Most boards are asking the wrong questions about generative AI. They focus on technical demonstrations and productivity gains. The real question is one of liability.
By 2026, Australian regulators will expect boards to have moved beyond curiosity. They will demand a defensible governance framework for AI that stands up to legal scrutiny. This is not a technology challenge. It is a fundamental test of a director’s duty of care and diligence under the Corporations Act 2001. Relying on management’s assurance that "we are being responsible" will not be enough when an AI-driven decision causes material harm. The responsibility for oversight rests squarely with the board.
The Director’s Dilemma: Why Generative AI Oversight is a Fiduciary Duty
Generative AI is not merely another IT project. Its capacity to create novel content, make autonomous decisions, and interact with sensitive data places it in a unique risk category. For a director, this technology directly intersects with the duty of care and diligence enshrined in Section 180 of the Corporations Act 2001. Wilful blindness or a failure to ask probing questions is no longer a viable defence. The expectation is that directors apply an appropriate level of scrutiny to the risks and opportunities AI presents.
Many boardrooms are still in the 'AI Curiosity' phase. Management presents impressive demonstrations of what the technology can do. This is interesting, but it is not governance. A demonstration shows capability. It does not reveal the underlying data sources, the jurisdictional risks of the models used, or the accountability framework for when the AI makes a mistake. Moving from a passive observer to an active governor is the critical step every Australian board must take.
One of the most immediate threats is 'Shadow AI'. This refers to the unauthorised and ungoverned use of public generative AI tools by employees. Staff using these platforms for work may be feeding sensitive corporate IP, customer data, and strategic plans into third-party models with opaque data retention policies. This creates an enormous, unmanaged risk profile that the board is ultimately accountable for, yet often has zero visibility of.
Aligning with AICD and ACS Standards
A defensible position on AI governance must be grounded in established Australian standards. The Australian Institute of Company Directors (AICD) and the Australian Computer Society (ACS) have jointly published guiding principles for AI governance. These are not technical guidelines. They are board-level principles that should be formally integrated into your board charter and risk management framework.
These principles provide a clear structure for board-level conversations. They compel directors to consider data governance, accountability, and the ethical implications of AI deployment. Critically, they advocate for integrating AI risk into your existing Risk Management Framework (RMF). AI should not be treated as a separate, siloed issue for the IT committee. It is a strategic risk that affects finance, operations, reputation, and legal compliance. It must be governed as such.
Identifying High-Stakes AI Risks
The board's focus should be on the most severe and plausible risks. First among these is data sovereignty and privacy. When your organisation uses a third-party generative AI model, you must ask: where is our data being processed and stored? If the answer is unclear, or if it involves jurisdictions outside Australia, you may be creating significant privacy and IP risks.
The second major risk is algorithmic bias and the resulting reputational fallout. If an AI model used for hiring, credit assessment, or customer service exhibits bias, the board is responsible for the ethical and legal consequences. This requires proactive oversight of how models are trained and tested for fairness. In the context of Australian law, defensible oversight means you have established and can prove a reasonable and prudent system for governing these risks, even if an incident still occurs.
From the Boardroom
I was recently with the board of a prominent financial services company. The executive team presented a compelling case for deploying a new generative AI-powered chatbot to handle customer insurance queries. The pitch was slick, focusing entirely on cost savings and improved customer response times. The board was impressed.
I asked the CIO two questions. First, what specific large language model is this built on? Second, can you guarantee that no personally identifiable information from our customers will be used to train that third-party model in the future? The room went quiet. The CIO could not answer the first question with certainty, and he admitted he had not received contractual assurance on the second. The board had been minutes away from approving a tool that would have outsourced its customer data to an unknown entity with unknown data usage policies. It was a stark reminder that the most important questions are rarely about the technology’s features. They are about risk, liability, and control.
Establishing a Defensible Framework for Board Oversight
A defensible framework is not a technical document. It is an architecture of accountability. It must be built on four pillars: Strategy, Ethics, Risk, and Accountability. The board must own this framework. It cannot be delegated entirely to management.
The starting point is to set a clear 'AI Risk Appetite'. This is a strategic decision for the full board. You must define where the organisation will be a pioneer, a fast follower, or where it will deliberately abstain from using AI due to unacceptable risks. This appetite statement becomes the guiding document for all AI initiatives, empowering management to act within clear boundaries and providing the board with a clear benchmark for oversight.
Effective board oversight of generative AI risks also requires a new form of reporting. Technical dashboards showing model accuracy or processing speeds are insufficient. The board needs governance-focused insights. Reporting should answer questions like: How have we tested this model for bias? What is our response plan if this AI generates harmful advice? Who is the single individual accountable for the outputs of this system? This is the crucial shift required for true governance that moves beyond technical metrics.
Finally, a board cannot rely solely on internal management reporting. This creates an inherent visibility gap and a potential conflict of interest. Management teams are incentivised to present progress and success. Independent, external advice is essential to provide the unvarnished truth about the organisation's AI readiness and expose gaps that internal teams may have missed.
