01 Sep 2025 26 min read AI Governance

What Boards Need to Know About AI (Without the Hype)

Executive Context

Artificial intelligence (AI) is now a board-level issue, moving from tech buzzword to tangible driver of risk and opportunity. In the past year, hundreds of major companies have begun flagging AI as a material risk in their annual reports – 281 of the Fortune 500 did so, a 473% increase from the prior year[1]. This spike reflects hard lessons from real incidents: a New York City chatbot offered illegal HR advice (telling businesses it was okay to fire workers for harassment complaints)[2]; a healthcare algorithm systematically under-treated Black patients needing extra care[2]; and an online real estate platform’s flawed AI model led to a $300+ million write-off and mass layoffs[3]. In short, the AI “revolution” is here and already creating board-worthy headaches alongside its much-hyped benefits.

Board directors can no longer delegate or defer AI oversight. Regulators and investors are beginning to demand accountability for AI’s impacts. The EU’s groundbreaking AI Act will start banning the most harmful AI practices and imposing strict duties on “high-risk” AI systems from 2025[4][5]. In the U.S., federal agencies are cracking down on “AI washing” – companies making exaggerated or false AI claims – under existing fraud and consumer protection laws[6]. Globally, 70+ jurisdictions have launched over 1,000 AI policy initiatives aligned to the OECD’s Principles for Trustworthy AI[7]. And a coalition of 28 countries just signed the Bletchley Park Declaration, pledging to rein in the risks of powerful “frontier AI” models while fostering safe innovation[8][9].

All this translates into a new mandate for boards. Directors must ensure their organizations harness AI’s benefits (from efficiency gains to new revenue streams) without stumbling into the well-documented pitfalls (bias, privacy breaches, safety failures, etc.). This demands a proactive, informed oversight approach that cuts through tech industry hype. As one governance expert bluntly put it, “AI is quickly becoming a critical responsibility” for boards, yet its fast-evolving, “black box” nature makes traditional oversight challenging[10]. The boardroom will need to raise its technology fluency, ask tougher questions, and insist on credible evidence that AI systems are safe, fair, and under control – not just innovative or profitable. In sum, effective AI oversight is now a boardroom imperative, not a futurist talking point. The sections below provide a clear-eyed, actionable framework for directors to govern AI without the hype.

Board Duties and Scope

Directors have a fiduciary duty to oversee “mission-critical” risks and opportunities – and AI now squarely fits that description[10]. A first step is to clarify where AI oversight sits in the board’s structure. Recent data show boards taking a variety of approaches: in over half of companies, the full board retains primary AI oversight (57%), while others delegate it to an existing committee (17% assign it to the Audit Committee, for example)[11]. Only a minority have created dedicated AI committees so far, and in fact less than 15% of S&P 500 boards even disclosed AI oversight in 2023 – usually tech or risk committees where they exist[12]. Best practice is emerging to treat AI like cybersecurity: the full board should set expectations and periodically review AI strategy and risk, while a committee (Audit, Risk, or Technology) handles deep dives and reports back[13]. Regardless of structure, the board as a whole remains accountable for ensuring AI is managed responsibly.

A glaring challenge is expertise. According to one analysis, fewer than 13% of large-cap boards have a director with AI experience, and two-thirds of boards admit to “limited to no knowledge” of AI matters[14][15]. This skills gap is a liability in the making[16]. Boards should urgently address it by upskilling current directors (through AI education sessions, reading groups, even certification programs) and by recruiting new directors or advisors with relevant backgrounds[17]. Indeed, 40% of boards are rethinking their composition due to AI impacts[18][19]. AI literacy at the board level need not mean coding ability, but directors must grasp key concepts (like machine learning limitations, data biases, model validation) to ask management the right questions. As a Forbes headline warned, “AI-illiterate directors are the new liability” for boards[16].

Another duty is setting the tone at the top. Directors should ensure management establishes a clear AI governance framework and ethical guidelines, and that these cascade into training, policies, and culture[20][21]. Boards might formally approve a corporate Responsible AI Policy that codifies principles like fairness, transparency, and accountability, as GlaxoSmithKline’s board did (GSK’s policy has five principles ranging from “Ethical Innovation & Positive Impact” to “Transparency & Accountability”[21]). Beyond paper policies, the board must insist on processes: AI inventory and risk assessments, documented model reviews, incident escalation protocols, etc. (See the Risk Taxonomy & Controls section for specifics.)

