Getting serious about AI risk

Getting serious about AI risk – an AI governance education guide helping you turn principle into practice for this crucial boardroom topic. 

Think back to boardroom agendas five years ago and compare them to now. Does it shock you how fast AI has made inroads in that time? If so, you’re not alone. Most companies now recognise that it’s the operating system for modern business, but struggle to understand how it gained that status so fast.

Ultimately, as long as it’s managed correctly, it will create value. That said, the risk attached to it should never be ignored. Anyone who has worked on AI implementation will tell you that it comes with real dangers of reputational damage, regulatory penalties, and operational resilience failure if you don’t give it the respect it deserves. 

The only sensible option is to ensure your board is as serious as possible about AI risk now. It’s a future-proofing strategy you can’t afford to live without.

First off, even diligent directors will find AI challenging. After all, almost every director won’t have learned how to manage AI in school, college, or even the upskilling courses they’ve completed throughout their career. 

It doesn’t matter, though;  AI still carries risk that you need to be serious about. So, while it can be daunting, it’s possible to take on. Here are the five most effective ways to do it: 

1. Demand a dedicated AI governance framework
   Ad hoc policies, something you’ve thrown together in 15 minutes, just won’t do. Boards must ensure management adopts a recognised standard, such as ISO 42001 or the NIST AI Risk Management Framework. This provides a structured “three lines of defence” approach to AI, ensuring that development, deployment, and monitoring follow a consistent, rigorous logic.
2. Define the risk appetite explicitly
   Risk management doesn’t work if the business doesn’t know what risk it’s prepared to take and what it’s not. That’s why directors need to sit down and think broadly. Incorporate everything, and use your collective intelligence to decide what’s worth what. This appetite statement acts as the guardrails for the executive team.
3. Audit the supply chain, not just the AI in front of you
   Many firms will eventually end up outsourcing some of their AI capabilities. While it’s tempting to think that means you can wash your hands of some risk management, think again. Today’s business regulations are all about ensuring companies take responsibility for everything in their supply chain. It’s no different here. The board must therefore scrutinise third-party risk management. If your vendor’s AI hallucinates or discriminates, it is your brand on the chopping block. Due diligence must extend to the model providers and data processors you rely on.
4. Mandate ‘human-in-the-loop’ protocols
   For high-stakes decisions—hiring, lending, medical diagnosis—automation cannot be absolute. Boards should require evidence of human oversight mechanisms. Who signs off on the AI’s decision? Who is accountable when the model drifts? If there isn’t a human to hold responsible, the governance is failing.

Establish continuous monitoring metrics
AI models degrade; they are not “set and forget” assets. The board pack should include KPIs specifically regarding model performance, fairness, and data integrity. If the board isn’t seeing a dashboard on how the AI is behaving, they are flying blind.

That’s natural. In fact, it’s expected. No stakeholder will look down on your board for lacking AI experience, they’ll only look down on your board if you’re not pursuing AI experience. 

You can reach this goal with a two-pronged strategy:

• Aggressive upskilling: Dedicated training on AI ethics, regulatory landscapes (like the EU AI Act), and technical basics is essential. The goal isn’t to learn to code; it’s to learn to ask the right questions.

Strategic recruitment: It is time to look at the composition of the board. If your matrix is heavy on finance and legal but light on digital, your risk radar is off. Networking for fresh recruitment must focus on “digital directors”—individuals who have battle scars from technology implementation and can translate technical risk into business language.

There is a tempting trap in corporate governance: the desire to relegate AI risk to the technology sub-committee or the IT department. This is a dereliction of duty.

While the technical team manages the implementation, the board owns the risk. When an algorithm denies a loan based on biased data, or a generative AI leaks trade secrets, the shareholders and regulators will not call the IT manager; they will call the Chair.

AI risk is a material business risk. It impacts strategy, reputation, and solvency. As such, it demands active, inquisitive, and robust engagement from every single member of the board. It is time to treat it with the seriousness it deserves.