI strategy decisions, significant investments, major incidents, regulatory actions

Are we deploying AI in line with our strategy and values? What is our AI risk appetite?

Audit / Risk Committee

AI risk frameworks, regulatory compliance, internal audit of AI controls, third-party AI vendor risk, EU AI Act obligations

Are our AI controls adequate? Are we compliant? What does the audit trail show?

Remuneration Committee

AI used in performance evaluation or pay decisions — ensuring AI isn't introducing bias into compensation processes

Is AI influencing pay or promotion decisions? Is that lawful and fair?

Nomination / Governance Committee

Board composition and AI expertise gaps, director AI education, succession planning for AI-related executive roles

Does the board have adequate AI literacy? Who do we need to add?

ESG / Ethics Committee

AI's impact on people — workforce, customers, communities — bias and fairness, environmental impact of AI infrastructure

Is our AI treating people fairly? What is our AI's environmental footprint?

Reporting rhythm

What good AI reporting to the board looks like

The board should receive structured AI reporting at minimum quarterly for high-risk AI. Good reporting covers five areas: progress against AI strategy and key value metrics; compliance programme status (EU AI Act milestones, regulatory developments); AI risk posture (inventory status, high-risk systems, residual risks); significant incidents, near-misses, and remediation; and emerging external threats (regulation, litigation trends, third-party risks).

Only about 15% of boards currently receive AI-related metrics. That means 85% are making oversight decisions without data.

Framework

The three lines model applied to AI

First line: Business units and AI teams — own the risk, operate the controls, implement responsible AI day to day.

Second line: Risk, compliance, legal — set the framework, provide oversight, challenge the first line, ensure regulatory compliance.

Third line: Internal audit — independently verifies the first and second lines are working. AI should be on the internal audit plan. The Audit Committee oversees this layer.

Emerging role

The Chief AI Officer (CAIO)

A growing number of large organisations are appointing a dedicated Chief AI Officer — a C-suite role that owns AI strategy, governance, and risk across the enterprise. Where this role exists, it typically has a direct line to the board or risk committee. Where it doesn't, the board should understand who functionally carries that responsibility — and whether their mandate, resources, and seniority are adequate.

The vocabulary of boardroom AI conversations — terms you'll encounter in governance documents, regulatory guidance, and director briefings.

AI Risk Appetite
The board's formal tolerance statement
A board-approved statement defining the level and types of AI-related risk the organisation will accept in pursuit of its objectives. Without a defined appetite, management has no mandate and the board has no baseline to assess compliance. Distinct from risk tolerance (operational limits) and risk capacity (maximum absorbable risk).
AI Washing
The new greenwashing — with legal teeth
Making false, misleading, or exaggerated claims about AI capabilities, ethics, or governance. The SEC has already pursued AI washing as securities fraud. Boards must ensure management's external AI communications — in investor materials, marketing, ESG reporting — are accurate and defensible.
Fiduciary Duty
The legal baseline for directors
The legal obligation of directors to act in the best interests of the company and shareholders. Courts are treating AI oversight as part of this duty — particularly where AI failures cause material harm or where directors failed to implement any oversight mechanism for mission-critical AI systems.
Oversight Duty (Caremark)
The US case law baseline
Delaware corporate law doctrine establishing that directors must implement reasonable systems to stay informed about material risks — and that failing to do so is itself a breach of duty. Legal practitioners are actively applying Caremark to AI governance: a board with no AI oversight mechanism has legal exposure when AI harms occur.
AI Literacy
Required — not optional
Sufficient understanding of AI concepts, capabilities, and risks to discharge oversight responsibilities. The EU AI Act includes explicit AI literacy obligations. For directors, literacy doesn't mean technical expertise — it means being able to ask the right questions, interpret management's answers, and identify when something doesn't add up.
Three Lines Model
Structured defence-in-depth
A governance framework with three accountability layers: first line (business units own and manage risk), second line (risk and compliance set frameworks and oversee), third line (internal audit provides independent assurance). Applied to AI, it gives boards a structured way to verify controls are working — not just that policies exist.
Chief AI Officer (CAIO)
Named C-suite accountability
A senior executive responsible for AI strategy, governance, risk, and ethics across the enterprise. Growing rapidly but not yet universal. Where this role doesn't exist, someone else is carrying the responsibility — the board should know who, with what mandate, and whether it's adequate.
AI Inventory
The governance foundation
A comprehensive register of all AI systems used, deployed, or procured by the organisation — including third-party and embedded AI. Records each system's purpose, owner, risk tier, data inputs, and governance status. Required for EU AI Act compliance. You cannot govern what you cannot see.
Material AI Risk
What rises to board level
AI-related risk significant enough to warrant board awareness and oversight. Materiality thresholds should be formally defined. Indicators include: EU AI Act high-risk classification, significant customer or employee impact, potential regulatory penalty, or reputational exposure at scale.
Human Oversight (AI)
Mandatory for high-risk AI
The requirement that humans retain meaningful ability to understand, monitor, intervene in, and override AI decisions — mandatory under EU AI Act Article 14 for high-risk systems. At board level, it's an accountability question: who catches AI errors, and do they have the authority and capability to act?

