What boards need to understand about AI — and what they do not
The most common mistake in designing board AI governance education is teaching boards how AI works technically. Board directors do not need to understand gradient descent, transformer architectures, or reinforcement learning from human feedback. What they need to understand is how AI creates legal risk, regulatory risk, reputational risk, and operational risk for the organisations they govern — and what governance arrangements adequately manage those risks.
This distinction is not merely pedagogical. Directors who have received extensive technical AI education but have not been taught the governance questions AI creates are no better equipped to discharge their governance responsibilities than directors with no AI education at all. Conversely, directors who understand that AI credit scoring models must be tested for disparate impact, that AI clinical decision support tools have specific regulatory classifications, and that AI-generated customer communications create consumer law obligations can meaningfully oversee AI governance even without technical AI literacy.
The five governance questions every board should ask
Boards assess AI governance through questions. The quality of management responses to good governance questions tells the board more than any board paper — it reveals whether management genuinely understands and manages AI risk or is performing compliance. The five most revealing AI governance questions:
1. What are our ten highest-risk AI systems, and why? A management team that cannot answer this question specifically has not inventoried and classified their AI systems.
2. How do we know when an AI system is failing to perform as intended? A management team that cannot point to specific monitoring processes and thresholds has not implemented operational governance.
3. What is the process for approving a new high-risk AI system? A management team that describes an informal process has not operationalised governance.
4. Have we had any AI-related incidents in the past 12 months, and what did we learn from them? A management team that reports no incidents may have a monitoring gap.
5. Who is personally accountable for our AI governance outcomes — by name? A management team that names a committee or a function rather than a named individual has not established genuine accountability.