13 May 2026
Board Responsibilities for AI: What Directors Need to Know
AI governance is a board-level issue. Here's what UK directors are now accountable for — and the risks of getting it wrong.
Sam Hawkins
Syntra Automate
AI is no longer an IT project that the board can delegate downwards and forget about. It is a strategic risk — regulatory, reputational, and operational — that sits squarely at board level.
And yet, in most UK businesses, the board has minimal visibility over what AI systems the organisation uses, how they make decisions, and what data they process. According to the UK Cyber Security Breaches Survey 2025, only 24% of businesses using or considering AI reported having processes in place to manage AI risks. That is not an IT failure. It is a governance failure. And governance is a board responsibility.
Why AI is now a board agenda item
Three forces are converging to make AI a board-level concern.
Regulatory pressure. The EU AI Act (Regulation (EU) 2024/1689) imposes obligations on organisations deploying high-risk AI systems, with the Annex III deadline arriving on 2 August 2026 and fines reaching EUR 35 million or 7% of worldwide annual turnover. The UK GDPR already requires accountability for automated decision-making. The ICO, FCA, and other UK regulators are embedding AI expectations into existing supervisory frameworks.
Reputational risk. AI failures make headlines. Biased recruitment algorithms, discriminatory credit scoring, data leaks through AI tools — these incidents damage trust with customers, employees, and investors. The reputational fallout from an AI governance failure can far exceed any fine.
Operational risk. Organisations are increasingly dependent on AI systems for core business functions. If those systems produce inaccurate outputs, embed biases, or fail entirely, the operational consequences can be severe.
Any one of these would justify board attention. Together, they make AI governance a fiduciary concern.
What directors are personally accountable for
UK directors have a duty under the Companies Act 2006 to promote the success of the company (section 172) and to exercise reasonable care, skill, and diligence (section 174). These duties are not suspended when it comes to AI.
If a board fails to establish adequate oversight of AI systems and that failure leads to regulatory penalties, data breaches, or material business harm, directors may face personal liability. "We did not understand the technology" is not a defence — just as it was never a defence for failing to oversee financial controls or health and safety.
The principle is straightforward: directors are not expected to be AI experts. They are expected to ensure the organisation has appropriate governance, risk management, and oversight in place. That is a governance question, not a technical one.
The UK Corporate Governance Code connection
The UK Corporate Governance Code — which applies to premium-listed companies but influences governance practice across the UK — establishes principles that are directly relevant to AI oversight.
Principle O requires the board to establish procedures to manage risk, oversee the internal control framework, and determine the nature and extent of the principal risks the company is willing to take. AI risk falls squarely within this.
Provision 28 requires the board to carry out a robust assessment of the company's emerging and principal risks. For any organisation using AI in customer-facing, employment, or decision-making contexts, AI is an emerging risk that demands assessment.
Provision 29 requires the board to monitor the company's risk management and internal control systems. If AI systems are making or influencing decisions, the board needs to understand what controls are in place.
Even for private companies not bound by the Code, its principles represent good governance practice that regulators, insurers, and commercial partners increasingly expect.
The board's role: strategic governance, not technical detail
To be clear: the board does not need to understand how large language models work or what a neural network does. The board's role is strategic governance — setting direction, ensuring accountability, and overseeing risk.
In practice, that means:
Setting the tone from the top. The board should communicate clearly that AI governance matters, that it expects compliance, and that resources will be allocated to get it right.
Appointing accountability. Someone at senior level — whether a Chief Information Officer, Chief Risk Officer, or a designated AI governance lead — must own AI risk and report to the board. Without named ownership, governance will drift.
Ensuring visibility. The board needs a clear picture of what AI systems the organisation uses, what decisions they influence, and what risks they carry. This requires regular reporting, not a one-off briefing.
Challenging management. Directors should ask probing questions about AI risk — just as they would about financial risk, cyber risk, or health and safety. The questions do not need to be technical. They need to be sharp.
