Key Definitions

| Term | Definition |
|---|---|
| Board of Directors | The governing body elected by shareholders to oversee the management of a company, set strategic direction, and ensure accountability. In the AI context, the board has ultimate responsibility for AI governance as part of its overall governance mandate. |
| Fiduciary Duty | The legal obligation of directors to act in the best interests of the company and its shareholders, with the duty of care (informed decision-making) and duty of loyalty (avoiding conflicts of interest). AI oversight falls within these existing duties. |
| AI Risk Committee | A board-level or board-delegated committee specifically tasked with overseeing AI-related risks, strategy, and governance. May be a standalone committee or a subcommittee of an existing risk or technology committee. |
| AI Strategy | The organization's plan for how AI will be developed, deployed, and governed in alignment with business objectives, risk appetite, and regulatory requirements. |
| Duty of Care | The obligation of directors to exercise the care that a reasonably prudent person would exercise in similar circumstances, including staying informed about AI risks and opportunities relevant to the business. |
| Duty of Loyalty | The obligation of directors to act in good faith and in the best interests of the company, requiring disclosure of conflicts of interest including those arising from AI-related investments or relationships. |
| Business Judgment Rule | A legal principle that protects directors from liability for business decisions made in good faith, on an informed basis, and in the honest belief that the decision was in the company's best interest — applicable to AI deployment decisions. |
| Shareholder Engagement | The process of dialogue between a company and its shareholders on matters of governance, strategy, and performance, increasingly including AI-related topics. |
| ESG (Environmental, Social, Governance) | The three pillars of non-financial performance assessment, all of which are affected by AI deployment (environmental impact of AI computing, social impact of AI decisions, governance of AI systems). |
| Board Competency Matrix | A structured assessment of the skills, knowledge, and experience present on the board, used to identify gaps and guide director recruitment. AI literacy is an increasingly critical competency. |
| Risk Appetite | The amount and type of risk an organization is willing to pursue or retain in order to meet its strategic objectives, including risks associated with AI deployment. |
| Corporate Governance Code | A set of principles, standards, and best practices for corporate governance, typically issued on a comply-or-explain basis. Major codes (UK, Germany, France, Japan, Australia) are increasingly addressing technology and AI governance. |

Chapter 1: Why Boards Must Engage with AI Governance

AI is no longer a technology decision that boards can delegate entirely to management. AI systems now make or influence decisions that affect customers, employees, investors, and communities at a scale and speed that create board-level risks — regulatory, reputational, financial, and operational. The EU AI Act's organizational requirements, evolving corporate governance expectations, and investor scrutiny of AI practices mean that boards that fail to engage with AI governance are failing in their fiduciary duties.

1-1. The Board's Fiduciary Obligation

Directors' fiduciary duties — the duty of care and the duty of loyalty — extend to AI governance:

Duty of Care and AI:
- Directors must inform themselves about material AI risks facing the organization
- Directors must ensure adequate AI governance structures are in place
- Directors must monitor AI-related risks through regular reporting
- Ignorance of AI risks does not constitute a defense

Duty of Loyalty and AI:
- Directors must ensure AI deployment serves the company's interests, not narrow personal interests
- Directors must disclose conflicts of interest related to AI (investments in AI companies, consulting relationships)
- Directors must not approve AI deployments that enrich related parties at the company's expense

The Business Judgment Rule and AI:

The business judgment rule protects directors who make informed AI decisions in good faith. To benefit from this protection, directors must:
- Inform themselves about AI risks and opportunities (due diligence)
- Act in good faith (genuine belief in the decision's merits)
- Act in the company's best interest (not personal interest)
- Make a rational decision (not grossly negligent)

This means directors need not be AI experts, but they must engage meaningfully with AI governance — receiving information, asking informed questions, and making reasoned decisions.

1-2. Why AI Is Different from Previous Technology Governance

| Previous Technology | AI | Board Implication |
|---|---|---|
| Deterministic — produces predictable outputs | Probabilistic — outputs vary and can be wrong | Board must oversee error management and human oversight |
| Rule-based — follows explicit logic | Learning-based — discovers patterns in data | Board must oversee data governance and model validation |
| Human decisions assisted by tools | Decisions made or heavily influenced by algorithms | Board must ensure accountability and explainability |
| Impact limited to efficiency | Impact extends to fairness, rights, and safety | Board must oversee ethical and societal implications |
| Regulatory framework established | Regulatory framework rapidly evolving | Board must monitor regulatory landscape actively |
| Failure modes well-understood | Novel failure modes (bias, hallucination, drift) | Board must oversee novel risk categories |

1-3. The Regulatory Imperative

Multiple regulatory frameworks now expect board-level AI engagement:

| Framework | Board Expectation |
|---|---|
| EU AI Act | Organizational requirements imply senior management responsibility for AI governance; Article 4 AI literacy extends to board-level understanding |
| UK Corporate Governance Code | Board responsible for establishing risk management and internal control frameworks; technology risk is a recognized category |
| Sarbanes-Oxley (US) | CEO/CFO must assess effectiveness of internal controls; AI systems in financial reporting are within scope |
| DORA (EU Financial) | Board must approve ICT risk management framework; AI systems fall within ICT governance |
| ISO 42001 | Clause 5 requires top management (which includes the board) to demonstrate leadership and commitment |
| OECD Corporate Governance Principles | Board oversight of risk management and internal controls |
| EU CS3D (Corporate Sustainability Due Diligence Directive) | Board must oversee due diligence processes; AI impacts on human rights and environment are within scope |

1-4. Investor Expectations

Institutional investors increasingly evaluate AI governance:
- Proxy advisory firms (ISS, Glass Lewis) are developing AI governance evaluation criteria
- ESG rating agencies include AI governance metrics in technology and governance assessments
- Institutional investors ask about AI governance in engagement meetings and annual general meetings
- Sustainable investment frameworks (UNPRI, Stewardship Codes) address AI as a governance concern
- Shareholder resolutions on AI ethics and governance are increasing in frequency