The real conversations that happen in boardrooms and with C-suite sponsors. Depth and specificity here — not just framework awareness — is what builds credibility and opens engagements.

When a director asks: "Surely AI governance is management's job — why should the board be involved?"
The board is responsible for overseeing the management of all material risks — and AI has become a material risk for most organisations. When an AI system causes discrimination, a data breach, or a significant failure, regulators and shareholders will ask what the board knew and what it did about it. That's not a question management can answer on the board's behalf. The board can't claim oversight without evidence of engagement — and you can't govern what you don't understand. This is why board AI literacy and structured AI reporting are no longer optional.
When a CEO says: "We have responsible AI policies in place — we're covered."
Policies are a starting point, not a destination. The real questions are: Has the board formally approved those policies? Are they enforced in practice, or are they aspirational documents on an intranet? Has anyone tested whether the controls actually work? Does management report AI risk to the board regularly? Only about 15% of boards currently receive AI-related metrics — meaning in most organisations, the policy exists but the oversight loop is broken. A policy without board visibility is governance theatre, not governance.
When a board chair says: "We don't have anyone with AI expertise on the board."
That's the most common and most honest starting point — and it's addressable through three levers: director education (regular AI briefings from management, external experts, or structured programmes), external advisors (bringing AI governance expertise into the boardroom without changing composition), and longer-term board refreshment (adding a director with relevant expertise at the next opportunity). The goal isn't for every director to become a data scientist. It's for the board collectively to ask the right questions and recognise when answers don't stack up. That's achievable with the right support.
When a risk committee chair asks: "What should we actually be getting in our AI reporting?"
Effective AI board reporting covers five areas: strategy progress (are we getting value from AI investments?), compliance status (EU AI Act milestones, regulatory developments), risk posture (what's in the inventory, what are the high-risk systems, what's the residual risk?), incidents and near-misses (what went wrong and what was done about it?), and emerging threats (new regulations, litigation trends, third-party risks). Most boards get none of this systematically. Establishing that reporting cadence is typically the most valuable first intervention — it creates the information flow that makes all other governance possible.
When a GC asks: "What's our actual legal exposure if an AI system causes harm?"
It's real, multi-vector, and growing. In the EU: fines up to 3% of global turnover for high-risk non-compliance, plus updated product liability rules that can hold providers liable for AI-caused harm. In the US: SEC AI washing enforcement, state-level AI laws (Colorado's AI Act is already in force), and the Caremark doctrine creating board-level liability for governance failures. There's also the plaintiff's bar, actively watching AI discrimination and bias cases. Organisations with documented governance, risk assessments, and incident response will be in materially better shape than those relying on goodwill when a claim arrives.
The framing that opens boardroom doors

Lead with upside, anchor with obligation

The most effective entry point isn't fear — it's the combination of performance and obligation. Boards with AI literacy outperform by nearly 11 percentage points in ROE. Governance isn't a drag on AI adoption; it's the foundation that makes confident, scalable deployment possible. The framing that lands: "The organisations that govern AI well will use it more boldly — because they've earned the right to."

Board-level AI governance is where abstract frameworks meet real accountability. These questions test whether you can apply the concepts — not just recall them.

Recall — the basics
What are the four pillars of board AI governance?
1. Strategy & Ambition — understanding and challenging management's AI strategy, including the risk of NOT adopting AI.

2. Risk & Compliance — ensuring AI risks are integrated into enterprise risk management, not treated as a side project.

3. Accountability & Structure — ensuring clear executive ownership of AI governance and a defined reporting line to the board.

4. Performance & Metrics — receiving regular AI metrics (not just activity reports) that enable genuine oversight of outcomes and risks.
What percentage of boards currently receive AI-related metrics — and why does this number matter?
Only 15% of boards currently receive AI-related metrics. This matters because it means 85% of boards are being asked to oversee a technology they have no visibility into. You cannot govern what you cannot see. The minimum boards should be receiving: ROI by business unit, incident rates and trends, regulatory alignment status, and workforce AI literacy progress. The absence of these metrics is itself a governance failure.
What is a Chief AI Officer — and what makes the role effective vs ineffective?
The CAIO is the senior executive responsible for AI strategy, governance, and risk management. CAIO recruitment has tripled in five years; the US federal government mandates the role in all agencies.

