AI Governance Is Becoming a Board-Level Responsibility

Executive summary

Artificial intelligence’s development in the past decades has shaken the corporate world, moving it beyond information technology departments and into a wider variety of departments across an organisation, such as governance, risk, legal, and executive leadership. But AI comes with its own risks, meaning regulatory obligations, compliance requirements, and reputational exposure now require direct board attention.

For most of the past decade, given its then limited scope, organisations treated artificial intelligence primarily as an engineering matter. It was managed by data science teams and discussed mainly in terms of compute budgets, model data, and release schedules. Boards relied on IT management to handle the detail of AI, but AI is now used across all sectors and departments. Its wide accessibility and readily available software such as ChatGPT make it easy for any individual to use. However, this has also made AI easier to misuse, since using it no longer requires specialised expertise.

Across the world, regulatory developments, documented corporate failures, and increased public scrutiny are placing AI governance directly within the remit of executive leadership and the board. Boards are now required to incorporate AI into the organisation while managing the risks it introduces, which requires the proper frameworks and fluency to be put in place before an incident occurs.

From infrastructure to institutional responsibility

When a bank’s lending algorithm systematically disadvantages applicants from a particular demographic, this is not a data engineering matter. When a healthcare provider’s diagnostic system produces outputs that cannot be explained to a regulator or a patient, this is not a product defect. When a recruitment platform’s screening model penalises candidates on the basis of which university they attended, the resulting liability falls to the board.

In each of these examples, all of which have occurred in recent years, the consequences are institutional rather than technical. Regulatory censure, reputational damage, legal exposure, and loss of stakeholder trust fall within the responsibilities of governance, risk, and executive leadership.

Boards that treat artificial intelligence as a technology matter rather than a governance matter are repeating the error that boards made with cybersecurity fifteen years ago, and many are discovering this only after the fact.

In the early 2000s, organisations generally regarded data security as an IT function. A series of significant breaches, together with the regulatory and legal consequences that followed, established cybersecurity as a standing item on board agendas. AI governance is following a comparable path, although the timeframe is considerably shorter, given that the pace of AI adoption has been significantly faster in recent years.

The regulatory environment

The European Union’s AI Act, which began applying in phases from 2024, is currently the most comprehensive legal framework for artificial intelligence. It classifies AI systems according to risk level, imposes conformity requirements on high-risk applications, and requires transparency and human oversight measures that apply directly to the organisations deploying these systems. Non-compliance carries penalties of up to €35 million or 7% of global annual turnover, whichever is greater, a significant amount, especially for SMEs that directly use AI systems in their organisation.

In the United States, federal agency guidance and state-level legislation continue to develop. The Equal Employment Opportunity Commission has issued guidance addressing employer liability for discriminatory outcomes produced by AI hiring tools, and the Federal Trade Commission has indicated that algorithmic deception falls within its enforcement remit. Additionally, several states have enacted, or are considering, legislation that requires algorithmic impact assessments for consequential automated decisions.

Regulators in the United Kingdom, Canada, Singapore, Brazil, and Japan are developing or implementing comparable frameworks; South Africa is similarly in the process of drafting national AI policies. The position taken by governments internationally is that organisations deploying AI bear responsibility for its outputs, and that a lack of understanding of how a system operates does not constitute a defence.

Six governance risks requiring board attention

The regulatory frameworks that governments are implementing aim to make AI use safer for individuals and companies alike, but they place the burden of compliance directly on the organisations that use AI. This requires boards to take ownership of the obligations those frameworks impose, while addressing the broader risks that AI deployment introduces across their operations. These risks include:

Accountability gaps

When AI causes harm, who is responsible? Boards must establish clear ownership chains from development through deployment and ensure ongoing monitoring for prompts and access.

Compliance exposure

With regulations across the EU, the US, and Asia, boards risk personal liability if their governance structures are absent or performative. Hence, companies should set strict compliance goals to protect themselves and adhere to them.

Algorithmic bias

Models trained on historical data can encode and amplify discrimination. Without ongoing auditing, organisations face discriminatory outcomes at scale, which can harm individuals, while damaging the company’s reputation.

Transparency deficits

Regulators, customers, and courts increasingly demand explainability. ‘The model decided’ is not an acceptable answer when consequential decisions affect people’s lives. AI hallucinations, or fabricated results, can also affect a company’s responses. Companies should double-check the results given by AI.