Translating Technical Metrics to Governance Realities
To bridge the gap between management and the board, directors must ask questions that expose uncomfortable truths. Do not ask "Is the AI working?" Ask "If this AI causes a major privacy breach, who is the accountable executive and have they accepted that accountability in writing?" Do not ask "What are the efficiency gains?" Ask "Show me the evidence that our use of this AI complies with the AICD’s ethical principles."
Board-ready reporting translates technical complexity into strategic impact. It should be a concise, standing item on the board agenda. The report must clearly map AI initiatives to the board-approved risk appetite. It must also detail any incidents, near misses, or ethical dilemmas that have arisen, and how management has responded. This creates a documented history of diligent oversight.
Ethical AI and Institutional Accountability
An ethical AI framework is not an abstract ideal. It is a practical risk management tool. It requires establishing clear lines of accountability for every AI system in use. Fiduciary responsibility cannot be delegated to an algorithm. The 'human in the loop' is not just an operational step; it is a legal necessity. There must always be a designated individual who is ultimately responsible for the decisions and outputs of an AI system.
This accountability must be supported by strong whistleblower governance. Employees, particularly those on technical teams, are often the first to see when an AI system is behaving in unintended or unethical ways. They must have a safe and confidential channel to report these concerns without fear of reprisal. A board that ignores this is wilfully ignoring a critical source of risk intelligence.
From Policy to Proof: Validating AI Governance Readiness
Having a policy on paper is not enough. Regulators and courts are interested in proof of operational readiness. By 2026, the standard of care will require boards to demonstrate that they have actively validated their AI oversight capabilities. This means moving from passive review to active testing.
The most effective way to do this is through facilitated incident simulations. The board and executive team must walk through a realistic, high-stakes crisis scenario involving an AI failure. This could be a data breach caused by a rogue AI, a reputational crisis from a biased algorithm, or a regulatory investigation into an autonomous decision. Practising the response in a controlled environment is the only way to expose weaknesses in your governance framework before a real crisis occurs.
This is where the value of independent, fixed-fee advisory becomes clear. An external expert can design and facilitate these simulations without the conflicts of interest inherent in working with the same vendors who implement your technology. The goal of an independent review is not to sell more technology. It is to provide the board with an objective, defensible assessment of its governance posture.
The Role of Independent AI Governance Reviews
An internal audit can confirm that management’s processes are being followed. It is less effective at challenging whether those processes are adequate in the first place. An independent AI Governance Board Review provides the external validation that regulators, insurers, and stakeholders expect.
This review provides the 'defensible proof' of oversight. It assesses your governance framework against legal duties and industry best practices like the AICD standards. It identifies the critical gaps between what management is reporting and what the board actually needs to know. This independent perspective is crucial for uncovering hidden risks and ensuring the board is not simply marking its own homework.
Simulation and Stress-Testing Oversight
A facilitated incident simulation tests the human element of your governance framework. It answers the hard questions. Does the board receive timely and accurate information during a crisis? Is it clear who has the authority to make critical decisions, such as shutting down a compromised AI system? Can the board effectively manage communications with regulators, customers, and the market under intense pressure?
This process moves a board from a state of 'Paper Compliance' to 'Operational Readiness'. This is the standard that will be applied in 2026. Proving that you have not only a policy, but a tested and refined capability to govern through an AI-driven crisis, is the ultimate expression of a director’s duty of care.
Frequently Asked Questions
What is the board's primary responsibility regarding generative AI?
The board's primary responsibility is to ensure a defensible governance framework is in place. This involves setting the risk appetite, ensuring clear accountability, and challenging management's assertions to satisfy the director's duty of care and diligence under the Corporations Act 2001.
How does AI oversight differ from traditional cyber governance?
Cyber governance focuses on protecting systems from external threats and internal misuse. AI governance adds another layer: accountability for the decisions and outputs created by the systems themselves. It is concerned with ethics, bias, and autonomous actions, which are not central to traditional cyber risk.
What are the specific risks of 'Shadow AI' for Australian directors?
The primary risks are the unauthorised disclosure of corporate intellectual property and sensitive personal information into third-party platforms. This can lead to significant data breaches, loss of competitive advantage, and violations of the Privacy Act, for which the board is ultimately accountable.
Can a board delegate AI oversight to a technical committee?
A committee can handle detailed reviews, but the full board cannot delegate its ultimate fiduciary responsibility. Given AI's strategic impact on finance, reputation, and legal risk, the entire board must maintain active oversight and literacy on the core governance issues.
How can we ensure our AI governance is defensible under Australian law?
Defensibility is achieved by demonstrating a reasonable and prudent process. This includes formally adopting a framework aligned with AICD/ACS standards, documenting board-level risk appetite decisions, demanding governance-focused reporting, and undertaking independent, external validation of your readiness.
What role does the AICD play in setting AI governance standards?
The AICD, in partnership with the ACS, provides a set of guiding principles for boards. These principles are not legally binding but represent the industry-accepted standard of good practice. A court or regulator would likely consider them a benchmark for assessing whether a board has met its duty of care.
If this resonates, I would welcome a conversation.
AI Governance Board Review
aradvice.com.au/contact.html
