Most boards receive reports on artificial intelligence that they cannot independently verify. This creates a dangerous gap between management’s technical assurances and the board’s need for defensible governance, exposing directors to personal liability.
By 2026, this gap will be indefensible. The rapid deployment of AI, particularly generative models, has moved the technology from a back-office efficiency tool to a core driver of strategy, risk, and reputation. For an Australian director, overlooking the governance of these systems is no different from ignoring financial reporting standards or critical safety protocols. The core principles of care and diligence apply directly, and regulators expect boards to have a structured, evidence-based approach to their oversight. Relying on the IT department’s assessment alone is no longer a sufficient discharge of your duties.
The Director’s Mandate: Why AI Risk is a Fiduciary Duty in 2026
An AI risk management framework is not a technical document. It is a shield. It is the board’s primary tool for demonstrating that it has exercised its powers with the requisite level of care and diligence, protecting both the corporation and its directors from liability. The legal foundation for this is clear and unforgiving.
Section 180 of the Corporations Act 2001 (Cth) demands that directors exercise their powers and discharge their duties with the degree of care and diligence that a reasonable person would. In the context of AI, a “reasonable” director in 2026 is expected to understand the material risks the technology introduces. This includes risks related to data privacy, algorithmic bias, model accuracy, and cybersecurity. Ignorance is not a defence. A failure to establish and oversee a robust governance framework can be interpreted as a direct breach of this statutory duty.
This reality forces a fundamental shift in the questions a director must ask. The conversation must move from the technical, “Is the AI safe?”, to the governance-focused, “Is our oversight of the AI defensible?” The first question can be answered by management or a vendor. The second can only be answered by the board, supported by independent verification. This distinction is critical. Technical risk concerns the failure of a system, such as a model producing an incorrect output. Governance risk concerns the failure of accountability, such as the inability to explain why a decision was made or who was responsible for a harmful outcome. It is the governance risk that falls squarely within the board’s remit.
Aligning with AICD and ACS Standards
Professional bodies have set clear expectations. The Australian Institute of Company Directors (AICD) has consistently updated its guidance to reflect the growing importance of technology governance. The prevailing view is that an “AI-ready” board is one that has moved beyond general awareness to active, structured oversight. This means having a formal framework, clear reporting lines, and a process for independently validating management’s claims about AI controls and performance.
Similarly, the professional standards from the Australian Computer Society (ACS) provide a benchmark for the ethical and professional conduct expected in the development and deployment of technology. While the board is not expected to be ACS-certified, it is expected to ensure the organisation’s AI practices align with these established national standards. Integrating these standards into the board’s accountability matrix provides a clear, defensible position that demonstrates the company adheres to recognised benchmarks for responsible technology management.
The High Stakes of Generative AI Oversight
The rise of generative AI introduces a unique and potent risk: Shadow AI. This refers to the use of AI tools and platforms by employees without official sanction or oversight. Staff using public generative AI models to analyse sensitive corporate data, for example, can create significant data security and intellectual property risks. From a director’s perspective, widespread Shadow AI is evidence of a systemic failure in governance.
It represents a hidden breach of fiduciary duty because the board is ultimately responsible for the systems and controls that protect corporate assets. If the board has not explicitly set policy and implemented controls regarding the use of generative AI, it has arguably failed to act with due care. This is not a purely technical issue; it is a failure of oversight that requires a board-level response, similar to how directors approach cyber governance for boards in Australia.
Evaluating AI Frameworks: Choosing a Structure for Your Board
Selecting an appropriate framework is the first practical step toward establishing defensible oversight. Several global and local options exist, but they are not created equal. A framework designed for a team of data scientists in a US federal agency is unlikely to be fit for purpose in an Australian boardroom. The key is to choose a structure that can be translated into meaningful, decision-useful information for directors.
The most common frameworks under consideration are:
- NIST AI Risk Management Framework (RMF): Developed by the U.S. National Institute of Standards and Technology, the NIST AI RMF is considered the global gold standard for technical risk mapping. It is comprehensive, rigorous, and highly detailed. Its primary weakness for an Australian board is its complexity and US-centric context. It requires significant “translation” to be useful for director-level reporting and lacks direct alignment with Australian corporate law.
- ISO/IEC 42001: This is the international standard for an AI Management System (AIMS). Like other ISO standards (such as ISO 27001 for information security), ISO/IEC 42001 provides a structured, process-oriented approach. It helps organisations build repeatable systems for managing AI development, deployment, and monitoring. Its strength is its focus on management systems, which aligns well with corporate governance principles.
- Australia’s AI Safety Standard: The Australian government has focused on a principles-based approach to safe and responsible AI. While still evolving, the direction is toward establishing a local benchmark for responsible innovation that complements global standards. Staying aligned with this voluntary standard is crucial for demonstrating good corporate citizenship and pre-empting future regulatory mandates.
The correct approach for most Australian boards is not to pick one, but to use a “Board-Ready Filter.” This involves adopting a hybrid model that draws on the technical rigour of NIST, the process discipline of ISO, and the ethical principles of the Australian standards, but filters everything through one question: Does this generate reporting that a non-technical director can use to challenge management and demonstrate defensible oversight?
From the Boardroom
I once sat on a board where management presented a proposal for a significant investment in a new AI-powered logistics system. The vendor’s presentation was impressive, full of complex diagrams and promises of double-digit efficiency gains. The executive team was enthusiastic, and the recommendation was to approve the multi-million dollar expenditure.