Ethical failures

Beyond legality, stakeholders expect AI use to align with the company’s stated values. Ethical misalignment erodes trust with employees, customers, and investors.

Reputational damage

AI failures travel fast. A discriminatory outcome, a biased recommendation engine, or a misused data practice can produce a reputational crisis that outpaces legal exposure.

Establishing meaningful board oversight

There is a distinct difference between performative and substantive AI governance, and boards that fail to distinguish between the two leave their organisations exposed. Issuing an AI ethics statement, or appointing a Chief AI Officer, without corresponding structural oversight does not constitute governance. Effective governance requires boards to move from passive awareness to active accountability. This does not mean every director needs to have technical expertise in machine learning, but rather it requires the board to ask the appropriate questions, to commission the appropriate structures, and to hold management accountable for providing credible answers.

Board guidelines to address in AI governance

  • Establish an AI risk committee or extend the mandate of the existing audit and risk committee to include AI, with dedicated agenda time and access to independent technical advisors.
  • Commission an internal inventory of AI and automated decision-making systems in use across the organisation, classified by risk in line with applicable regulation.
  • Make algorithmic impact assessments a requisite for any AI system that makes or materially influences decisions affecting customers, employees, or other third parties.
  • Mandate human oversight mechanisms in operational practice, not solely in policy, for all high-risk AI applications.
  • Approve an internal AI use policy covering third-party model use, employee use of AI tools, data handling, and incident response.
  • Establish an escalation and incident response pathway for AI-related failures, with defined accountability at board, executive, and operational levels.
  • Invest in board-level AI literacy through structured briefings and external advisors, while retaining independent judgement rather than deferring to those whose interests may not align with the organisation’s.

Internal policy as a governance requirement

Public discussion of AI governance often ignores the internal policy environment. Organisations deploy AI in two main directions: externally, in products and services offered to customers, and internally, in tools used by employees. Both carry governance obligations, but internal deployment is commonly overlooked.

Generative AI tools have been adopted within organisations at a pace that governance structures have not kept up with. Employees routinely use large language models for drafting, analysis, research, and decision support, often without formal guidance on what data may be shared, how outputs should be verified, or what limitations apply. This represents a systemic risk affecting intellectual property, data privacy, regulatory compliance, and professional liability.

A credible internal AI policy addresses each of these areas: permissible use cases, data classification rules, requirements for human review, vendor assessment processes, and employee training. Developing such a policy requires cross-functional input from technology, legal, human resources, risk, and operations, together with board-level endorsement to ensure it carries the necessary authority.

The transparency challenge

AI presents boards with a challenge that does not arise in the same form with other technologies: the opacity of complex models. A board can review a financial model in detail, but it cannot yet review a deep learning system used for credit decisions in the same way. As a result, the systems with the greatest capability are often the most difficult for governance structures to scrutinise, while being the most consequential to scrutinise effectively.

Organisations should be able to explain how AI decisions are reached, and this requirement should be embedded directly from the point of procurement and development. Additionally, auditing AI models, whether through internal teams or external specialists, should be a standard operational requirement.

Reputational exposure

For many organisations, the reputational dimension of AI governance carries greater immediate consequence than the regulatory dimension. Public tolerance for AI-related failures involving bias, discrimination, or misuse of personal data has declined significantly as awareness of these issues has increased. Incidents that would previously have remained within specialist coverage now routinely attract public attention.

This changes the calculation boards must apply to AI risk. Reputational risk does not resolve when a legal case concludes. If damage is done to communities, it harms multiple parties, including the organisation held accountable.

Organisations with demonstrable governance structures, rather than policies that exist only on paper, are better positioned to respond when an incident occurs. The distinction between a crisis that is managed and one that escalates frequently depends on the quality of the governance infrastructure in place beforehand.

A narrowing window for proactive governance

Boards currently have an opportunity to address AI governance proactively rather than in response to an incident. Regulatory timelines continue to advance, litigation concerning AI outcomes is increasing, and institutional investors and proxy advisors are beginning to incorporate AI governance into their assessments of board quality and organisational risk. Organisations that establish robust governance structures now are likely to gain advantages in regulatory relationships, talent retention, and stakeholder trust that will be difficult to replicate later.

In conclusion, the boards best positioned to manage this are those that recognise AI has altered the risk landscape, that establish governance structures proportionate to that change, and that ensure those structures function in practice rather than serving a primarily symbolic purpose.