Crucially, directors should avoid crossing into management territory even as they increase oversight. The mantra “noses in, fingers out” still applies[22]. This means boards advise, question, and verify; management executes. For example, the board should ask for and review AI risk reports, but not micromanage technical model choices. Maintaining this balance can be tricky with novel tech – a well-intentioned board eager to understand AI may veer into implementation details. Clear charters and role definitions help: management might maintain an AI Risk Committee internally, chaired by a Chief AI Officer or similar, with the board receiving regular updates and having the authority to challenge decisions at a high level.

Key Board Oversight Questions: Boards can use a structured set of questions to frame their oversight of AI initiatives. For instance:

· Strategic Value: “How is management using (or planning to use) AI for competitive advantage? Are we leveraging AI in key functions (product development, operations, customer experience), and what are competitors doing?[23]

· Risk & Responsibility: “What governance and risk controls are in place for our AI systems?” Do we have processes to test AI models for accuracy, bias, cybersecurity vulnerabilities and other risks before deployment? How do we ensure human oversight of high-impact AI decisions?[24]

· High-Risk AI: “Which AI applications in our business are considered high risk, and why?” What data are they trained on, and what could go wrong (e.g. legal, ethical, reputational damage) if they malfunction?[25][26]

· Talent & Culture: “Do we have the right talent and culture for responsible AI?” How are we upskilling employees on AI, and have we defined roles (like an AI governance lead)? Are we fostering a culture where staff can flag AI concerns without fear?[27]

By raising questions like these – and expecting evidence-based answers – boards signal that AI is being treated with appropriate gravity. This engaged oversight also prepares the board to respond to external stakeholders. Institutional investors have started asking pointedly about AI oversight (some shareholder proposals in 2024 even demanded boards formally assign responsibility for AI risks and disclose their approach)[28][29]. In sum, the board’s scope now spans not only embracing AI’s upside but policing its downside. Directors must elevate AI governance to the same level of rigor as financial oversight or cyber risk – it’s now part of the fiduciary remit.

Risk Taxonomy and Controls

AI-related risks are diverse and can be severe. A clear taxonomy of these risks helps boards ensure none are overlooked. Below we outline key risk categories – and the controls or mitigations boards should expect management to deploy for each:

