AIRiskAware

This article is currently available in English.

Board Governance 10 min read 2026

What Boards Need to Know About AI Governance in 2026: Director Duties, Liability, and Oversight

AI governance is now a board-level responsibility. Directors who cannot demonstrate meaningful oversight face personal liability exposure, regulatory scrutiny, and institutional investor pressure.

Key Takeaways

  • Director duties of care and diligence apply to AI governance. ASIC has explicitly stated that deploying AI without understanding its risks could constitute a failure of the duty of care — this principle applies under equivalent statutes globally.

  • Institutional investors with ESG mandates are developing AI governance expectations. ISS and Glass Lewis are incorporating AI governance into director evaluation criteria, beginning to affect re-election votes.

  • Boards should understand what AI systems the organisation uses, for what decisions, and what the consequences of failure would be — as a governance-oriented risk view, not a technical inventory.

  • A board-approved AI governance framework is now expected: one that articulates principles, risk categorisation, oversight processes, monitoring, and the approach to ethics.

  • Regular AI risk reporting to boards should cover: significant AI incidents, new AI deployments, audit findings, regulatory developments, and material third-party AI changes. Quarterly is appropriate for most organisations.

  • The EU AI Act, APRA's CPS 230, and FCA's Senior Manager and Certification Regime all create documented board-level accountability for AI governance.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."

Why AI governance is a board matter, not just a management matter

The shift of AI governance from operational to board-level responsibility is being driven by regulators globally, and the expectations are now explicit and testable. In Australia, the Australian Prudential Regulation Authority's letter to industry of 30 April 2026 stated directly that boards are still developing the technical literacy needed to provide effective challenge on AI risks, and that APRA's minimum expectation is that boards have enough AI literacy to set strategic direction and provide meaningful challenge and oversight. In the European Union, the EU AI Act elevates AI governance to board-level responsibility. The Australian Institute of Company Directors (AICD), in its Director's Guide to AI Governance developed with the Human Technology Institute at UTS, frames AI governance as a core governance responsibility requiring the same structured oversight as financial and risk governance.

The legal foundation is existing director duty law. In Australia, section 180 of the Corporations Act 2001 requires directors to act with the care and diligence that a reasonable person in that position would exercise. A director who approves or fails to challenge material AI deployment without understanding the risks, governance framework, or regulatory obligations is exposed under this duty. The same principle applies under section 174 of the UK Companies Act 2006, under Delaware corporate law in the United States, and under equivalent provisions in most jurisdictions.

What boards are required to know and do — jurisdiction by jurisdiction

Australia. APRA-regulated entities (banks, insurers, superannuation funds) face the most specific published expectations. APRA's April 2026 letter requires boards to: set strategic direction for AI; provide effective challenge to management on AI risks; maintain sufficient AI literacy to do so independently of vendor presentations; approve governance frameworks and risk appetite for AI; ensure an AI inventory exists; require human involvement in high-risk AI decisions; and receive regular reporting on AI risk. ASIC's open letter of 8 May 2026 sets equivalent expectations for all financial services licensees: boards and senior executives must understand their organisation's position, ask the right questions, and confirm cyber resilience measures are proportionate. ASIC's October 2024 REP 798 ("Beware the Gap") found that AI governance arrangements across financial services were inadequate even before agentic AI became material.

For ASX-listed companies, AI risk that is material to financial performance or that poses reputational risk triggers continuous disclosure obligations under ASX Listing Rule 3.1. Directors have personal liability for disclosure failures.

European Union. The EU AI Act (Regulation 2024/1689) makes deployers of high-risk AI systems organisationally accountable for compliance. The full requirements for Annex III high-risk AI systems — covering employment, credit, biometrics, education, law enforcement, critical infrastructure, and essential services — apply from 2 December 2027. The Article 50 transparency obligation (disclosure that a system is AI) applies from 2 August 2026. Deployers of high-risk AI must designate a responsible person, conduct Fundamental Rights Impact Assessments (FRIAs), maintain logs, implement human oversight, and report serious incidents. Boards cannot delegate these obligations to management without maintaining oversight accountability.

United Kingdom. The UK's sector-by-sector approach means board obligations derive from sectoral regulators. The Financial Conduct Authority expects boards of FCA-authorised firms to oversee AI risk as part of their Consumer Duty and Operational Resilience obligations. The ICO has issued specific AI guidance for organisations processing personal data using AI systems, including board accountability for data protection by design. The forthcoming AI Opportunities Action Plan and any future AI legislation will layer onto these existing obligations.

United States. Federal and state-level expectations vary by sector. The NIST AI Risk Management Framework is voluntary at the federal level but is referenced in enforcement actions and sector guidance. At the state level, Colorado's SB 205 (effective 1 February 2026), the Texas Responsible AI Governance Act (TRAIGA), and other state AI laws include deployer obligations that boards of companies operating in those states must understand and ensure compliance with.

The eight questions every board should be able to answer

The AICD's Director's Guide to AI Governance and APRA's April 2026 letter together identify a core set of questions that board members should be capable of answering — not as technology experts, but as governance principals responsible for organisational accountability:

1. What AI systems does our organisation use in material business processes, and who is accountable for each? (The AI inventory question — APRA found this absent at several entities.)

2. What is our board-approved AI risk appetite, and how does management report against it?

3. Which of our AI systems could qualify as high-risk under applicable regulation — EU AI Act Annex III, US state laws, APRA's materiality framework — and what compliance programme applies to each?

4. How are we managing AI vendor risk — including fourth-party dependencies — under our third-party risk and procurement frameworks?

5. What is our process for AI incident identification, escalation, and where applicable regulatory notification?

6. Is our board receiving regular, independent (non-vendor) AI risk reporting — and do we have the literacy to challenge it?

7. If one of our material AI systems failed or produced systematic errors at scale, could we stop it, reverse its effects, and continue operating? (The operational resilience question.)

8. How are we building board-level AI literacy — through education independent of vendors and management?

What good board AI governance looks like in practice

Based on regulatory expectations across jurisdictions, effective board AI governance includes four practical components. First, a board-approved AI governance framework — not a technical document but a governance instrument that sets risk appetite, accountability structure, oversight mechanisms, and escalation paths. Second, regular AI risk reporting to the board that is independent of the business units deploying AI — covering the AI inventory, incident pipeline, regulatory compliance status, and emerging risks. Third, board-level AI literacy that is maintained through independent education rather than vendor briefings — directors do not need to understand how a transformer model works but do need to understand what can go wrong, what the regulator expects, and what questions to ask. Fourth, clear accountability at the executive level — a designated senior executive (typically the CRO, CTO, or CISO depending on the organisation) who is personally accountable for the AI risk programme and who reports directly to the board.

Related reading

OECD Corporate Governance