AI in the Boardroom: What Directors Must Now Govern

The boardroom debate over artificial intelligence has entered a new phase. For two years the question in most board packs was whether to experiment at all. That question has been settled. As companies move beyond pilots and proofs of concept and push AI into pricing, planning, customer service, finance and product, the harder questions have landed on the board's table: who is accountable when an AI-enabled decision goes wrong, how should directors oversee AI-driven strategy and cyber risk, and what kind of AI expertise actually belongs in the boardroom.

AI in the Boardroom: What Directors Must Now Govern - Richard Keenlyside, Fractional CIO, CTO and CISO
AI in the Boardroom: What Directors Must Now Govern

I have sat on and reported to boards through more than one technology shift, from the arrival of eCommerce to cloud, cyber and now AI. The pattern repeats. The technology matures faster than the governance around it, and the gap between the two is where value leaks and reputations are lost. AI is a sharper version of that same problem, because it touches strategy, risk and workforce all at once.

This piece is written for the people who carry the fiduciary duty, not for the engineers building the models: chairs, chief executives, non-executive directors and private equity operating partners who now have to govern something most of them were never trained to oversee.

The debate has moved from whether to how

The shift is visible in the numbers. Research published in 2026 by ISS-Corporate found that only around a fifth of S&P 500 companies had disclosed board oversight of AI, and the figure across the wider Russell 3000 was far lower still. KPMG and INSEAD, launching their AI Governance Principles for Boards in April 2026, reported that nearly three-quarters of boards are perceived to have only moderate or limited AI expertise. Adoption is running well ahead of oversight.

That mismatch is the real story. Boards are not behind on using AI. They are behind on governing it. And those are two very different responsibilities.

Using AI is not the same as governing it

Plenty of directors now use AI tools to summarise board papers, model scenarios or prepare for a meeting. That is adoption, and it is useful. It is not governance.

Governance is the board's duty to oversee how the whole organisation deploys AI: whether it is used responsibly, whether the risks are understood and controlled, and whether the outcomes serve the company's strategy and its shareholders. A board can be fluent in using a co-pilot and still have no grip on the pricing algorithm quietly shaping revenue, or the AI embedded in a supplier's platform. The convenience of the tool tells you nothing about the control of the estate.

What directors are now being asked to oversee

AI does not change the board's fundamental duties. The duty of care, the oversight of risk and the stewardship of long-term value are unchanged. What changes is how those duties have to be discharged. Three areas now demand direct board attention.

AI-enabled strategy

AI is no longer a line item under IT. It is increasingly the connective tissue running through strategy, competitive positioning and the operating model itself. Boards should be asking where AI genuinely creates advantage, where it is being adopted for the sake of appearances, and what the business would look like if a competitor moved faster. That is a strategy conversation, and it belongs to the full board, not delegated wholesale to management or to a single committee.

Cyber and third-party risk

AI widens the attack surface and complicates the supply chain at the same time. Sensitive data flows into models. Third-party AI is embedded in tools the board has never formally approved. Staff use public AI systems with company information because no governed alternative exists. I have led board-level cyber risk programmes across private equity portfolio companies and outsourced security operations to strengthen oversight, and the lesson holds here: the risk you cannot see on a board report is the one that hurts you. AI oversight and cyber oversight are now the same conversation, and directors should insist on incidents being prioritised by business impact, not technical severity alone.

Accountability and the audit trail

The uncomfortable question every board must be able to answer is simple. When an AI-influenced decision causes harm, who is accountable, and can we show how the decision was made? Accountability for AI cannot be transferred to a model or a vendor. It stays with the humans who deploy it and, ultimately, with the board that oversees them. That means clear ownership, traceable decisions and an audit trail that a regulator or an investor could follow. In the United States, commentators are already framing AI oversight against established directors' duties; in the UK and Europe the regulatory direction is the same, moving from voluntary principles towards enforceable expectations. Boards that build the accountability structures now will not be scrambling to retrofit them later.

The expertise gap on the board

Here is the finding that should give every nomination committee pause. The same 2026 ISS research found that only about 16 per cent of the companies reviewed disclosed even a single director with specialised AI skills, and that this expertise was heavily concentrated in a handful of technology and industrial sectors. Fewer still, roughly one in twenty-five, had two or more AI-literate directors. The overwhelming majority of boards are relying on a single "lone expert", or on no expert at all.