Bias and Discrimination: AI systems can inadvertently perpetuate bias from historical data, leading to unfair or illegal outcomes. For example, Amazon’s experimental hiring AI had to be scrapped after it “taught itself” that male candidates were preferable – even downgrading résumés that mentioned “women’s” activities[30]. Likewise, Apple’s credit card algorithm was accused of offering lower credit limits to women than men with similar qualifications[31][32]. Controls: Robust bias testing and auditing are a must. Frameworks like ISO 23894 (AI Risk Management) specifically guide organizations to assess training data for historical biases, use diverse datasets, and test model outputs for fairness across demographics[33]. Boards should ensure management is conducting bias impact assessments and can show metrics (e.g. error rates or loan approval rates by gender/race) to prove models aren’t discriminating. In high-stakes uses, having an independent AI ethics or fairness audit is advisable. Regulators, too, are sharpening their gaze – the EEOC and CFPB have warned they will penalize biased AI outcomes under existing anti-discrimination laws.
Lack of Transparency (“Black Box” Models): Many AI models (especially deep learning networks) are opaque, making it hard to explain their decisions. This opacity erodes trust and complicates compliance in regulated sectors. A notorious case in healthcare: a widely used ML algorithm for identifying high-risk patients was found to systematically underestimate the needs of Black patients, partly because it relied on flawed proxies (past healthcare spending) that baked in existing inequities[34]. Neither doctors nor the makers fully understood the model’s logic until external researchers probed it. Controls: The board should insist on Explainability measures. Management might employ “XAI” tools – e.g. Local Interpretable Model-Agnostic Explanations (LIME) or SHAP values – to interpret complex model outputs[35]. For critical decisions (medical, financial, etc.), consider simpler, inherently interpretable models if possible[36]. Human review should be mandated for AI-driven decisions that materially affect individuals’ rights (credit denials, job applicant screenings, etc.). The board should also verify that model documentation is in place (data sources, model features, known limitations) – akin to an AI “audit trail” for accountability.
Privacy and Data Protection: AI’s hunger for data can lead to overly invasive practices or massive data breaches. AI models may infer sensitive attributes or leak personal information. A famous cautionary tale was Cambridge Analytica’s misuse of Facebook data to profile and manipulate millions of citizens, highlighting how AI-driven analytics can violate privacy at scale[37]. More recently, generative AI tools have raised alarms by regurgitating chunks of their training data (which might include private text or code). Controls: Boards should ensure compliance with data protection laws (GDPR, etc.) when AI is involved. Techniques like differential privacy (adding statistical noise to outputs), federated learning (keeping personal data on device), and encryption (homomorphic encryption allowing computation on encrypted data) can mitigate privacy risks[38]. Data minimization is key – collect and retain only the data truly needed for the AI’s purpose[39]. Regular privacy impact assessments (PIAs) for AI projects should be standard, with board oversight especially if AI handles customer or employee personal data. If AI systems are ingesting third-party data, boards should ask if proper rights and consents are in place – scraping public data without clear consent, for instance, can lead to legal and ethical challenges (as the facial recognition firm Clearview AI discovered in global regulatory backlash).
Safety and Reliability: In certain applications, AI system failures can cause physical harm or large-scale disruption. Autonomous vehicles and AI-powered medical devices are prime examples – an error can be literally life-threatening. Even in non-physical domains, “AI gone wrong” can wreak havoc: consider the real estate algorithm that overshot on home purchases, forcing fire-sales (Zillow’s $300M loss)[3], or algorithmic trading bots that have triggered flash crashes in financial markets. Controls: Rigorous testing and validation is non-negotiable. AI systems should undergo scenario-based stress tests to see how they handle edge cases. For instance, formal verification methods can mathematically prove certain AI-controlled systems (like an aircraft autopilot) will not violate safety constraints[40]. Red-teaming and adversarial testing can expose how AI might fail under malicious input. Management should also establish fail-safes and human-in-the-loop mechanisms: e.g. an autonomous vehicle should have clear handoff protocols for a human driver or remote operator if the AI encounters conditions it can’t handle. The board should inquire about incident response plans specific to AI – if an AI system does misfire (say, a chatbot goes off the rails with harmful content or a robo-advisor makes a bad trade), is there a procedure to quickly intervene, patch the system, and notify affected parties or regulators if needed? High-reliability organizations (banks, airlines, hospitals) are already used to such drills; AI adds a new layer requiring tech expertise plus cross-functional coordination (IT, legal, PR).
Cybersecurity and Malicious Use: AI systems present new attack surfaces and threat vectors. Adversaries might try to poison training data to skew AI outputs, or exploit known model weaknesses (for example, tricking image recognition with specially crafted inputs). There is also risk of insiders or bad actors misusing AI – e.g. to generate deepfakes, automate phishing, or otherwise supercharge fraud. Controls: Boards should treat AI security as part of cyber risk oversight. Ask management about controls like dataset provenance checks (to prevent training on tampered data) and model resilience testing against adversarial examples. NIST’s guidance suggests organizations should “continuously evaluate AI systems for vulnerabilities and maintain security controls throughout the AI lifecycle”[41]. If using third-party AI services or models, supply chain due diligence is vital – e.g. ensure cloud AI vendors follow strong security practices and that open-source models are audited for backdoors. Some firms are instituting AI model inventories with each model’s criticality and a mapped threat profile. From a policy angle, an Acceptable Use Policy for employee use of external AI (like ChatGPT) is wise, to prevent inadvertent leaks of proprietary data or compliance breaches.
Legal and Regulatory Compliance: AI can implicate a web of laws – consumer protection, employment law, product liability, data rights, intellectual property, and emerging AI-specific regulations. The board must ensure the company’s AI use does not run afoul of these. For example, if an AI marketing tool profiles users in a way that triggers GDPR “automated decision” rules, or a hiring algorithm inadvertently violates equal opportunity laws, the legal exposure is real. The EU AI Act’s risk-based requirements (banning some practices, heavily regulating “high-risk” AI like in hiring or credit) mean companies operating in Europe will need compliance programs for AI systems[4][5]. Controls: Management should integrate AI into the compliance function. This might entail new AI compliance assessments before deploying systems in areas like HR, finance, or customer-facing apps. The board should ask: Are we tracking evolving AI regulations in all our operating markets? If operating in the EU or other strict regimes, has management done a gap analysis of our AI systems against those rules? In the U.S., while no omnibus AI law exists, agencies like the SEC and FTC are enforcing existing laws on AI representations and outcomes. Notably, in 2023 the SEC charged firms for misleading investors about AI capabilities (“AI-washing”)[42] – a reminder that what the company says about AI must be truthful and backed by evidence. One practical control is for Legal to review all marketing and sales language involving AI, to ensure it’s accurate and doesn’t over-promise (or invite lawsuits). Another is contractual risk transfer – when buying AI solutions or data, ensure contracts have appropriate reps, warranties, and indemnities related to AI performance and compliance.
Ethical and Reputational Risks: Beyond hard law, AI can cross ethical lines that spark public backlash or employee dissent. For instance, deploying AI surveillance on workers or AI algorithms that influence public opinion (e.g. social media algorithms amplifying harmful content) can damage trust and brand value. There’s also the macro risk of AI-driven job losses creating reputational issues if not managed responsibly. Controls: Many of these are mitigated by the same frameworks of fairness, transparency, and accountability noted above. In addition, boards should encourage stakeholder engagement around AI – for example, some companies have set up external AI Ethics Advisory Boards including civil society voices, to review controversial use-cases. Scenario planning can help: has management considered how stakeholders (customers, regulators, media) might react to our use of AI X in situation Y? For workforce impacts, boards might request a report on how AI/automation will affect jobs and what the plan is for retraining or transition (a topic of a 2024 shareholder proposal as well)[43][44]. The board’s oversight here connects to ESG concerns – responsible AI governance is increasingly seen as part of the “Social” and “Governance” aspects of ESG, with investors watching closely[45][29].

