
That gap is the problem. Boards are responsible for outcomes they cannot fully see, explain, or trace back to a human decision. And unlike most operational risks, this one does not stay neatly below the board's line of sight. AI has crossed into territory that affects employee outcomes, customer trust, regulatory standing, and strategic direction — the exact areas where boards carry fiduciary responsibility.
This is not an IT problem waiting for a technical fix. It is a leadership and governance challenge. The distance between what AI is doing inside an organization and what the board knows about it represents a real and growing exposure — one that existing legal frameworks were not designed to address.
This article covers what boards need to understand: two distinct failure modes, how existing director duties apply (and where they fall short), and what inspectable AI governance actually requires in practice.
TL;DR
- AI is operating inside most organizations without board-level visibility or sanctioned governance structures.
- Boards face two failure modes: moving too slowly and ceding competitive ground, or adopting AI without accountability and accumulating legal and reputational risk.
- Directors' duties of care and diligence fully extend to AI-influenced decisions — using AI does not transfer legal responsibility to the system.
- Inspectable governance means the board can verify AI oversight is working — not just be told it is — through clear decision rights, defined escalation thresholds, and tested incident paths.
- Closing the expertise gap often requires an independent advisor or fractional CISO who can build and explain AI governance frameworks without delay.
Why AI Has Moved from the IT Agenda to the Board Agenda
For years, AI sat comfortably on technology roadmaps and IT committee agendas. That is no longer where it lives.
AI now directly affects the things boards are accountable for: how employees are evaluated, how customers are treated, how risk is assessed, and how strategic decisions get made. When a model influences a credit decision, a hiring outcome, or a supply chain call, the board cannot credibly treat it as an infrastructure question.
The Shadow AI Problem Is Not Hypothetical
Most organizations are already past the governance threshold — they just have not acknowledged it. According to Microsoft and LinkedIn's 2024 Work Trend Index, 78% of AI users bring their own AI tools to work, based on a survey of 31,000 people across 31 countries.
"Unsanctioned AI" is not an edge case. In most organizations, it looks like:
- Employees uploading company data into consumer AI tools
- Procurement signing SaaS contracts with embedded AI features no one reviewed
- Engineers deploying models outside of legal or compliance review
- Vendor platforms quietly introducing AI-driven outputs into existing workflows

The question is not whether AI is present. It is whether anyone is clearly in charge of it — and whether that answer holds up in a board meeting, a regulatory inquiry, or a securities class action.
The Disclosure Gap
The numbers confirm how far most boards still lag. ISS-Corporate found that in 2024, only 31.6% of S&P 500 companies disclosed some form of board oversight of AI — up significantly from prior years, but still leaving more than two-thirds of large public companies with no disclosed oversight structure. Only 11% had explicit full-board or committee delegation in proxy statements.
When AI runs material parts of the enterprise, it is no longer an IT matter waiting for an audit finding. It is a board-level accountability gap — one that regulators, plaintiffs' attorneys, and institutional investors are increasingly equipped to exploit.
The Two Ways Boards Fail on AI: Paralysis and Unchecked Adoption
Most board AI governance failures fall into one of two patterns. Both carry real cost.
Failure Mode 1: The Waiting Game
The instinct to observe, assess, and wait for clearer information is reasonable for most emerging technologies. For AI, it is a liability.
The technology is not waiting. Competitors have moved. Regulators have published. Every quarter spent "evaluating the space" is a quarter in which AI has already spread further through the organization — outside any governance structure.
By the time a formal oversight framework is built, the organization is typically already managing risk retroactively:
- Responding to AI-related incidents after the fact
- Fielding investor questions about disclosures no one prepared for
- Scrambling to explain AI-influenced decisions that went wrong
Governance that arrives after the fact is damage control. It is not oversight.
Failure Mode 2: Adoption Without Accountability
The opposite failure is moving fast on AI without building controls to match — and that gap is where legal exposure accumulates.
AI can produce inaccurate outputs, reflect bias, or behave in ways no single individual authorized. Without explicit ownership — which human owns this system, which human reviews its outputs, which human answers when it fails — the board is left exposed.
EY's 2025 analysis of Fortune 100 10-K disclosures found that 22% of Fortune 100 companies now flag AI hallucinations, inaccuracies, or biased outputs as material risks. That figure reflects how quickly AI failure modes have moved from theoretical concern to disclosed business risk.
