How to use this guide
Each question below is paired with an example of a good answer (one that suggests genuine governance is in place), an example of a concerning answer (one that suggests governance gaps), and an explanation of why the concerning answer matters. These are not trick questions; management with robust AI governance should be able to answer all twelve with specificity.
1. Who is specifically accountable for AI risk in this organisation?
This is the foundational question. Accountability must be assigned to a named individual, not a committee, not a team, not a title.
Good answer: "The Chief Risk Officer has named AI risk within their accountability framework, with the Head of Technology accountable for technical AI controls. Both report to the board risk committee quarterly."
Concerning answer: "There are several teams involved. IT, legal, and the business units each have responsibility for their areas."
Why it matters: Shared accountability is no accountability. When something goes wrong, the absence of a named owner creates both operational confusion and legal exposure for the board.
2. Can management provide a complete inventory of AI systems in use?
You cannot govern what you cannot see. Shadow AI is endemic. An AI system inventory is the baseline for all governance.
Good answer: "We maintain a register of 47 AI systems in production, covering purpose, data inputs, risk classification, and named owner. It was last reviewed six weeks ago."
Concerning answer: "We have a good picture of the major systems. There may be some departmental tools we're not fully across."
Why it matters: "Some departmental tools we're not fully across" is where the data breaches, regulatory violations, and reputational incidents are hiding.
3. What is our risk classification for each AI system, and what controls does that classification trigger?
Not all AI systems carry equal risk. Boards should understand whether management has a coherent approach to risk classification.
Good answer: "We use a three-tier classification: High Risk (requires human review, full documentation, quarterly validation), Elevated Risk (human spot-checks, annual review), Standard Risk (standard monitoring). Eight systems are classified High Risk."
Concerning answer: "We assess risk case by case."
Why it matters: "Case by case" with no documented framework means there are no consistent standards and no way to audit assessments.
4. Where is AI making or significantly influencing decisions about individuals?
The most significant AI risk concentrations are in consequential decision-making: employment, credit, healthcare, benefits. Boards should know exactly where AI touches decisions affecting people's lives, and whether human review exists.
Good answer: "AI influences initial screening in our recruitment process and portfolio risk assessment. Both have mandatory human review before any decision proceeds. The reviewer must document the basis for any departure from AI recommendations."
Concerning answer: "The AI makes recommendations which the team can accept or modify."
Why it matters: If the team "can" override but there's no requirement, no documentation, and no accountability, the human oversight is nominal, not real.
5. What regulatory obligations apply to our AI systems, and what is our current compliance status?
The EU AI Act imposes mandatory requirements with penalties up to €35M or 7% of global turnover. Australian privacy amendments take effect December 2026. US state laws are now in force. Boards need to know which obligations apply.
Good answer: "We have mapped our AI systems against the EU AI Act. Of our 47 systems, six fall within Annex III high-risk categories. Three have completed conformity assessment; two are in progress; one is being reviewed for decommissioning. The analysis was reviewed by external counsel."
Concerning answer: "Legal is monitoring the regulatory developments."
Why it matters: "Monitoring" is not compliance. The EU AI Act's high-risk obligations must be met. "Monitoring" suggests management does not yet have a compliance program in place.
6. Has the organisation experienced any AI-related incidents in the past 12 months, and if not, how confident are we that we would know?
This two-part question distinguishes between genuine absence of incidents and absence of incident detection.
Good answer: "We had two incidents in Q1: one where a hiring AI flagged a candidate incorrectly due to a training data issue (corrected, reviewed, reported to the affected candidate), and one where model drift was detected in our credit risk tool before it affected decisions. Both were escalated through our AI incident process."
Concerning answer: "We haven't had any significant issues."
Why it matters: "Haven't had issues" from an organisation without an AI incident reporting framework means issues are not being detected, not that they don't exist.
7. Are our AI systems being monitored for performance degradation after deployment?
AI models drift. Post-deployment monitoring is where ongoing governance actually lives.
Good answer: "We have defined Key Risk Indicators for all High Risk and Elevated Risk AI systems. Automated monitoring flags deviations. Three KRIs triggered reviews last quarter; two resulted in model retraining, one in a control change."
Concerning answer: "We're notified if users report issues."
Why it matters: Relying on user complaints is a lagging indicator. By the time users are complaining, harm has occurred, potentially at scale.
8. What is our AI risk appetite, and who approved it?
Risk appetite defines the boundaries within which AI systems may operate without board-level escalation.
Good answer: "The board approved our AI risk appetite statement in Q4 2025. It specifies that AI systems may not make final employment decisions without human sign-off; that no AI system may process sensitive personal data without Data Protection Officer approval; and that any AI incident affecting more than 100 individuals must be escalated to the Risk Committee within 48 hours."
Concerning answer: "We manage risk within our existing enterprise risk framework."
Why it matters: AI risk has properties (opacity, scale, speed, model drift) that existing enterprise risk frameworks typically don't address specifically. Without an AI-specific risk appetite, management has no defined limits for the board to hold them to.
9. Has the organisation conducted independent validation of our high-risk AI systems?
The teams that build and deploy AI systems have obvious incentives to view them positively. Independent validation provides the assurance that board reliance on management reporting requires.
Good answer: "Our model risk function conducts independent validation of all High Risk AI systems annually. The last cycle completed in March 2026. External validation was commissioned for our credit risk AI given its regulatory significance."
Concerning answer: "The technical team reviews system performance regularly."
Why it matters: The technical team reviewing the systems they built is not independent validation. It cannot provide the assurance that boards, auditors, or regulators require.
10. What would happen if our primary AI vendor significantly changed their pricing or discontinued our key AI product?
Many organisations have built critical processes around AI products from a small number of vendors. Vendor concentration risk is a material business continuity issue.
Good answer: "We have assessed our top-three AI vendor dependencies. Our credit scoring AI is the highest concentration risk; we have a documented contingency plan including a manual process fallback and an alternative vendor assessed for migration. We have negotiated contractual protections including 90-day notice of material changes."
Concerning answer: "Our vendors are large, established companies with strong track records."
Why it matters: Large companies discontinue products and change pricing. "Strong track record" is not a continuity plan.
11. Do employees know which AI tools are approved and what they may and may not enter into those tools?
Shadow AI (employees using unapproved tools or uploading confidential information to consumer AI platforms) is one of the primary unmanaged AI risk vectors in most organisations.
Good answer: "We have an AI usage policy published on the intranet and communicated in onboarding. It specifies approved tools, data handling rules, disclosure requirements, and a reporting channel for concerns. Compliance is included in our annual mandatory training."
Concerning answer: "We've communicated general guidance about being careful with what employees share."
Why it matters: "General guidance about being careful" is not an enforceable policy. It does not create accountability and does not provide a basis for disciplinary action.
12. When did the board last receive a structured briefing on AI risk, and what did it cover?
This question benchmarks board oversight maturity. AI risk should be a standing item in risk committee reporting, not a periodic ad hoc briefing.
Good answer: "The Risk Committee received an AI risk report at each of the last four quarterly meetings. It covers: AI system inventory changes, incident summary, KRI dashboard, regulatory developments, and management actions. The board approved the AI risk appetite in December."
Concerning answer: "We received a presentation on AI strategy from the CTO about 18 months ago."
Why it matters: Strategy and risk are different things. Eighteen months without structured risk reporting means the board has had no basis to discharge its oversight obligations for AI risk during that period.