This risk taxonomy is not static – as AI technology evolves, new risks will emerge (e.g. the current attention to “frontier” AI that could produce deceptive content or biological/cyber weapons, as flagged in the Bletchley Declaration[46]). But by establishing a structured view of AI risks now, boards can at least ensure the basics are covered. A useful exercise is to have management present an AI Risk Register mapping all significant AI systems the company uses or provides, the associated risks (from the categories above), and the controls in place for each. The board doesn’t need to review every model, but should sample a few – especially any “crown jewel” AI projects or any classified as high-risk under forthcoming laws – to validate that risk management is not just checkbox compliance but real and effective. Remember, “AI risk management is a key component of responsible AI” and ultimately of maintaining trust[47][48]. Boards that demand a strong risk-control framework will not only reduce downside exposure, they’ll actually enable the organization to innovate with AI more confidently and sustainably.

Assurance and Disclosure

How can a board gain confidence that the AI risks outlined above are truly under control? This is where assurance mechanisms come in – the audits, validations, and disclosures that provide evidence of trustworthy AI. Given AI’s complexity, boards should lean on both internal and independent assurance processes.

One emerging touchstone is the NIST AI Risk Management Framework (AI RMF), which many organizations are using as a voluntary baseline for AI governance[49]. NIST’s framework encourages a lifecycle approach (Govern, Map, Measure, Manage) to identify and mitigate AI risks, and it emphasizes characteristics of “trustworthy AI” like validity, fairness, transparency, security, and accountability[50][51]. Boards can ask management whether they have adopted NIST AI RMF or a similar standard – and if so, to provide a high-level AI Risk Management Policy or charter that codifies these practices. Adopting such frameworks signals a proactive stance and can serve as a common language when reporting to the board.

Increasingly, external certification and audits will play a role in AI assurance. Notably, the world’s first AI management system standard, ISO/IEC 42001:2023, was published recently to provide a structured way for organizations to “ensure responsible development and use of AI systems,” with requirements on leadership oversight, risk planning, ongoing monitoring, and continuous improvement[52][53]. Forward-looking companies (like some in finance and tech) are already seeking ISO 42001 certification as a mark of AI governance maturity[54]. Boards need not get into the weeds of ISO clauses, but if your management claims to follow “best practices,” an ISO certification is one way to validate it. Even more interesting, the British Standards Institution (BSI) just released a companion standard (BS ISO/IEC 42006:2025) – the first standard for certifying the AI auditors themselves[55][56]. This standard sets competency criteria for firms that audit AI systems, aiming to prevent a “wild west” of unqualified AI audit providers[57][58]. In practical terms, within a year or two we may see Big Four firms and others offering formal AI audit reports somewhat akin to financial audits[59]. Boards should stay alert to this trend – credible third-party validation of AI systems (for bias, security, etc.) could become a differentiator in the market and a requirement from business partners or regulators.

Internally, assurance functions like compliance, internal audit, and risk management need to evolve to include AI. For example, the board’s Audit Committee should verify that Internal Audit has added AI controls to its audit plan – whether auditing the development process of AI models, the data governance around AI, or adherence to stated AI policies. Some companies have created “model risk management” teams, originally for financial models, now expanded to cover AI algorithms enterprise-wide, providing independent review and challenge to data science teams. The board should inquire: Do we have clear second-line and third-line roles for AI oversight? (Second-line meaning risk/compliance monitoring; third-line being internal audit). If management asserts that the AI is too novel for existing auditors to understand, that is a red flag – it suggests skills need to be built or external experts brought in.