The board paper was thick with technical specifications but thin on governance. During the discussion, I asked a simple question: “If this system makes a critical error that results in a major safety incident, who is accountable, and how would we prove to a regulator that we took reasonable steps to prevent it?”
The room fell silent. The CEO looked to the CIO, who looked to the project lead. It became clear that accountability had been delegated to the technology itself. There was no framework for human oversight, no clear line of responsibility for the model’s outputs, and no plan for what to do when, not if, it failed. We had been presented with a technical solution, not a business capability. We sent the proposal back. The real work was not in buying the software, but in building the governance structure around it. That moment crystallised for me the critical difference between technical implementation and defensible board oversight.
NIST vs. ISO vs. Australian Standards: A Director's Comparison
To assist boards in their evaluation, I use the following comparison to frame the discussion. The focus is not on technical merit, but on utility within the specific context of an Australian director’s duties.
| Framework | Complexity | Regulatory Alignment (AU) | Board Utility |
|---|---|---|---|
| NIST AI RMF | High. Requires expert translation. | Low. US-focused, not legally binding. | Low as a direct reporting tool. High as a technical benchmark for management. |
| ISO/IEC 42001 | Medium. Process-oriented and familiar. | Medium. Demonstrates good practice but not specific to AU law. | High. The 'management system' approach aligns well with board oversight duties. |
| AU Safety Standard | Low. Principles-based. | High. Directly reflects local expectations. | High. Essential for demonstrating good corporate citizenship and alignment with Australian norms. |
Bridging the Governance Gap
The central challenge for boards is that most advisory services focus on implementation rather than oversight. The market is saturated with firms that will help you build or buy AI, but very few are structured to help you govern it. This creates a critical governance gap. Effective tech consulting for Australian boards must be exclusively focused on bridging this gap.
The goal is to move beyond superficial compliance to build genuine strategic resilience. This requires a framework that is not just a document but a dynamic tool for oversight, enabling the board to probe, question, and direct with confidence.
Implementing Defensible Oversight: The AI Governance Board Review
A framework is only effective if it is implemented and tested. I advocate a clear, four-step process for boards to establish and maintain defensible oversight of artificial intelligence. This process is designed to be led by the board, not delegated to management, ensuring that accountability remains at the highest level of the organisation.
- Establish a clear Accountability Matrix. The first step is to map every material AI system in the organisation. For each system, the board must ensure there is a named individual who is accountable for its performance, its risks, and its outcomes. This matrix must be reviewed and attested by the executive team at least quarterly.
- Conduct an independent AI Governance Board Review. The board cannot rely solely on management’s self-assessment. An independent, conflict-free review of the organisation's AI governance posture is essential. This AI Governance Board Review should assess the existing framework against legal duties, professional standards, and best practices, providing the board with an unvarnished view of its readiness.
- Define “Board-Ready” reporting metrics. The board must insist on reporting that bypasses technical jargon. Metrics should focus on governance outcomes. Examples include: the number of high-risk AI models with an assigned executive owner, the time taken to conduct bias audits, and the results of model validation tests, all presented in a simple, clear format.
- Schedule facilitated incident simulations. The only way to know if a plan works is to test it under pressure. The board should participate in facilitated simulations of AI-related incidents, such as a data breach caused by a faulty algorithm or a public outcry over a biased decision. This tests the executive team’s response and the board’s own crisis-management protocols.
The Role of Independent Advisory
The need for independence cannot be overstated. Internal IT and data science teams have an inherent conflict of interest. They are responsible for building and operating the AI systems, and therefore cannot provide the objective, impartial verification a board requires to fulfil its oversight duties. Their perspective is valuable, but it is not independent.
A truly independent advisor has no financial interest in the technologies being assessed. They do not sell software, they do not have implementation partnerships with vendors, and their sole function is to provide the board with an unconflicted, evidence-based assessment. This independence is the cornerstone of defensible oversight.
Reputational Protection for Directors
Ultimately, a structured framework is about protection. It protects the organisation from operational and financial harm. Critically, it also protects the personal reputation of each director. In the event of an AI-related failure, regulators and stakeholders will ask what the board did to prevent it. Being able to produce board minutes, independent reviews, and a clear accountability matrix demonstrating a rigorous and proactive approach to governance is the most powerful defence available. This structured approach is essential for all senior leaders, but especially for directors serving on multiple boards.
Frequently Asked Questions
What is the most important AI risk for an Australian director to manage?
The most important risk is the failure of governance. Technical failures like model inaccuracies or security flaws are symptoms. The root cause that exposes a director to liability is the absence of a structured, defensible framework for overseeing the technology and holding management accountable.
How does the Corporations Act 2001 apply to AI failures?
Section 180 requires directors to act with due care and diligence. An AI failure that causes material harm to the company (financial, reputational, or legal) could be seen as evidence that the board did not exercise sufficient oversight. If the board cannot demonstrate it had a reasonable framework for managing AI risk, it may be found in breach of its duties.
Can a board delegate AI risk management to the IT department?
No. A board can delegate the execution of tasks, but it cannot delegate its ultimate responsibility for oversight and accountability. The board must retain control, set the risk appetite, and independently verify that management's controls are effective. Relying solely on the IT department is an abdication of this non-delegable duty.
How often should a board review its AI governance framework?
The framework should be formally reviewed at least annually. However, the reporting from the framework, including the accountability matrix and key risk metrics, should be a standing item on the agenda of the relevant board committee (such as Risk or Audit) for every meeting.
If this is a conversation you would like to have, I am available.
We can begin with an AI Governance Board Review.
aradvice.com.au/contact.html
