Board directors are not expected to become AI engineers. They are expected to govern AI responsibly — and right now, most boards are not equipped to do so. A 2025 NACD survey found that only 24% of board directors feel confident in their understanding of AI risks and opportunities. Yet every organisation they oversee is already using AI, whether sanctioned or not.
The gap between AI adoption and board oversight is a governance failure waiting to happen. This guide is written for non-executive directors, chairs, and board committee members who need to fulfil their fiduciary duties in an era where AI is reshaping risk, strategy, and compliance.
Key takeaways
- AI oversight is now a core fiduciary duty — directors who ignore it risk personal liability and organisational harm
- Only 24% of board directors feel confident in their AI knowledge, yet 78% of enterprises have deployed AI tools
- The EU AI Act imposes direct compliance obligations that boards must oversee, with penalties of up to 7% of global turnover for prohibited practices and up to 3% for most other violations
- Effective board AI governance requires asking the right questions, not becoming technical experts
- AI literacy at board level correlates with stronger risk management and faster strategic decision-making
AI oversight as a fiduciary duty
Fiduciary duty has always required directors to exercise informed judgement about material risks and strategic opportunities. AI now qualifies as both. When an organisation deploys AI in hiring decisions, customer interactions, financial modelling, or regulatory reporting, the board has a duty of care to understand what is being deployed, how it is governed, and what could go wrong.
This is not theoretical. In 2025, multiple regulatory bodies — including the UK Financial Conduct Authority and the European Banking Authority — issued guidance explicitly stating that board-level AI oversight is expected. Directors who cannot demonstrate they have exercised reasonable diligence over AI deployments face increasing exposure.
24%
of board directors feel confident in their understanding of AI risks and opportunities — leaving the vast majority governing AI without adequate knowledge
Source: NACD Director AI Readiness Survey, 2025
The duty extends beyond risk avoidance. A board that never evaluates AI's strategic potential also falls short of its duty of care. If competitors are using AI to reduce costs by 20%, accelerate product development, or improve customer retention, a board that has not assessed those opportunities cannot show that it made an informed decision to forgo them.
The five questions every board must ask about AI
Board directors do not need to understand how large language models work. They need to ask the right questions — and recognise when the answers are inadequate. Here are the five questions that should appear on every board agenda:
1. Where is AI being used in our organisation — and where is it being used without approval?
Most boards receive updates on sanctioned AI projects. Few have visibility into shadow AI: the tools employees adopt independently, feeding company data into them without IT approval, security review, or contractual safeguards. A 2025 Salesforce study found that 55% of enterprise AI use occurs outside official channels. Each unsanctioned tool is a potential leak of confidential or personal data to a third party the organisation has never assessed. If your management team cannot answer this question precisely, your organisation has an ungoverned risk.
2. What are our highest-risk AI applications?
Not all AI use carries equal risk. A marketing team using AI to draft social media posts is fundamentally different from an HR department using AI to screen job candidates, or a finance team using AI to generate regulatory filings. High-risk applications require stronger governance, more rigorous testing, and in many jurisdictions, specific compliance measures. The EU AI Act, for example, lists recruitment screening and creditworthiness assessment among its high-risk use cases (Annex III). Your AI risk assessment framework should categorise every AI deployment by risk level, and the categories should map onto the regulatory tiers that apply to you.
3. Are we compliant with applicable AI regulations?
The EU AI Act is the most comprehensive AI regulation globally, but it is far from the only one. The UK is developing sector-specific AI regulation. The US has executive orders and state-level legislation. Organisations operating across borders face overlapping requirements. Boards must ensure management has mapped applicable regulations, assessed compliance gaps, and allocated resources to close them. Article 4 of the EU AI Act, for instance, requires providers and deployers to take measures to ensure a sufficient level of AI literacy among staff and others who operate or use AI systems on their behalf. That obligation has applied since 2 February 2025, and many boards have not yet addressed it.
4. Do we have a functioning AI governance framework?
A policy document is not governance. Functioning AI governance means clear accountability (who approves new AI deployments, and who can pause or withdraw one?), active monitoring (how are AI outputs being validated, and against what?), incident response (what happens when AI produces harmful, incorrect, or leaked outputs?), and documentation (can we demonstrate compliance to regulators?). Boards should request evidence that governance is operational, not aspirational: approval records, monitoring reports, and incident logs, not just the policy itself.
5. Is our workforce AI-ready?
The most sophisticated AI strategy fails if the workforce cannot execute it. Board directors should understand the organisation’s AI skills gap — how many employees can use AI tools competently, how many have received structured training, and whether the organisation’s AI competency framework is producing measurable improvements. Workforce readiness is both a strategic enabler and a compliance requirement under the EU AI Act.
Directors bear personal responsibility for governance failures. As AI regulation tightens across jurisdictions, boards that cannot demonstrate active AI oversight face not only organisational penalties but potential individual liability. The time to establish board-level AI governance is before the regulator asks for evidence of it.