Transparency is another pillar of assurance. Both regulators and investors are calling for AI-related disclosure. The U.S. NTIA (National Telecommunications and Information Administration) has noted that “robust evaluation of AI capabilities, risks, and fitness for purpose is still emerging” and calls for an ecosystem of independent AI system evaluation and “more information” about AI systems to enable trust in the marketplace[60]. In practice, companies can expect pressure to publish transparency reports on their AI use. Indeed, in the 2024 proxy season, multiple shareholder proposals asked companies like Apple, Microsoft, and Meta to report on their AI governance, ethical guidelines, and impacts – some earning 40%+ support[61]. Boards should get ahead of this by ensuring that public disclosures (e.g. annual report, sustainability report) discuss the company’s approach to AI opportunities and risks. Any claim the company makes about AI in earnings calls or marketing must be truthful – remember the SEC’s first “AI-washing” enforcement was against a CEO who falsely claimed AI capabilities[62]. To avoid such missteps, board oversight of AI disclosures** is key. The board (or Audit Committee) should review significant AI-related statements and ensure they align with reality. If the company starts branding products as “AI-powered,” directors might even ask for a demo or explanation to see that it’s not vaporware.

On the flip side of disclosure, boards should also consider trade secrecy and IP around AI. Not every detail can or should be made public – there is a balance between transparency and protecting competitive advantage. The board can guide management on where that line lies, and encourage engagement with industry initiatives that develop best-practice reporting formats (like model cards, factsheets, or the OECD’s AI system classification). Regulators might soon mandate specific AI disclosures (for example, the EU AI Act will require providers of high-risk AI to register their systems in an EU database and provide information on risk mitigation[63]). Companies that build good internal documentation now will find it easier to comply and to earn stakeholder trust.

Finally, consider leveraging the burgeoning AI assurance ecosystem. In the UK, the government is explicitly cultivating an AI audit and evaluation industry, noting that a thriving “AI assurance ecosystem” will underpin public trust and even be an economic opportunity akin to the £4 billion UK cybersecurity assurance sector[64][65]. Organizations can pilot new assurance tools – for instance, hiring “red teams” to attack their AI models for vulnerabilities, or using nascent AI audit software that scans for bias or compliance issues. Boards should foster a mindset in management that seeking assurance is not a burden but an investment in confidence. As BSI’s digital director noted, without credible assessment there’s a risk of a wild west with “radically different levels of evaluation” – whereas standardized certification can “differentiate credible AI governance implementations from unchecked claims”[56][66]. In plain terms: assurance builds trust for customers, investors, and business partners. A company that can show, say, an external AI fairness audit certificate or compliance with OECD AI Principles will have a reputational edge. Boards should encourage management to be transparent but not naive: share meaningful information about AI efforts, get independent checks, and be honest about both progress and remaining challenges.

In summary, assurance and disclosure are how boards move from “we hope our AI is okay” to “we know our AI is responsible”. By insisting on audits, certifications, and clear reporting, directors create accountability loops that penetrate the black box mystique of AI. It’s a powerful way to cut through hype – with facts and verification.

Case-Style Vignettes

To illustrate the board oversight challenges around AI, here are three brief case vignettes drawn from real-world scenarios (with identifying details anonymized) – each highlighting lessons for directors:

Case 1: The Biased Recruitment Engine – A large enterprise rolled out an AI tool to screen résumés, aiming to speed up hiring. Within a year, complaints emerged that qualified female applicants were being overlooked. An internal audit confirmed the worst: the AI had “learned” from past hiring data (skewed male) and was systematically downgrading women candidates[30]. The board, blindsided, faced an urgent question: how did this slip through? Post-mortem revealed that no bias testing was done pre-deployment, and reporting to the board had framed the AI as a success (“increased efficiency”) with no mention of demographic impacts. Outcome: The tool was scrapped amid public fallout. The board instituted new approval gates for AI in HR, requiring bias audits and explicit board sign-off before any future algorithm affects employment decisions. Lesson: Even well-intentioned AI can inject hidden bias. Boards must demand rigorous validation of AI that touches personnel or customers, and insist on balanced metrics – not just efficiency gains, but fairness and compliance checks. If a dashboard of AI KPIs had been presented (e.g. selection rates by gender vs. benchmarks), the issue might have been caught early.

