Question one. What AI is inside the firm, and who knows.
The starting point of board-level AI governance is the AI inventory. Not the policy. Not the working group. The list.
Boards should ask, in plain language: can the General Counsel and the CISO show me, today, a single list of every AI system the firm uses, every AI system the firm is building, and every AI system inside a supplier the firm relies on?
The answer is almost never yes. The remediation is simple: a documented inventory, refreshed quarterly, owned by a named executive, signed off by the audit committee. Without it, every subsequent governance conversation is hypothetical.
Question two. Where does liability sit, by use case.
The EU AI Act imposes obligations on providers, deployers, importers, distributors, authorised representatives and product manufacturers. The role assigned to a firm depends on the use case, not the firm. The same organisation can be a provider of one AI system, a deployer of another, and an importer of a third.
Boards should ask: for each AI use case on the inventory, which Article 25 role does the firm hold, and what does that role oblige us to do?
If the answer collapses into "we are a deployer" for everything, the analysis has not been done. Deployers of high-risk AI have meaningful obligations under Article 26 of the Act, but providers carry the bulk of the conformity-assessment and post-market-monitoring burden. The role determination is the first material legal question, and it needs board-level visibility.
Question three. What is the evidence of human oversight.
Both the EU AI Act and ISO/IEC 42001 expect documented human oversight. Boards should not accept the assurance "there is a human in the loop" without seeing the evidence.
Specifically, for each high-risk AI use case, the board should expect to see: who the human reviewer is, by name and role; what they review and how often; what authority they have to override the AI output; how their oversight is logged; and how their performance is itself reviewed.
If oversight cannot be evidenced at this level of specificity, it is not oversight. It is a comfort phrase. A UK supervisor will detect the gap inside one meeting.
Question four. What is the incident path for AI failure.
AI systems fail in ways traditional software does not. Drift. Hallucination. Discriminatory output. Adversarial input. A model that worked in March can produce harmful output in September without anyone changing a line of code.
Boards should ask: if our AI system produces a harmful output tomorrow, what is the incident path?
The path needs five named elements. Who detects the failure. Who escalates and to whom. Who decides whether to disable the system. Who notifies affected individuals. Who notifies the regulator, by which deadline. The path should be the same one used for cyber incidents, with AI-specific decision rights inserted, not a parallel structure that gets forgotten.
If the AI incident path is a parallel structure, it will not be the structure used at three in the morning when it matters.
Question five. What standard is the firm aligning to, and why.
The choice of governance standard for AI is now a board question. Three options dominate UK practice: ISO/IEC 42001 as the management-system standard, NIST AI RMF as the risk-framework reference, and the EU AI Act as the binding regulatory floor for systems with EU exposure.
Most firms will end up using all three. ISO/IEC 42001 gives the management-system spine. NIST AI RMF gives the risk vocabulary. The EU AI Act gives the legal obligations. The board should know which one the firm is currently aligning to, why, and what the migration path is to the other two.
If the answer is none of the above, or "we are watching the space", the firm has decided, by omission, that the regulator and the customer will set its AI governance standard. That is a board-level decision and should be minuted as such.
These five questions take fifteen minutes at the start of a committee meeting. If the management team can answer all five, the firm is in the upper quartile of UK practice. If the team cannot answer two of them, the audit committee has a clear next agenda item.