AIRiskAware

Board Governance 9 min read 2026

Board AI Governance Training: What Directors Need to Know and How to Get Up to Speed

Board directors are accountable for AI governance under directors' duties legislation — but most have not received structured AI governance education. This is the guide to what boards need to understand and how to build that understanding.

Key Takeaways

  • Board directors owe a duty of care that extends to AI governance — a director who approves significant AI deployments without adequate information about their risks has not satisfied their duty of care under the Corporations Act (Australia), the Companies Act (UK), or equivalent legislation.

  • Boards do not need to be AI experts — they need to be able to ask the right questions, evaluate the quality of management responses, and recognise when AI risks are inadequately governed. This is a governance skill, not a technical skill.

  • The five questions every board should be able to ask (and evaluate responses to): What are our ten highest-risk AI systems? How do we know when an AI system is failing? What is our process for approving new AI deployments? Have we had any AI-related incidents in the last 12 months? Who is personally accountable for our AI governance outcomes?

  • Board AI governance training should cover: how AI creates legal and regulatory risk (not how AI works technically), the specific governance obligations that fall on the board versus management, the questions boards should ask and what good answers look like, and the emerging regulatory expectations for board AI governance in relevant jurisdictions.

  • ASIC (Australia), the FCA (UK), the SEC (US), and other regulators are increasingly expecting boards to demonstrate genuine AI governance oversight — the trend is toward board accountability, not management accountability, for material AI governance failures.
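
"For reference only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, consult a qualified expert."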

Board AI governance training — what directors actually need to know

Board AI literacy is no longer optional. APRA's 30 April 2026 industry-wide letter named board AI literacy as a minimum expectation for Australian financial services. The EU AI Act's Article 4 imposes AI literacy obligations on providers and deployers, with directors expected to demonstrate the capability to discharge their oversight duties. The Federal Reserve's SR 26-2 (17 April 2026) expects substantive board engagement with model risk including AI/ML. ASIC's October 2024 REP 798 named board AI oversight gaps directly.

This article provides a practical training framework for directors: what they should know, how to structure training, and how to demonstrate that board AI literacy is at the level regulators expect.

What "board AI literacy" actually means

Regulatory expectations for board AI literacy don't require directors to be AI engineers. They require directors to have enough understanding to: ask the right questions; understand management's answers; identify when answers are inadequate; provide effective challenge; and exercise informed judgement about AI risk and opportunity.

APRA expressed it as boards needing "enough AI literacy to set strategic direction and provide meaningful challenge and oversight." ASIC's REP 798 expected boards to understand the organisation's position, ask the right questions, and confirm cyber resilience measures are proportionate. The Federal Reserve expects directors to engage substantively with model risk, including AI/ML — not to defer to management or external advisers.

This is a higher bar than awareness or familiarity. It requires substantive engagement with how AI works, where the risks are, and what good governance looks like in your sector.

The five domains of board AI training

1. AI technology fundamentals. What AI is, how machine learning models actually work, what generative AI is, what AI agents are, and what foundation models are. Directors need enough technical understanding to engage with the substantive issues — not deep technical expertise. Two to three hours of well-structured content is typically sufficient.

2. Regulatory landscape. The applicable regulatory framework for the organisation — EU AI Act for EU exposure, APRA CPS 230/CPS 234 for Australian financial services, SR 26-2 for US large banks, FCA Consumer Duty for UK, MAS for Singapore, sectoral regulators for healthcare/critical infrastructure. Directors need to understand which regimes apply, what they require, and what the deadlines are.

3. AI risk frameworks. The 4-6 categories of AI-specific risk: model performance risk, data and training risk, bias and fairness risk, security risk (including prompt injection, model poisoning, IAM for non-human actors), third-party AI risk, regulatory compliance risk. Each needs basic understanding plus organisation-specific application.

4. Governance structures. What good AI governance looks like — board roles, executive accountability, three lines of defence, AI inventory, risk classification, monitoring, incident response. Directors need to understand what the organisation should have in place so that they can evaluate whether it does.

5. Sector-specific considerations. The AI risk profile and regulatory expectations vary substantially by sector. Financial services boards face different issues than healthcare boards, manufacturing boards, or technology company boards. Tailoring sector-specific training is essential.

Training delivery — formats that work

Initial intensive (4-8 hours). A structured initial training programme covering the five domains. Typically delivered over 2-3 board meeting sessions or a dedicated board training day. Combines presentation, case studies, and discussion.

Quarterly deep dives. 60-90 minutes at each quarterly board meeting on a specific AI topic — a recent enforcement case, a regulatory development, a deep look at one of the organisation's high-risk AI systems. Builds depth over time and demonstrates ongoing engagement.

Pre-meeting briefings. Where AI items appear on board agendas, briefing materials should provide enough context for directors to engage substantively. Don't assume directors remember training from six months ago.

Tabletop exercises. Simulated AI incident scenarios force engagement with real decisions. "An AI hiring tool has been identified as producing biased outcomes — what is the board's response?" Tabletop exercises reveal gaps that training presentations don't.

External speakers. Regulator briefings (where available), expert practitioners, peer board members from other organisations. External perspectives add credibility and breadth.

What good training material looks like

Effective board AI training has these characteristics:

Specific to your organisation. Generic AI training won't satisfy regulatory expectations. The training should reference specific AI systems in your organisation, specific regulatory regimes that apply to you, specific risks in your sector.

Recent and updated. AI regulation moves fast. Material from 2024 is already out of date in 2026. Training that references "APRA expects boards to..." needs to reflect the 30 April 2026 letter, not pre-2026 expectations.

Practical, not academic. Directors need to know how to engage with AI risk practically. Discussing AI ethics as philosophy is less useful than practising the specific challenges directors face.

Engages with failure modes. Real-world AI failures (DWP Universal Credit, Robodebt, Workday, Eightfold AI, Berlin bank Article 22 case) teach more than abstract risk frameworks.

Documented for evidence. Training records — what was covered, who attended, what was assessed — provide the evidence base regulators expect.

Common gaps in current board AI training

From regulatory engagement and audit findings, common gaps include:

"Tour the technology" without governance application. Training that explains what large language models are without addressing what boards need to do about them is incomplete.

Generic ethics framing. Discussion of AI ethics without specific governance application doesn't build the literacy regulators expect.

Overreliance on external speakers. Boards need internal-facing training using the organisation's own AI inventory and governance framework — not just external perspectives.

One-time training without ongoing reinforcement. A single 2-hour session in 2024 doesn't establish ongoing literacy. Quarterly engagement is the minimum.

No assessment. Without some form of assessment (post-training quiz, board exercise, self-assessment), there's no evidence that material was understood.

Documenting board AI literacy

Regulators are increasingly examining the evidence of board AI literacy. The documentation needed includes: dates and content of training sessions; directors attending each session; materials used; questions and discussion captured in board minutes; assessment of director engagement (formal or informal); ongoing reading/briefing supplied to directors; AI items at board meetings and the quality of discussion.

This documentation matters because regulators will ask. The Federal Reserve, APRA, FCA, and others increasingly expect to see evidence of substantive board engagement with AI — not just attendance lists. ASIC's REP 798 commented specifically on "overreliance on vendor presentations and summaries" without independent challenge.

Building board AI training in your organisation

If you're starting from a low base, the path forward is:

1. Assess current board literacy through informal conversation, formal survey, or external assessment. This establishes the baseline and identifies gaps.

2. Build a training plan with named owner (typically the company secretary or chief risk officer), defined cadence, and documented content. Budget appropriately — meaningful board training costs money.

3. Run one or more initial intensive sessions covering the five domains, tailored to your organisation. Document attendance and engagement.

4. Establish quarterly cadence for ongoing deep dives. Build into the board meeting calendar.

5. Use tabletop exercises at least annually to test decision-making under pressure.

6. Maintain the documentation as evidence of the board literacy programme.

The objective is not to make directors AI experts — it is to ensure directors can discharge their statutory and prudential duties with respect to AI. That's a realistic, defensible standard that regulatory expectations are converging on.