Case 2: The $300 Million Algorithmic Bet – A digital platform in the real estate sector developed an AI model to algorithmically purchase and flip homes at scale. The board, enticed by promises of AI-driven growth, approved major capital for this initiative. But the model’s pricing predictions proved aggressively wrong when market conditions shifted. The company ended up with a glut of overvalued inventory, ultimately writing down over $300 million and firing the division’s staff[3]. Outcome: Investors lambasted the board for lack of oversight on this “AI experiment.” In response, the board commissioned an outside review of the fiasco. Findings showed there had been warning signs (the model was often off in certain regions) that management downplayed, and no contingency plan if the model faltered. The board has since added an AI expert advisor to its ranks and requires scenario stress-testing for any AI that can drive major balance-sheet decisions. Lesson: Strategic bets on AI need just as much board scrutiny as any big investment. Directors should press for independent model validation and ask management, “What’s our exit strategy if the AI’s assumptions stop holding?” In this case, a simple sensitivity analysis or pilot phase might have revealed the model’s volatility before it scaled up. Boards must ensure AI projects undergo the same rigor (ROI analysis, risk scenario planning, external due diligence) that a large M&A or CAPEX project would – no exemptions just because it’s AI.

Case 3: The AI Hype that Hooked a Regulator – A fast-growing tech company proudly advertised its new platform as “AI-powered” in investor presentations. Its CEO touted proprietary AI algorithms as a competitive moat. In reality, the platform’s functionality was only partly AI-driven, with much still rules-based or manual. The SEC caught wind of discrepancies and launched an inquiry, suspecting investors had been misled[42]. It turned out certain claims (e.g. “fully automated by AI”) were exaggerated by marketing, and no one in the C-suite or board rigorously vetted these statements. Outcome: The SEC charged the company with misrepresentation (“AI-washing”). The fallout included fines and a hit to credibility. The board responded by implementing a new review process for any external AI claims – basically an AI truth-in-advertising policy requiring General Counsel and CTO sign-off. They also beefed up public disclosures about what their AI actually does, to reset expectations. Lesson: In the age of AI hype, boards must be skeptical of grand claims and ensure honest communication. If “AI” is a selling point, directors should ask for a briefing on how AI is used and its limits. This case underscores that governance of AI includes governance of AI narratives – what the company says about AI can create legal liabilities. A savvy board will verify that marketing’s portrayal of AI matches reality on the ground.

These vignettes underscore a common theme: robust board oversight could have either prevented the issue or mitigated its impact. Biased AI hiring could be caught with proactive audit and reporting; an overzealous AI strategy could be reined in by informed questioning and phased testing; AI marketing spin could be checked by board insistence on integrity. Directors should internalize these cautionary tales. They aren’t sci-fi scenarios but today’s news. As one director quipped, “AI oversight is learned the hard way if not learned the first way.” By anticipating such issues, boards can turn each potential case study into a success story rather than a disaster.

Metrics the Board Should Ask For

One practical way for boards to cut through vague assurances is to demand concrete metrics and key performance indicators (KPIs) on the organization’s AI activities. Just as boards track cyber risk via metrics (like number of incidents, time to patch critical vulnerabilities, etc.), they should establish a dashboard for AI oversight. Here are critical metrics and artifacts directors should consider requesting:

