What your board needs to know about AI
Boards are being asked to provide oversight on AI at a moment when most board members lack the background to evaluate what they are hearing. The gap between what boards need to know and what they typically get in management presentations is real and consequential.
By Ramiro Enriquez
Boards are now routinely asked to approve AI investments, oversee AI risk, and evaluate whether management is handling AI competently. Most are doing this without the conceptual framework needed to distinguish a credible AI strategy from a superficially confident presentation.
This is not a failure of board competence. AI is genuinely new, the relevant expertise is concentrated in a narrow part of the talent market, and the vendor ecosystem has strong incentives to produce presentations that sound impressive regardless of underlying substance. The board’s challenge is to ask the right questions and recognize credible versus non-credible answers, even without deep AI expertise.
What boards are actually being asked to oversee
There are three distinct AI-related board responsibilities that are often conflated in management presentations.
The first is strategic direction: is the company investing in the right AI capabilities, at the right scale, with the right timing? This is a judgment call about opportunity and risk that boards are well-positioned to evaluate using frameworks they already have.
The second is risk oversight: what AI-related risks is the company exposed to, and is management handling them adequately? This includes model failure risks, data privacy risks, regulatory risks, vendor concentration risks, and reputational risks from AI that behaves unexpectedly.
The third is execution quality: is management actually building what it says it is building, and is the AI the company deploys working as intended? To evaluate this, boards need context beyond what the management presentation provides.
Conflating these three leads to board meetings where AI is discussed as a single topic when the relevant questions and appropriate board response differ significantly across the three.
Questions that reveal whether an AI strategy is real
Management AI strategy presentations frequently describe what AI could do without clearly articulating what it is doing, what it has achieved, and what the evidence base is. These questions help distinguish what AI could do from what it is demonstrably doing.
What have our AI systems produced that is measurable? Not “what is AI expected to produce” but what has it produced so far. If the answer is entirely forward-looking, the AI program is in an earlier stage than the presentation may suggest.
What is our rate of AI project failure, and what do we do when a project fails? AI projects fail frequently; the question is whether the organization has a healthy process for detecting and learning from failure. A management team that presents only successes is not giving the board an accurate picture; one that acknowledges failure rates and describes what was learned from them is likely to be giving a more accurate one.
What does our AI actually do, at the level of a specific example? Not “AI helps our team work faster” but “this specific system does this specific thing, takes these specific inputs, produces this specific output, and we measure quality by this specific metric.” If management cannot describe a specific AI system at this level, the AI program is less developed than the framing suggests.
How would we know if our AI stopped working or degraded? The answer reveals whether the company has monitoring and observability infrastructure for its AI systems. “We would see it in customer complaints” is a lagging indicator and a weak answer. “We have automated monitoring that alerts when quality metrics fall below threshold” is a strong answer.
What AI risks have materialized so far, and how were they handled? This question has a good answer even if the answer is “none have materialized yet, and here is why we believe that.” If the management team cannot articulate which risks have been monitored and what the findings were, that is informative.
What boards get wrong about AI risk
The most common board error is focusing on speculative long-term AI risks (artificial general intelligence, autonomous systems, existential concerns) while underweighting near-term risks that are already materializing.
The near-term risks that deserve board attention are specific. AI outputs can be confidently wrong in ways that are hard to detect without appropriate monitoring. This creates liability exposure when AI is used in customer-facing decisions, regulatory filings, or internal analyses that drive significant decisions. AI systems trained on historical data produce outputs that reflect that data; if the data has biases or gaps, the AI outputs will too, and the company will be accountable for the downstream effects.
Regulatory risk deserves specific attention. AI-related regulation is evolving rapidly across jurisdictions, and the requirements differ significantly by industry, application type, and geography. Companies that have deployed AI without tracking regulatory requirements in their relevant jurisdictions face significant retroactive compliance work. Boards with regulatory oversight responsibility should ask for a map of where the company’s AI applications intersect with AI-specific regulatory requirements, and the current compliance status for each.
Vendor concentration risk is underappreciated. Many companies have built meaningful dependence on one or two AI providers for capabilities that are now embedded in their products or operations. If one of those providers changes pricing, changes terms, or has a service disruption, the company’s options are constrained by how deeply the dependency runs. Boards should understand the extent of vendor dependencies and whether adequate mitigation exists.
What the board should ask of management
Beyond specific questions, boards can establish structural expectations for how AI is reported.
Request that AI be reported on using the same discipline applied to other major programs: specific metrics, specific investments, specific results, and specific risks with the current mitigation status. An AI update that does not include these elements should be sent back for additional specificity.
Ask for an annual AI risk assessment that covers the categories above: output quality risk, data risk, regulatory risk, and vendor risk. This should include both current exposure and the trend over time.
Request that the internal audit function or a qualified external party review the AI risk management program periodically. The audit scope should include whether the risk management practices in place are appropriate to the risk profile of the company’s AI applications.
The goal is not to slow AI development with excessive oversight. It is to ensure that the oversight that exists is adequate to the risk being taken, which requires boards to understand the risk well enough to evaluate the oversight.