What a board AI risk report should contain
If your board does not currently receive regular reporting on AI risk, it should. A good board AI risk report covers:
AI system inventory. A summary of all AI systems in use across the organisation, including third-party tools and any shadow AI identified.
Risk classification. How each system maps against the EU AI Act risk tiers (unacceptable, high, limited, minimal).
Compliance status. Where the organisation stands against regulatory requirements — EU AI Act, UK GDPR, sector-specific obligations.
Key risks and mitigations. The principal AI risks the organisation faces and the controls in place to manage them.
Incidents and near-misses. Any AI-related incidents, including data breaches, biased outputs, or compliance failures.
Policy compliance. Whether staff are following the AI usage policy, including shadow AI monitoring results.
Upcoming regulatory changes. Any new requirements or deadlines the board should be aware of.
Actions and recommendations. What management is doing to address gaps and strengthen governance.
This does not need to be a 50-page document. A clear, concise quarterly report gives the board what it needs to fulfil its oversight role.
Ten questions directors should be asking
Directors do not need to become AI specialists. But they do need to ask the right questions. Here are ten that every board should be putting to management:
1. What AI systems does our organisation currently use, and who approved them?
2. Are any of our AI systems classified as high risk under the EU AI Act?
3. Do we have a formal AI usage policy, and is it being followed?
4. What personal data is being processed by AI systems, and are we GDPR-compliant?
5. Have we conducted a shadow AI survey to identify unapproved tools?
6. Who in the organisation is accountable for AI governance?
7. What controls are in place to ensure human oversight of AI-driven decisions?
8. How are we managing AI supplier risk — particularly around data handling and model training?
9. Are we on track to meet the EU AI Act high-risk deadline of 2 August 2026?
10. What would happen if one of our AI systems failed or produced biased outcomes tomorrow?
If management cannot answer these questions clearly, the board has identified a governance gap that needs immediate attention.
How to establish AI governance at board level
Building board-level AI governance does not require a massive transformation programme. It requires structure, clarity, and consistency.
Step 1: Designate a responsible executive. Assign ownership of AI governance to a named senior leader who reports to the board. This person does not need to be a technologist — they need to understand risk and governance.
Step 2: Establish regular reporting. AI risk should feature on the board agenda at least quarterly. Use the reporting framework above as a starting point.
Step 3: Commission an AI audit. Before you can govern, you need to know what you have. An independent audit of your AI estate — including shadow AI — gives the board a factual starting point.
Step 4: Approve an AI policy. The board should formally approve the organisation's AI usage policy, just as it would approve policies on data protection, anti-bribery, or health and safety.
Step 5: Integrate AI into existing risk frameworks. AI risk should sit within your existing enterprise risk management framework — not in a separate silo. Integrate it into your risk register, internal audit programme, and assurance processes.
Step 6: Invest in board awareness. Directors do not need to become technical experts, but they do need enough understanding to ask informed questions and challenge management effectively. A focused board briefing on AI risk — covering the regulatory landscape, your specific exposure, and the governance framework — is a worthwhile investment.
The cost of inaction
The risks of not establishing board-level AI governance are real and escalating.
Regulatory fines under the EU AI Act reach EUR 35 million or 7% of worldwide annual turnover. The ICO can impose significant penalties for GDPR failures linked to AI. Reputational damage from AI incidents can erode customer trust and shareholder value. And directors who fail to exercise reasonable oversight may face personal consequences.
The businesses that establish AI governance at board level now will be better positioned — for compliance, for commercial advantage, and for the scrutiny that is coming.
The bottom line
AI governance is a board responsibility. Not because directors need to understand the technology, but because they are accountable for the risks it creates. The regulatory framework is tightening, the deadlines are fixed, and the expectation is clear: boards must govern AI with the same rigour they apply to every other material risk.
The question is not whether your board should engage with AI governance. It is whether you can afford to wait any longer.