Building AI literacy at board level
Board AI literacy does not mean every director must understand transformer architectures or fine-tuning techniques. It means understanding AI’s capabilities and limitations well enough to ask informed questions, challenge management assumptions, and evaluate risk.
Practical steps to build board AI literacy include:
- Dedicated board briefings. Schedule quarterly AI briefings from the Chief AI Officer, CTO, or external advisors. Focus on business impact and risk, not technology demonstrations.
- Hands-on experience. Directors who have personally used AI tools, even for simple tasks like summarising documents or analysing data, are better placed to judge what the tools can and cannot do. Consider offering board members access to approved AI tools with guided exercises.
- External benchmarking. Compare your organisation's AI maturity against peers using structured frameworks such as ISO/IEC 42001 (AI management systems) or the NIST AI Risk Management Framework. This provides objective context for board discussions.
- Committee structure. Consider whether AI oversight sits within the existing risk committee, the audit committee, or requires a dedicated technology and AI committee. The answer depends on your organisation’s AI exposure and industry.
78%
of enterprises have deployed AI tools across business functions, yet fewer than one in three have board-level AI oversight mechanisms in place
Source: Gartner Board of Directors Survey, 2025
AI compliance obligations boards cannot ignore
Regulatory compliance is the area where board oversight has the most immediate consequences. Three compliance domains demand particular attention:
EU AI Act. Phased implementation is underway: the Article 4 AI literacy obligation and the bans on prohibited practices have applied since 2 February 2025, most remaining obligations apply from 2 August 2026, and some high-risk obligations for AI embedded in regulated products follow in 2027. Boards must ensure their organisations have classified AI systems by risk level, implemented required governance for high-risk systems, and established AI literacy programmes as required by Article 4. Penalties are tiered: up to 7% of global annual turnover or EUR 35 million for prohibited practices, and up to 3% or EUR 15 million for most other violations, in each case whichever is higher.
Data protection. AI systems process vast quantities of data, often including personal data subject to GDPR and equivalent regulations. Boards must ensure that AI deployments have lawful bases for data processing, that data protection impact assessments have been conducted for high-risk processing, and that individuals' rights are respected when AI is used in decisions that affect them, including the GDPR right not to be subject to solely automated decisions with legal or similarly significant effects.
Sector-specific regulation. Financial services, healthcare, and other regulated industries face additional AI-specific requirements from their sectoral regulators. The board’s risk committee should maintain a current map of all applicable AI regulations and the organisation’s compliance status against each.
Structuring effective board AI oversight
Governance without structure is just good intentions. Effective board AI oversight requires:
Regular reporting. AI should be a standing board agenda item, not an annual deep-dive. Management should report quarterly on: AI deployments and their business impact, risk incidents and near-misses, compliance status against applicable regulations, workforce AI readiness metrics, and investment versus planned returns. The CEO guide to AI transformation provides a framework for executive-to-board reporting.
Clear escalation criteria. Define which AI decisions require board approval versus management authority. At minimum, boards should approve: AI deployments in high-risk categories (hiring, credit, healthcare), AI expenditure above defined thresholds, changes to AI governance policies, and responses to AI-related regulatory actions.
Independent assurance. Just as boards commission external audits for financial reporting, consider independent assessment of AI governance, compliance, and risk management. This provides assurance that management’s reporting is accurate and complete.
Skills on the board. Ensure at least one or two directors have sufficient AI or technology expertise to probe management’s proposals and challenge assumptions effectively. This does not require a computer scientist — a director with experience leading digital transformation or managing technology risk can fulfil this role.
Start with a board AI maturity self-assessment. Rate your board’s current capability across five dimensions: AI literacy, governance structure, risk oversight, compliance monitoring, and strategic engagement. Identify the two weakest areas and address them within the next quarter. Progress, not perfection, is the objective.
Where to start as a board director
If you are a director reading this and unsure where to begin, here are five actions for your next board cycle:
- Request a shadow AI audit. Ask management to map all AI tools in use across the organisation, sanctioned and unsanctioned, including AI features switched on inside existing SaaS products, within 30 days.
- Review your AI governance framework. If one exists, assess whether it is operational or merely documented. If none exists, commission its development as a priority.
- Map regulatory exposure. Ensure the organisation has identified all applicable AI regulations and assessed compliance gaps, particularly under the EU AI Act.
- Assess board AI literacy. Honestly evaluate whether your board has sufficient AI knowledge to govern effectively. Schedule briefings or training to close gaps.
- Add AI to the standing agenda. Make AI governance a recurring board item with standardised reporting from management.
Equip your board and workforce for AI
Brain is the AI readiness platform that helps organisations build AI literacy from the boardroom to the front line. Role-specific training covering AI tools, prompt engineering, output verification, and EU AI Act compliance — with a governance dashboard that documents capability development across your entire workforce. Give your board the confidence that AI readiness is being built systematically. Explore our plans.