Board AI Literacy: What Directors Actually Need to Know About AI Governance
APRA and ASIC both identified board AI literacy gaps in their May 2026 letters. Directors do not need to understand neural networks. They need to understand what AI their organisation uses, what can go wrong, what the legal obligations are, and how to challenge management effectively. This is the practical guide.
Key Takeaways
This article provides practical governance guidance verified against primary regulatory sources.
All facts and regulatory references have been verified as of May 2026.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For specific advice, please consult a qualified professional."
Board AI literacy is the minimum level of understanding that directors need to provide effective oversight of AI-related risks and opportunities. It does not mean understanding how neural networks are trained or how transformer architectures work. It means understanding what AI systems your organisation uses, what decisions those systems influence, what can go wrong, what legal and regulatory obligations apply, and what questions to ask management. In May 2026, both APRA and ASIC identified board AI literacy as a material governance gap. APRA observed boards promoting AI adoption strategies while falling short on the technical literacy needed to challenge AI-related risks effectively. ASIC directed all regulated entities to table its cyber resilience letter at board level. The message is clear: AI governance is a board-level responsibility, and directors who cannot engage meaningfully with AI risk are not meeting their duties.
What APRA and ASIC expect from boards
APRA's 30 April 2026 industry letter sets specific board-level expectations: boards should maintain sufficient understanding and literacy with respect to AI to set strategic direction and provide effective challenge and oversight. APRA observed an overreliance on vendor presentations and summaries without sufficient examination of key AI risks such as unpredictable model behaviour and the impact on critical operations. ASIC's 8 May 2026 letter expects boards to understand their organisation's cyber resilience position, ask the right questions, and be able to evidence the basis for their assurance — not just rely on management assurances.
The seven questions every board should be asking
1. Where are we using AI today, and do we have a complete inventory? If the answer is uncertain, governance has a foundational gap.
2. Which AI use cases create the highest risk — to customers, to regulatory compliance, to operations, to reputation?
3. What is our risk appetite for AI, and is it documented?
4. Can we evidence that our AI controls are working — not just that they exist, but that they are effective?
5. Are our cyber controls adequate for AI-enabled threats?
6. Do we understand our AI supply chain, including vendor concentration and fourth-party dependencies?
7. Are our business continuity arrangements credible if a critical AI system or provider fails?
What directors do NOT need to know
Directors do not need to understand machine learning mathematics, neural network architectures, training methodologies, or programming languages. They need to understand the governance implications of AI — the same way they understand the governance implications of financial instruments without being quantitative analysts, or the governance implications of cybersecurity without being penetration testers. The most effective board AI education focuses on risk categories (what can go wrong), regulatory obligations (what the law requires), governance structures (who is accountable), and assurance mechanisms (how we know controls are working).
Practical steps for boards
Commission an AI use case inventory from management and review it at board level. Establish a regular AI governance reporting cadence — not just opportunities, but risks, incidents, and control effectiveness. Ensure at least one board member has sufficient AI literacy to provide effective challenge (this may require targeted education or an advisory board appointment). Include AI risk in the board risk register and risk appetite statement. Review AI vendor contracts and concentration risk at board level. Request evidence of control effectiveness — not compliance reports, but test results, audit findings, and incident data.
Primary sources: APRA Letter to Industry on AI, 30 April 2026 | ASIC 26-092MR, 8 May 2026