Boards Must Act Now on AI Governance, Risk Leaders Say
Boards need to move quickly on three fronts: building AI literacy among directors, establishing clear governance structures, and integrating artificial intelligence into enterprise risk management. The speed of AI deployment has outpaced industry standards and regulatory frameworks, making board-level oversight urgent.
That assessment comes from two executives with decades of experience navigating disruptive change across technology, financial services and manufacturing. Their core argument: AI is fundamentally different from previous innovations because it simultaneously accelerates decision-making and risk accumulation.
Directors Must Use AI Themselves
The most practical first step is straightforward. Directors who have never used AI tools cannot effectively oversee them.
Discussions about model drift, hallucinations or agent misalignment remain abstract without hands-on experience. When the technology is unfamiliar, oversight weakens. Boards should use AI to enhance their own performance: curated briefings tailored to committees, financial analysis, scenario modeling and sharper challenge questions before meetings.
The information gap between management and the board is widening. Management operates inside the company daily. Directors see quarterly snapshots. Secure enterprise AI environments can synthesize board materials, earnings transcripts and historical presentations into searchable knowledge bases that directors query across time, not just quarter by quarter.
Confidentiality is nonnegotiable. Board materials should never go into general-purpose AI tools. Leading boards work with portal providers and IT teams to create secure, access-controlled environments where current and historical materials can be loaded and queried safely.
Build AI Literacy Across the Full Board
Research from MIT found that companies with at least three directors possessing strong technology fluency averaged 10.9 percentage points higher return on equity than industry peers. Three directors were sufficient to shift the culture of inquiry.
The goal should be baseline AI literacy across the entire board. Just as every director can read financial statements while a subset probes accounting complexity more deeply, every director should engage meaningfully in AI discussions. A small number may bring deeper expertise in applying AI or understanding how the technology works.
Boards need "air-to-ground" coverage on critical technologies: some directors focused on strategic implications, others able to examine operational and technical details. This breadth matters because directors must oversee a widening set of technology risks including cybersecurity, tokenization and quantum computing.
Directors do not need to become data scientists. They do need to understand what an AI system is optimized to do and what trade-offs that implies. AI systems behave according to their objective functions. If speed is rewarded over quality, speed will prevail. Boards already understand how incentives shape executive behavior through compensation design. The same scrutiny applies to AI.
Establish Clear Governance Structures
Before discussing strategy or use cases, every board should hold a foundational AI conversation focused on alignment. Key questions: What is our AI governance philosophy? How does it align with strategy and risk appetite? What policies need development or updates? How do we ensure ethical deployment? What metrics should management provide regularly?
AI governance is most effective when viewed as a shared responsibility across the full board and its committees, rather than concentrated in a single forum.
In practice, this may involve:
- The full board maintaining visibility into how AI shapes strategy, enterprise performance, workforce impact and reputational exposure
- The audit committee overseeing internal controls, validation processes and transparency in financial reporting
- The risk committee aligning AI deployment with risk appetite and regulatory expectations
- The compensation committee considering talent strategy, succession planning and incentive structures in human-AI environments
- The governance committee assessing whether director skills and governance documents remain aligned with AI oversight responsibilities
Board and management structures must be aligned with clear decision rights and accountability. Cross-functional AI risk oversight committees are increasingly common at the management level.
Three Policies Need Explicit AI Language
The risk escalation policy should establish clear materiality thresholds and leading indicators that trigger escalation of AI risk exposures to senior management and the board. Criteria must be established in advance so governance is disciplined rather than reactive.
The risk appetite framework should incorporate AI-specific metrics and tolerances aligned with business strategy, use cases and capacity to manage risk.
The risk acceptance policy should formalize exception management when AI exposures exceed approved tolerances.
Boards should also review insurance coverage. Many directors-and-officers (D&O) and cyber insurance policies now contain AI-related exclusions. Affirmative AI coverage should be evaluated rather than assumed.
Report on Four Key Dimensions
AI inventory. A centralized view of systems, models and agents in use, including purpose, business ownership, data sources, guardrails and risk classification.
Development and deployment. Indicators of adoption and scaling such as usage levels, token volume, cost per token and compute consumption.
Risk and control metrics. Results from red teaming and controls testing, model accuracy and drift monitoring, hallucination rates, fairness assessments and third-party risk exposures.
Outcome-based performance measures. AI-related return on investment, productivity improvements, cost efficiency and customer experience indicators.
Given the scale of capital committed to AI, ROI discipline is a fiduciary obligation, not an afterthought. Boards should also monitor external signals and industry benchmarks. The MIT AI Risk Repository documents more than 1,300 AI-related incidents over the past decade, highlighting recurring patterns and emerging risks.
Transform ERM Into a Strategic Asset
Many organizations still rely on 1-to-5 risk ratings, heat maps and siloed risk systems. These practices are no longer sufficient. AI and enterprise risk management are a natural fit with significant opportunities to improve business performance.
ERM is not about risk avoidance. Companies must take risk to create value. The core objective is to minimize unexpected performance variance across the organization. For public companies, that typically means minimizing unexpected earnings variance relative to guidance.
A mid-sized bank's chief risk officer had never analyzed the correlation between credit risk and interest rate risk because the two functions operated in separate silos. An AI system integrating both datasets produced a structured correlation analysis across economic cycles within minutes - a previously unexamined risk dynamic.
That is the real opportunity: not automating existing processes, but revealing what organizations cannot yet see.
Agentic ERM Creates Continuous Oversight
Before its acquisition by Morgan Stanley, E*TRADE produced a quarterly board report quantifying unexpected earnings variance with a 20% tolerance threshold. The analysis integrated earnings-at-risk models with financial attribution analysis, creating a performance feedback loop for the overall ERM program.
The process was episodic and required significant manual coordination between the chief risk officer and CFO teams. Agentic AI can make this framework continuous, integrated and automated.
An agentic ERM architecture can ingest structured and unstructured data in real time, integrate risk models across domains, run scenario analysis dynamically and trigger alerts as risk exposures approach tolerance thresholds.
Digital twins powered by the same architecture can model enterprise risk portfolios in real time. Second- and third-order effects of strategic decisions become visible rather than speculative. The cost of digital twin technology has declined rapidly, making this capability increasingly accessible beyond the largest institutions.
Machine learning systems continuously evaluate which data sources and analytical models improve predictive accuracy. Models that improve forecast accuracy are reinforced. Those that add noise are recalibrated or retired. Over time, ERM evolves from a reporting function to a self-improving performance management system.
AI also acts as an early warning system, surfacing early signals in large datasets before they become significant events. Traditional ERM performs well in the middle of the risk distribution but struggles at the tails - the visible risks few prepare for and genuine black swans that historical data does not capture.
AI does not replace judgment. It amplifies it. Leaders must define objective functions, establish safeguards and validate data and models. Human oversight remains essential. Boards that use AI effectively, govern it rigorously and integrate it into ERM will reduce downside risk, improve decision quality, strengthen capital allocation and enhance long-term enterprise value.