The Two Branches Boards Consistently Conflate
One of the most common and costly governance mistakes is treating all AI as a single oversight problem. There are two fundamentally different risk profiles:
| AI Type | Examples | Risk Profile |
|---|---|---|
| Customer-facing AI | Pricing engines, hiring tools, credit decisions, service chatbots | Reputational, legal, regulatory — high visibility |
| Internal operational AI | Workflow automation, document drafting, internal analytics | Efficiency risk, data exposure — lower external stakes |

Different risk tolerances. Different oversight requirements. Different accountability structures. Conflating them produces governance frameworks that are either too heavy for low-risk applications or too thin for high-stakes ones.
Fiduciary Duty in the Age of AI: What the Law Expects
Directors' duties of care, loyalty, and diligence apply regardless of whether a decision was informed by AI. Using AI does not transfer legal responsibility to the system.
What it does is create new pressure on directors to critically evaluate AI outputs, push back on management when the basis for a decision is unclear, and exercise independent judgment — not simply accept AI-generated insights as authoritative.
Where the Legal Framework Falls Short
Safe harbor provisions and delegation frameworks under corporate law were designed for human decision-making chains. Delaware's DGCL Section 141(e), which permits directors to rely on reports and opinions from officers, employees, and professionally competent advisors, does not contemplate AI. Legal commentary in the Richmond Journal of Law and Technology has argued that AI systems do not fit into Section 141(e)'s person-based categories — they are not officers, employees, committees, or human experts.
When something goes wrong with an AI-influenced board decision, the existing legal architecture may provide less protection than directors assume. The University of Chicago Law Review Online has argued that directors risk losing business judgment rule protection without reasonable knowledge of AI-assisted decisions — an extension of the informed decision-making standard established in cases like Smith v. Van Gorkom and the board monitoring requirements of In re Caremark.
The AI Washing Exposure Is Separate
Those legal framework gaps address what AI does inside the boardroom. A separate exposure governs how that AI use is communicated to investors.
In March 2024, the SEC brought its first AI-washing enforcement actions against two investment advisers — Delphia (USA) Inc. and Global Predictions, Inc. — for making false and misleading statements about their use of AI. Delphia paid a $225,000 civil penalty; Global Predictions paid $175,000.
Companies that accurately use AI but inaccurately represent that use — or fail to disclose material AI-related risks — face securities litigation exposure independent of whether their AI actually worked. "AI washing" cases are already in the courts.
The Right Human in the Loop
"Human in the loop" has become a governance checkbox. It should not be. Having a human nominally present in an AI-assisted process is not the same as having the right person in the right place.
Effective governance requires that the person at the decision point has:
- Enough domain knowledge to evaluate what the AI is actually telling them — not just approve the output
- Authority to override, escalate, or reject a recommendation without organizational friction
- Named accountability if the AI output turns out to be wrong
Decision rights that are vague on paper will not hold in an actual incident. This is Tyson Martin's central argument in board advisory engagements: inspectable governance is built on escalation thresholds that are defined before pressure hits, not drafted in response to it.
What Inspectable AI Governance Actually Looks Like
"Inspectable governance" has a specific meaning: the board can verify that AI oversight is working, not just be told that it is.
That distinction matters. Many boards receive polished presentations about AI programs. Fewer can independently assess whether the underlying controls are real. Governance theater looks like oversight. It does not function like oversight.
The Structural Building Blocks
Inspectable AI governance requires four concrete elements:
- Use-case inventory: A current, maintained list of what AI is running across the organization, who owns each system, and what decisions it influences — updated, not archived
- Risk register with named owners: Identified risks tied to specific humans accountable for each one, not just a list with no one attached
- Trend dashboard: Risk posture tracked over time, not point-in-time activity counts that mask whether things are actually improving
- Tested escalation paths: Incident response routes walked through in practice — not just written into a policy no one has stress-tested

Where Oversight Responsibility Lives
EY's 2025 Fortune 100 analysis found that about 40% of companies disclosed board-level committee oversight of AI — with 21% assigning it to the audit committee and 25% to non-audit committees such as technology or nominating and governance committees.