Inventory and Criticality: Number of AI systems in use (enterprise-wide) and how many are classified as “high risk.” For each high-risk AI, boards might see a one-page summary with its purpose, criticality level, and risk owner. (E.g., “AI systems in production: 47; of which 5 deemed high-risk per internal criteria – see risk heatmap.”) This gives a scope of AI footprint.
Performance and Accuracy: Accuracy or error rates of key AI models, ideally segmented by important subgroups or cases. For instance, if an AI is approving loans, what is its false denial rate overall and for protected classes? If a medical AI is detecting tumors, what’s its sensitivity and specificity? The Stanford AI Index reports that while AI adoption is high (78% of organizations used AI in 2024[67]), many struggle to measure AI performance beyond raw accuracy. Boards should push for benchmarking against acceptable thresholds. If an AI fraud detector is only catching 70% of fraud with a false alarm rate of 5%, is that meeting our risk appetite? Trend these metrics over time to catch drift or degradation.
Fairness and Bias Metrics: Relatedly, outcome parity metrics – e.g. disparate impact ratios (the rate of favorable outcomes for minority group vs majority group) in AI-driven decisions. If hiring or credit or healthcare outcomes are produced by AI, boards should see at least annual fairness reports. Metrics like “no significant difference (≤±5%) in loan approval rates by race after controlling for credit score” can indicate fairness[33]. If there is a gap, what mitigation steps are taken?
Incident and Error Tracking: Number of AI incidents or near-misses. Companies should institute internal reporting of AI errors (model gave a clearly wrong output, or a user complaint about an AI decision, etc.). A simple metric: “X AI incidents recorded this quarter, vs Y last quarter; all resolved with no significant harm.” An AI Incident Database analysis found over 600 AI incidents reported publicly in recent years[68] – boards want to ensure none from their company become headline #601. Time-to-detect and time-to-remediate for AI errors are also valuable metrics.
Model Robustness and Security: Adversarial robustness tests passed. For example, “all customer-facing AI models undergo adversarial testing; 92% of tests show model behaves as expected under perturbation; 8% revealed vulnerabilities now being fixed.” If the company runs “red team” exercises on AI, summarize findings to the board (e.g. “no successful manipulation of trading algorithm in latest red team test” or “chatbot content filters caught 95% of disallowed inputs, 5% got through – improving filter rules”).
Compliance and Audit: Percent of AI models that have undergone risk assessment or audit. If you have a policy that every high-risk AI gets an independent review, measure compliance with that. E.g., “100% of AI in HR and Finance audited in last 12 months; 80% of customer-facing AI had third-party bias & privacy review.” Also track closure of audit findings: “of 10 issues identified across AI audits, 9 are closed, 1 in progress.”
Resource and Training Metrics: AI talent and training stats. For example, “Number of employees certified in our internal Responsible AI training: 1,200 (up from 500 last year).” Or “AI governance headcount: 5 dedicated staff in risk management.” This signals investment in oversight capacity.
Value Realization: While risk metrics are vital, boards can also ask for benefit metrics to ensure AI investments are paying off (without hype). E.g., “AI-driven process improvements saved $X this quarter” or “customer satisfaction up by Y% after AI chatbot deployment.” However, tie these to risk metrics (e.g., cost savings achieved while maintaining error rates under threshold Z).

By seeing such metrics regularly, boards gain a fact-based view of AI performance and risk. As one director said, “Show me the data – about your data.” If management cannot produce these numbers, that itself is a red flag indicating immature AI governance. Over time, the board’s goal is to refine the metrics that matter most (just as financial dashboards evolved over years). Initially, even simple counts and qualitative ratings are useful. The key is to start measuring. What gets measured gets managed – and what gets reported to the board really gets attention. In an MIT survey, only 41% of companies said they comprehensively identify and prioritize AI risks[69]. Metrics compel that prioritization. They turn AI from a fuzzy concept into accountable deliverables and limits. Directors should not shy away from asking for quantification of the previously unquantified aspects of AI. Good management will welcome the clarity; poor management will protest “it’s too complex,” which speaks volumes. In short, insist on metrics – they are the board’s window into the AI black box.

Forward Look

AI is a fast-moving target, and board oversight must continuously adapt. Looking ahead 1–3 years, several developments are poised to reshape the board’s AI agenda:

Regulatory Crescendo: By 2025–2026, we’ll see major AI regulations come into force. The EU AI Act’s phased implementation will put teeth into requirements for high-risk AI systems (e.g. mandatory conformity assessments, incident reporting, and a public registry)[63]. Other jurisdictions from Canada to China are introducing AI laws, and the U.S. is hinting at sectoral rules and increased enforcement via existing laws. Boards should anticipate compliance reporting on AI similar to SOX or GDPR – expect management to provide attestations or evidence of AI risk controls to regulators. Smart boards will press for early adoption of these practices (for example, voluntarily adhering to core parts of the AI Act or to ISO 42001 now, to smooth the later mandatory transition). One useful preparatory step: task internal audit or an outside counsel to perform an “AI compliance readiness” review in 2025, highlighting any gaps.

Investor and Stakeholder Expectations: Investor scrutiny of AI governance will intensify. As noted, the 2024 surge in AI-focused shareholder proposals is likely just the beginning[70][29]. Large asset managers and pension funds (e.g. BlackRock, Norges Bank, LGIM) are publishing expectations for how companies should oversee AI[29]. We can expect AI oversight to become a standard part of ESG questionnaires and proxy advisor checklists. In practical terms, by 2026 every large company board may be expected to disclose how it is governing AI – who on the board has expertise, which committee handles it, and what policies exist. Boards should be ready to communicate a credible narrative here. Likewise, stakeholders such as employees and customers will reward companies that use AI ethically. Boards will need to oversee not just risk mitigation but also ethical positioning – ensuring the company’s AI use aligns with its values and brand. (Imagine a scenario where top tech talent asks the board for assurance that the company’s AI products aren’t causing societal harm – not far-fetched as employee activism grows.)