That is a fragile position. A lone expert becomes a single point of failure and, worse, a reason for the rest of the board to disengage from a subject they should all be able to challenge. AI oversight cannot be the responsibility of one director any more than financial oversight is the sole responsibility of the person who happens to be an accountant.

What kind of AI expertise belongs in the boardroom

The instinct to appoint a data scientist to the board is usually the wrong one. Boards do not need directors who can build models. They need directors who can govern them.

The expertise that matters at board level is the ability to ask the right questions, read the risk, and connect AI decisions back to strategy, cost and controls. It is judgement, not code. In practice, three things close the gap.

First, raise the AI literacy of the whole board, not one member of it. A standing education programme, tied to the annual governance review, keeps directors current enough to challenge management without pretending to match them technically. The aim is directors who know what to ask, what a good answer looks like, and where the failure modes lie.

Second, update the board skills matrix deliberately. Treat AI and technology fluency as a competency the board plans for, the way it plans for financial or sector expertise, rather than something it hopes turns up in the next appointment.

Third, bring in seasoned oversight capability where the board lacks it, without waiting for a permanent hire. This is precisely where a fractional or advisory technology executive earns their place: someone who has governed AI, cyber and transformation at board level across multiple businesses, who can sit alongside the board, sharpen the questions, stress-test management's answers and lift the literacy of every director in the room. It is the fastest way to move from a lone expert to a genuinely capable board, and it costs a fraction of a full-time appointment.

A practical starting point

Boards that want to close the gap quickly can begin with a short, unglamorous set of moves:

  • Commission an honest assessment of where AI is already in use across the business, including in third-party tools, and what risk each use carries.
  • Decide where AI oversight sits: full board for strategy, audit and risk committees for controls and assurance, with the interfaces between them made explicit.
  • Establish clear accountability, a usable policy and an audit trail before scaling, not after.
  • Put a board education programme and an updated skills matrix in place, so oversight keeps pace with adoption.
  • Rehearse failure. Run a tabletop exercise where an AI system gives flawed strategic advice or leaks data, and see whether your governance actually holds.

None of this requires the board to become technical. It requires the board to be disciplined, in exactly the way it already is with finance and cyber.

Frequently asked questions

Does a board need a technical AI expert as a director?

Not usually. Boards need directors who can govern AI, not build it: people who can ask the right questions, read the risk and tie AI decisions to strategy and controls. Deep technical skill sits with management. What the board needs is broad AI literacy across all directors, supported where necessary by an experienced advisor.

Who is accountable when an AI-enabled decision goes wrong?

Accountability stays with the humans who deploy the system and, ultimately, with the board that oversees them. It cannot be transferred to a model or a vendor. That is why clear ownership, traceable decisions and an audit trail matter before AI is scaled.

How is AI oversight different from ordinary IT oversight?

AI reaches into strategy, workforce and risk simultaneously, and it often operates invisibly inside dashboards, pricing engines and supplier platforms. It cannot be treated as another IT project delegated below board level. It demands the same board discipline applied to finance and cyber, with explicit accountability and reporting.

Should AI oversight sit with the audit committee, the risk committee, or the full board?

Both, with clear interfaces. Strategy and the biggest questions belong to the full board. Controls, assurance and the audit trail can sit with audit and risk committees. What matters is that nothing falls through the gap between them and that the board sees AI risk prioritised by business impact.

How can a board build AI capability without a full-time hire?

A fractional or advisory technology executive who has governed AI, cyber and transformation at board level can embed alongside the board, raise the literacy of every director, and strengthen oversight immediately, at a fraction of the cost and risk of a permanent appointment.

Governing AI is a board discipline, not a technical one

The boardroom debate over AI has matured from novelty to duty. Directors do not need to become technologists. They need to govern AI with the same seriousness they already bring to finance, cyber and risk: clear accountability, informed oversight, and enough literacy across the whole board to challenge management well. The organisations that treat this as a board discipline now will be the ones still standing, and still trusted, when the regulation and the scrutiny arrive in full.

If your board is carrying AI oversight on a single expert, or none, and you want that gap closed properly, book a confidential conversation. I work with boards and private equity backers as a fractional Chief AI Officer and technology advisor, and specifically with PE-backed portfolio companies, to turn AI from an ungoverned risk into a governed source of value.