The structural choice matters less than the outcome. AI oversight needs to be:
- Explicitly chartered — not assumed to fall under an existing mandate by implication
- Non-overlapping — not split across two committees with no clear ownership of the gaps
- Actionable — producing decisions, not just discussion
What Board Reporting Should Actually Deliver
Effective AI governance reporting answers four questions at every briefing:
- What is our current AI risk posture, in plain English?
- What changed since the last briefing, and why?
- Which AI systems are operating outside approved parameters?
- What decisions require board-level action versus management delegation?
When these four questions get answered consistently, the board stops relying on assurances and starts relying on evidence. That shift — from briefings that inform to reporting that enables decisions — is what separates governance theater from governance that holds up under scrutiny. Boards that don't yet have this infrastructure in place often work with an external advisor, such as a fractional CISO or board-level governance advisor, to build it before the next incident makes the gap visible.
Closing the Expertise Gap: Board Composition, Decision Rights, and External Guidance
Most directors did not design AI systems and do not have direct experience operating them. That is not disqualifying. But it does mean that AI fluency cannot be treated as something directors will absorb through periodic management briefings.
The data confirms the gap. EY's 2025 analysis found that only 11% of Fortune 100 companies disclosed board-level education and training efforts on AI. ISS-Corporate found that 20% of S&P 500 companies disclosed at least one director with AI expertise in 2024 — an improvement, but still leaving the large majority of boards without a director with verified AI expertise.
Three Ways to Close the Gap
| Response | Best For | What It Delivers |
|---|---|---|
| Appoint a credentialed director | Long-term board composition strategy | Permanent expertise, fiduciary standing, sustained oversight capacity |
| Retain an external AI advisory council | Organizations needing broad technical depth | Specialized knowledge without board restructuring |
| Engage a fractional technology executive | Organizations needing governance stability quickly | Decision rights, reporting infrastructure, and inspectable execution — fast |

For organizations in transition, a fractional executive can establish foundational elements quickly: decision rights, risk register, escalation thresholds, and board reporting cadence. No board seat restructure required, and no lengthy hiring process.
What Clear Decision Rights Require
Each of these three approaches only holds if the underlying decision rights are explicit. When those rights are undefined, even the best governance structure collapses under pressure.
If decision rights require negotiation during an incident, they were never real decision rights. In the AI governance context, a defensible framework answers these questions explicitly:
- Which AI decisions require board-level visibility before deployment?
- Which are delegated to management with defined parameters and monitoring requirements?
- At what threshold — by system type, data sensitivity, or business impact — does an AI issue escalate to the board?
- Who is the named human accountable for each major AI system end-to-end?
Tyson Martin's framework for board advisory engagements centers on exactly this: decision rights and escalation thresholds that hold in real incidents, not just in governance documents. Boards that have those answers documented — with named owners and defined thresholds — are the ones that respond rather than react when something goes wrong.
Frequently Asked Questions
Will AI replace the board of directors?
AI can support board work — synthesizing information, scenario modeling, competitor analysis — but accountability, judgment, and fiduciary duty cannot be automated. Delaware corporate law requires directors to be natural persons, and legal responsibility for board decisions remains with the humans who make them, regardless of what AI contributed to the analysis.
What are the 4 C's of corporate governance?
The 4 C's are typically compliance, conduct, culture, and competence. AI governance intersects with all four — particularly competence (directors need AI fluency to exercise real oversight) and conduct (accountability for AI-influenced decisions must sit with specific humans, not diffused across a system).
What is the board's fiduciary duty when it comes to AI?
Directors' duties of care and diligence extend fully to AI-influenced decisions. Boards cannot disclaim responsibility because AI was involved. Directors must critically evaluate AI outputs, ensure management has adequate controls, and maintain clear accountability structures — the same standards that apply to any other material business decision.
How should boards structure AI oversight — through the full board or a dedicated committee?
Most large companies expand existing audit or risk committee mandates to cover AI; a growing number create dedicated technology committees. Either approach works — what matters is that AI oversight is explicitly chartered and doesn't fall through the gaps between committees.
What questions should a board be asking management about AI right now?
Start here:
- What AI is currently operating in our organization, and who owns each system end-to-end?
- What decisions has AI influenced without explicit board authorization?
- When something goes wrong with an AI system, what is the escalation path — and how quickly does it reach this level?


