Most boards are asking the wrong questions about artificial intelligence. They are focused on technical capabilities instead of interrogating the governance framework that makes its use defensible.
By 2026, this gap is no longer a strategic oversight. It is a direct challenge to a director’s duty of care and diligence under the Corporations Act 2001. ASIC is examining AI governance closely, and a failure to ask the right questions creates a clear pathway to ‘stepping stones’ liability. AI is not a future problem for Australian boards; it is a present and material governance accountability.
From the Boardroom
I was in a board meeting where management presented a compelling AI programme to automate customer service. The ROI was impressive and the technology was cutting-edge. I asked a simple question: ‘Who owns the data this model is being trained on, and can we prove we have the legal right to use it for this purpose under the Privacy Act 1988?’ The room went silent. The technical team had not considered data provenance as a primary governance risk. They were focused on the outcome, not the legal and ethical inputs. We paused the project until we had a defensible answer. The most powerful questions in the boardroom are rarely about technology. They are about accountability. (global AI regulations)
Director Duties and AI: A Fiduciary Obligation
Artificial intelligence has fundamentally shifted from an item for the innovation sub-committee to a core risk on the full board’s agenda. The speed of its adoption, coupled with the opacity of many models, presents a unique challenge to traditional oversight structures. Your duty to act with care and diligence does not diminish just because the decision-making process involves a complex algorithm.
AI governance is the system of rules, practices, and processes by which an organisation’s use of AI is directed and controlled. It is not management’s job to set the board’s risk appetite for AI; it is the board’s responsibility. This requires moving beyond presentations on technical capabilities and demanding reporting that speaks to liability, ethics, and resilience. Relying on an off-the-shelf AI policy is insufficient. You need a framework that can be defended under regulatory scrutiny. (NIST AI Risk Management Framework)
The Australian Institute of Company Directors (AICD) provides clear guidance on the board’s role in overseeing AI, emphasising strategic alignment and risk management. Similarly, the Australian Computer Society (ACS) has established technical and ethical frameworks that inform professional standards. A board that is unaware of these standards will struggle to demonstrate it has met its obligations.
The cost of passive governance is significant. It manifests in regulatory fines, reputational damage, and the erosion of shareholder value. When an AI system causes harm, regulators will not question the algorithm. They will question the directors who failed to govern it. For a deeper analysis of this responsibility, I have previously written on the core tenets of a .
The 2026 Director’s Checklist: 12 Critical Questions
To move from passive observation to active oversight, directors need a structured way to interrogate the corporate AI strategy. These 12 questions are designed to test the robustness of your governance framework. They are not for the CIO to answer alone; they are for the executive team to answer to the satisfaction of the board. I recommend tabling these questions formally and requesting documented responses in the board papers.
Strategic Alignment and Value
The first set of questions tests whether the AI programme is a genuine strategic asset or a costly distraction. It forces a conversation about durable value creation, moving beyond simplistic metrics that can be easily manipulated. (AI strategy questions for the boardroom)
- What specific, durable competitive advantage does this AI programme build that cannot be replicated by a competitor using the same underlying technology? If the advantage is based solely on a third-party model, it is temporary at best.
- How are we measuring value beyond productivity metrics or headcount reduction, and how does this align with our approved risk appetite? This question links investment to the board’s primary function of setting and overseeing risk tolerance.
- What is the explicit business problem this solves, and what is the documented cost and risk of not solving it? A clear problem statement is the foundation of any defensible business case.
Risk, Ethics, and Accountability
This area represents the greatest source of liability for directors. These questions probe the systems of control and accountability that must surround any deployment of autonomous technology.
- How have we tested for algorithmic bias, and what is the board-approved protocol for human intervention when an error or unintended outcome is detected? A plan to monitor is not enough; you need a documented, tested response protocol.
- Where does the ‘kill switch’ for our autonomous systems reside, and who holds the authority and accountability to use it? This clarifies the line between automated operation and human oversight.
- How does our Directors and Officers (D&O) insurance policy cover liabilities arising from decisions made by non-human agents? Many policies have exclusions for this; the board must have clarity before an incident occurs.
Data Governance and Intellectual Property
AI models are worthless without data. The provenance, rights, and protection of that data are critical governance issues that directly impact corporate value and legal standing.
- What is the precise provenance of the data used to train our models, and can we produce auditable proof of our right to use it? This is a crucial line of defence against breaches of the Privacy Act 1988.
- How are we protecting the intellectual property we create when fine-tuning third-party models with our proprietary corporate data? This question addresses the risk of inadvertently transferring your company’s core IP to a vendor.
- What contractual protections do we have if our AI vendor uses our data to train models that could be used by our competitors? The board must understand the terms of these critical dependencies.
Operational Resilience and Dependency
Over-reliance on a single vendor or technology creates systemic risk. These questions test the organisation's ability to withstand disruption in its AI supply chain.
- What is our contingency plan if our primary AI provider fails, is acquired by a competitor, or materially changes its terms of service? A lack of a Plan B is a failure of risk management.
- How do we identify and govern the use of ‘Shadow AI’ tools being used by employees without corporate approval? Unsanctioned use of AI tools creates significant data security and IP risks.
- What are the single points of failure in our AI technology stack and supply chain, and how have we mitigated them? The board needs to see a clear map of dependencies and the controls around them.
Establishing Defensible AI Accountability
Asking these questions is the first step. The ultimate goal is to establish defensible accountability. This is not the same as confidence in a management presentation. It is the ability to demonstrate to a regulator like ASIC or a court that the board took reasonable, documented steps to understand and govern AI-related risks. It proves that you applied an informed and independent mind to the problem.
Relying solely on management’s dashboards creates a dangerous blind spot. These reports are often designed to show progress against technical KPIs, not to expose governance weaknesses or risk threshold breaches. Effective AI governance reporting for boards must translate technical complexity into the language of business risk.
To bridge the gap between the board and the technical teams, many boards engage independent advisors. An external perspective, free from internal politics and operational bias, can provide the unvarnished truth about the maturity of your AI governance and help structure board-level reporting that is fit for purpose.
The 2026 Director’s Action Plan
If management cannot provide satisfactory answers to the questions in this checklist, the board must act. A failure to follow up on identified weaknesses could be seen as a breach of your duty of care. Consider the following steps:
- Formally table the questions. Ensure they are recorded in the minutes of a board or committee meeting.
- Request a formal response. Ask management to provide documented answers in the next set of board papers, citing evidence for their assertions.
- Commission an independent review. If significant gaps are apparent, the most defensible action is to seek an external assessment of your AI governance framework.
- Conduct a simulation. A facilitated AI incident simulation is an effective tool to test the board’s response capabilities in a crisis, exposing weaknesses in a controlled environment.
The objective is not to become a technical expert. It is to ensure a robust governance structure is in place. That is the non-delegable duty of the board.
Contact me to discuss how we can establish defensible oversight for your organisation.
AI Governance Board Review
https://aradvice.com.au/contact.html
