What Boards Get Wrong About AI Risk

AI doesn’t create a new category of risk. It amplifies existing ones — cyber, D&O, IP, product liability — simultaneously. Most boards haven’t adjusted their oversight model.


The Category Error

Most boards treat AI risk as a technology risk. This is the fundamental mistake. AI does not create a single new category of risk that can be filed alongside cybersecurity or IT infrastructure. Instead, it overlays and amplifies existing risks across multiple domains simultaneously — cyber, professional services, employment, intellectual property, product liability, and directors and officers exposure.

When an AI system produces a biased hiring outcome, that is simultaneously an employment law risk, a regulatory compliance risk, a reputational risk, and potentially a D&O liability risk. When a generative AI tool hallucinates in a customer-facing application, that touches product liability, professional services liability, and brand risk. AI does not sit neatly in one risk register category. It spreads across all of them.

Boards that delegate AI risk to the technology committee alone are structuring their oversight around a category error. The risk is not primarily technical. It is organizational.

The Oversight Deficit

The numbers are sobering. More than half of directors surveyed by the National Association of Corporate Directors reported that the threat of disruption from AI is not a standing item on their board agenda. Only 39 percent of Fortune 100 companies disclose any form of AI board oversight. (See The Five Questions Every Board Should Ask for a practical starting point.) Meanwhile, insurers are already signaling increased interest in AI governance maturity within D&O underwriting — including how companies vet public disclosures and how boards approach oversight.

Courts and regulators are raising expectations as well. Directors are increasingly expected to understand how and where AI is used in their organizations, ensure appropriate governance structures are in place, and demonstrate that material risks have been identified and addressed. The standard of care for board oversight of AI is evolving faster than most boards are adapting.

Five Common Mistakes

Treating AI as an IT Deliverable

AI governance requires engagement from legal, compliance, HR, operations, and the board — not just the CIO. When AI risk is managed as a technology workstream, the governance, ethical, and legal dimensions are systematically under-addressed.

Relying on Management Reassurance

Boards should be skeptical of management presentations that focus on AI opportunity without equally addressing AI risk. When management reports that “we have appropriate controls in place” without providing documentation, metrics, or third-party validation, that is not oversight. It is trust without verification.

Conflating AI Investment with AI Governance

Spending money on AI platforms, tools, and talent does not constitute governance. Some of the largest AI investors in the market have the weakest governance structures, because the organizational energy is focused on adoption speed rather than deployment discipline.

Ignoring Third-Party AI Risk

Most organizations deploy significantly more third-party AI than internally developed AI. Every SaaS vendor with “AI-powered” features introduces risk into your ecosystem. Boards should ask what due diligence is performed on AI vendors and whether contractual protections address model updates, data handling, and incident response.

Waiting for Regulation to Dictate Action

The EU AI Act is the current headline, but it is not the only framework that matters. State-level AI regulations are proliferating in the United States. The SEC’s 2026 examination priorities have elevated cybersecurity and AI concerns. Financial institutions face particularly complex requirements around AI governance and risk ownership. Shareholder litigation related to AI governance failures is emerging as a distinct category of D&O exposure. Waiting for a single, definitive regulatory mandate is a strategy that guarantees you are behind when it arrives.

What Better Oversight Looks Like

Boards that are getting this right share several characteristics. They have designated a committee or working group with explicit responsibility for AI oversight. They receive regular reporting that includes both opportunity metrics and risk indicators. They have asked management to produce a complete AI inventory with risk classifications. They have ensured that a senior executive — with sufficient authority and resources — owns AI governance at the operational level. And they are engaging with the topic as an evolving discipline, not a one-time agenda item.

For a practical checklist, see what directors need to know before the next audit. AI risk is not a future problem. It is a current exposure that compounds with every AI deployment your organization adds without corresponding governance. The boards that adjust their oversight model now will be better positioned when the regulatory environment tightens, the litigation landscape clarifies, and the reputational stakes of AI failures become impossible to ignore.
