AI on the board agenda: oversight without theatre

Board oversight of AI is becoming a regulatory and fiduciary expectation. Done well it sharpens the business. Done badly it produces glossy slides and no meaningful decisions.

Michael McCarroll · 13 min read · Updated June 2026

Why this is a board topic now

Regulators in multiple jurisdictions are converging on the view that AI risk is enterprise risk and that the board is responsible for its oversight. The UK Corporate Governance Code's emphasis on emerging risk, the EU AI Act's accountability obligations on deployers, and the SEC's expectations on material-risk disclosure all push in the same direction (FRC 2024; European Parliament 2024; SEC 2023). Boards that treat AI as an operational matter for management alone are increasingly out of step.

The reasonable counter-argument — we are not technologists — is true and irrelevant. Boards do not need to be technologists to govern AI any more than they needed to be accountants to govern finance. They need a small set of well-chosen questions and a habit of asking them.

Five questions every board should ask

The five questions below, asked routinely and answered with evidence, cover the substance of AI oversight.

  1. Do we know what AI we use? A current inventory of AI systems, with owners and risk classifications. Absence of the inventory is itself a finding.
  2. Who is accountable? For each material AI system, the named accountable executive and the named accountable risk owner.
  3. What risks have we accepted, and on whose authority? The risks accepted, the rationale, the date and the signatory. Risk acceptance is a deliberate act.
  4. How would we know if something went wrong? The metrics, the monitoring rhythm, the incident criteria and the escalation path. If the honest answer is that customers would tell us, record that as the finding: it means there is no detection capability of our own.
  5. What changed since last meeting? New systems, retired systems, material incidents, regulator developments. The delta is where the risk lives.

Three artefacts the board needs

A board cannot govern from a verbal update. Three artefacts, kept current, give it what it needs.

The AI register. One row per AI system in production or active pilot. Columns for owner, business purpose, data categories, supplier stack, risk classification, control set and last review date. The board does not read every row; it reads the count, the distribution and the exceptions.
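The three things the board reads from the register (the count, the distribution and the exceptions) can be computed mechanically once the register is structured. The following is an added example, not code from the page or from any product it mentions: it models one row per system with the columns listed above and flags the rows a board should see, assuming a 90-day review cadence and a three-level risk classification, both of which are this example's assumptions rather than anything the article specifies. The sample register is constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed review cadence in days; the article fixes no interval, 90 is illustrative.
REVIEW_INTERVAL_DAYS = 90

# Assumed risk classification scheme; substitute the organisation's own.
RISK_CLASSES = ("low", "medium", "high")


@dataclass(frozen=True)
class AISystem:
    """One row of the AI register, with the columns the article lists."""
    name: str
    owner: str                   # named accountable executive; "" if unassigned
    purpose: str
    data_categories: tuple       # e.g. ("personal", "financial")
    supplier_stack: tuple        # e.g. ("vendor-llm", "cloud-provider")
    risk_class: str              # one of RISK_CLASSES; "" if not yet classified
    controls: tuple              # identifiers of the controls applied
    last_review: Optional[date]  # None if the row has never been reviewed
    status: str                  # "production" or "pilot"


def row_exceptions(system: AISystem, today: date) -> list:
    """Reasons this row belongs in the exception list the board reads."""
    reasons = []
    if not system.owner:
        reasons.append("no accountable owner")
    if system.risk_class not in RISK_CLASSES:
        reasons.append("unclassified")
    if system.risk_class == "high" and not system.controls:
        reasons.append("high risk with no control set")
    if system.last_review is None:
        reasons.append("never reviewed")
    elif (today - system.last_review).days > REVIEW_INTERVAL_DAYS:
        reasons.append("review overdue")
    return reasons


def board_summary(register: list, today: date) -> dict:
    """Count, distribution and exceptions; an empty register is itself a finding."""
    if not register:
        return {"count": 0, "by_risk": {}, "by_status": {},
                "exceptions": {"register": ["no inventory: this is itself a finding"]}}
    return {
        "count": len(register),
        "by_risk": dict(Counter(s.risk_class or "unclassified" for s in register)),
        "by_status": dict(Counter(s.status for s in register)),
        "exceptions": {
            s.name: reasons
            for s in register
            if (reasons := row_exceptions(s, today))
        },
    }


# Constructed sample register: one clean row, one badly governed row, one pilot.
TODAY = date(2026, 6, 1)
SAMPLE_REGISTER = [
    AISystem("support-triage", "Head of CX", "route support tickets",
             ("customer contact",), ("vendor-llm",), "medium",
             ("C-01", "C-04"), date(2026, 5, 10), "production"),
    AISystem("cv-screener", "", "rank job applicants",
             ("personal",), ("in-house",), "high",
             (), date(2026, 1, 15), "production"),
    AISystem("doc-summariser", "CIO", "summarise internal documents",
             ("internal",), ("vendor-llm",), "",
             ("C-01",), None, "pilot"),
]

if __name__ == "__main__":
    for key, value in board_summary(SAMPLE_REGISTER, TODAY).items():
        print(f"{key}: {value}")
```

The exception rules are deliberately few and mechanical, so that an executive can say in the meeting why each row is listed without consulting notes; the judgement calls (whether the classification is right, whether the accepted risk still stands) remain with the people in the room.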

The AI risk heatmap. A visual that locates each material AI risk on likelihood and impact, with treatment status. The board's job is to interrogate the top-right corner, the high-likelihood, high-impact cell, and to ask for each risk there why it is still there and who accepted it.

The incident summary. A short list of incidents since the last meeting, with categories, root causes and the actions taken. Even a list of zero is informative if the organisation has the detection capability to populate it.

The trap of oversight theatre

The most common failure of board AI oversight is the production of impressive but uninformative packs. A 40-page AI strategy that arrives the night before a meeting is not oversight; it is paperwork. Oversight is the moment a non-executive director asks why a particular risk has been accepted, and an executive answers without consulting notes.

Recovery from oversight theatre takes deliberate work: reducing the pack, raising the quality of the conversation, and inviting management to bring decisions rather than updates. The reward is a board that adds judgement to the organisation's AI posture, not just signatures.

References

  • European Parliament (2024) Regulation (EU) 2024/1689 (Artificial Intelligence Act). Official Journal of the European Union.
  • Financial Reporting Council (2024) UK Corporate Governance Code. London: FRC.
  • ISO/IEC (2023) ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system. Geneva: ISO/IEC.
  • Securities and Exchange Commission (2023) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Release No. 33-11216). Washington, DC: SEC.

Give your board the artefacts that make oversight real

ISO-STANDARD.app produces the AI register, the risk heatmap and the incident summary your board needs — current, evidenced and ready for the next meeting.

ISO-STANDARD.app ships a ready-to-adopt ISO 42001 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.