Effective CAIO: clear mandate, decision-making authority, defined relationship with CRO and General Counsel, direct board reporting line.

Ineffective CAIO: buried in the technology team, no board access, jurisdictional disputes with existing CIO/CDO, no authority to say no to a deployment. A CAIO without authority is an expensive placeholder.
Scenario questions
A board member says: "We have an AI ethics policy on our website — that covers our governance obligations." What's your response?
An ethics policy says "we believe in fairness." A governance framework says "here's who is accountable, here's how we test it, here's what happens when it fails."
An ethics policy is a starting point — fewer than 25% of companies have moved beyond it to a board-approved, structured AI governance framework. The gap between them is where AI incidents happen. Ask: "If your hiring AI produced discriminatory recommendations tomorrow — who would know first? Who would decide whether to pause the system? Who would communicate to affected candidates? Who would report to regulators?" If those answers involve committees or teams rather than named individuals, the ethics policy hasn't translated into governance.
A company's AI incident rate has increased 40% over 18 months. Management presents this to the board as "expected growth in AI activity." What questions should the board ask?
AI incidents increased 32% industry-wide in 2024. Growth in incidents with growth in AI use may be inevitable — but the rate matters, as does the trend relative to peers.
The board should ask: Is the incident rate growing faster or slower than AI deployment? What types of incidents are occurring — bias, hallucination, security breaches, performance failures? What is the remediation time for each incident type? Is the incident definition consistent — are we capturing the same types of events we were 18 months ago? And critically: what governance changes has management made in response to the trend? Accepting incident growth as "expected" without asking what's being done about it is passive oversight, not governance.
A board is considering whether to appoint a director with AI expertise. A long-standing director argues the existing board has sufficient technology experience from their IT backgrounds. Who's right?
66% of directors report limited to no AI knowledge or experience. IT experience from the 1990s–2010s doesn't translate to AI governance fluency.
IT experience covers infrastructure, software development, cybersecurity, and digital transformation. AI governance requires understanding of fundamentally different risks: model drift, hallucination, bias amplification, socio-technical failure modes, and the specific regulatory landscape of the EU AI Act. MIT research shows organisations with AI-savvy boards outperform peers by 10.9 percentage points in return on equity. The case for AI expertise on the board is quantitative, not just qualitative — and the AI skills matrix should be an explicit recruitment criterion, not an afterthought.

The research and frameworks behind this guide — drawn from the leading governance bodies, consulting firms, and academic institutions working on board-level AI oversight.

Primary research
Building Enterprise AI Maturity — MIT CISR
Peter Weill, Stephanie Woerner, Ina Sebastian · MIT Center for Information Systems Research · December 2024
The research behind the 10.9 percentage point ROI advantage for AI-savvy boards. Based on a 2022 survey of 721 companies supplemented with 2024 executive interviews. One of the most cited quantitative studies on AI governance and financial performance.
Elevating Board Governance Through AI Posture and Archetypes
McKinsey & Company · December 2025
McKinsey's analysis of how boards can evolve their AI governance — based on interviews with directors from 75 boards. Covers board AI posture, committee structures, and the gap between AI adoption and oversight.
Strategic Governance of AI: A Roadmap for the Future
Deloitte LLP · Harvard Law School Forum on Corporate Governance · April 2025
Deloitte's AI Governance Roadmap applied to the board context — including guiding questions for each governance domain and the board's role in strategy, risk, accountability, and performance.
Standards & frameworks
Director Essentials: Implementing AI Governance
National Association of Corporate Directors (NACD) · 2025
The NACD's practical framework for board AI oversight — including the 4-pillar model, survey data on board AI activities, and scenario-specific guidance for directors.
ISO/IEC 42001:2023 — AI Management Systems
International Organization for Standardization · 2023
The certifiable AI management system standard. Sets requirements for governance structures, risk management, and accountability that boards can use as a benchmark for assessing management's AI governance programme.
Further reading
AI Governance: A Guide to Responsible AI for Boards
Diligent Institute · January 2026
Current survey data on board AI governance readiness, including the finding that only 29% of organisations have comprehensive AI governance plans. Covers global regulatory context including EU, UK, US, and APAC approaches.
Using AI in the Boardroom — New Opportunities and Challenges
PricewaterhouseCoopers · Harvard Law School Forum · November 2025
PwC's 2025 Annual Corporate Directors Survey findings on how boards are using AI in their own governance processes — and the opportunities and risks that creates.