Technological Evolution and Strategy Shifts: Technologically, AI will continue to evolve at breakneck speed – with “frontier AI” models (ever-more general and powerful) and domain-specific AI innovations. This will open new strategic opportunities (and new risks). Boards should encourage a forward-looking AI strategy that’s revisited at least annually. Questions like: How do developments in generative AI or multimodal AI affect our business model? Do we need to invest in AI infrastructure or partnerships to keep up? Conversely, are we prepared for potential disruptions (e.g., a competitor using AI to upend our market)? The board’s role is to ensure the company isn’t caught flat-footed. Governance-wise, directors might consider scenario planning: for instance, if AI enables much more personalized products, is our data governance ready for that scale? If AI automates a chunk of our workforce’s tasks, are we reskilling proactively? The NIST ARIA program (Assessing Risks and Impacts of AI) is developing methodologies for stress-testing AI in society[71] – boards may well be leveraging such tools to inform strategic oversight, asking “what’s our ARIA score?” or similar in a few years.

Board Governance Evolution: Finally, expect boards themselves to formalize AI oversight. Today, relatively few have AI-specific committees or standing agenda items. That will change. By 2026, it wouldn’t be surprising if many boards have, say, a “Technology and AI Committee” (or expanded Audit/Risk charters explicitly mentioning AI). Board education on AI will be ongoing – perhaps even regulatory expectations for director training in AI in high-impact sectors (similar to financial literacy requirements). We might also see cross-company forums of directors on AI governance emerging for sharing practices (NACD and others are already running such workshops). Director liability for AI oversight could also be tested in courts if a major AI failure leads to shareholder lawsuits alleging breach of duty. This is another reason boards will formalize oversight – documenting that they exercised proper diligence on AI decisions.

In sum, the forward look is one of normalization and integration of AI governance into corporate governance at large. The initial Wild West of AI is being tamed by standards, laws, and stakeholder expectations, and boards must be the stewards riding at the front of that effort. Those boards that adapt will help their companies harness AI’s transformative potential safely and profitably. Those that do not may find themselves playing catch-up amidst crises. As the Financial Times opined, when it comes to AI, “Boards that aren’t asking tough questions will have even tougher ones asked of them”. The coming years will validate that sentiment. The time for boards to act is now – decisively and without the hype.

References:

[1] [2] [3] [4] [5] [10] [22] Board Oversight of AI

https://corpgov.law.harvard.edu/2024/09/17/board-oversight-of-ai/

[6] [12] [13] [14] [17] [42] [62] AI: Are Boards Paying Attention?

https://corpgov.law.harvard.edu/2024/07/22/ai-are-boards-paying-attention/

[7] AI principles | OECD

https://www.oecd.org/en/topics/sub-issues/ai-principles.html

[8] [9] [46] [63] Key Takeaways from the UK’s AI Summit: The Bletchley Declaration — Internet & Social Media Law Blog — November 7, 2023

https://www.internetandtechnologylaw.com/ai-summit-bletchley-declaration/

[11] [23] [24] [25] [26] [27] Oversight in the AI Era: Understanding the Audit Committee’s Role

https://corpgov.law.harvard.edu/2025/07/12/oversight-in-the-ai-era-understanding-the-audit-committees-role/

[15] [18] [19] Governance of AI: A Critical Imperative for Today’s Boards

https://corpgov.law.harvard.edu/2025/05/27/governance-of-ai-a-critical-imperative-for-todays-boards-2/

[16] Why AI Illiterate Directors Are The New Liability For Boards Today

https://www.forbes.com/sites/stevenwolfepereira/2025/06/26/why-ai-illiterate-directors-are-the-new-liability-for-boards-today/

[20] [21] [49] Robust AI Governance as a Path to Organisational Resilience

https://www.techuk.org/resource/robust-ai-governance-as-a-path-to-organisational-resilience.html

[28] [29] [43] [44] [45] [61] [70] Unveiling Key Trends in AI Shareholder Proposals

https://corpgov.law.harvard.edu/2024/09/29/unveiling-key-trends-in-ai-shareholder-proposals/

[30] Insight - Amazon scraps secret AI recruiting tool that showed bias against women | Reuters

https://www.reuters.com/article/world/insight-amazon-scraps-secret-ai-recruiting-tool-that-showed-bias-against-women-idUSKCN1MK0AG/

[31] [32] [33] [34] [35] [36] [37] [38] [39] [40] Beyond ISO 42001: The Role of ISO/IEC 23894 in AI Risk Management | by Amitav Mukherjee | Medium