NED Brief · Companion to The White-Collar Horse

AI and the board's fiduciary view

A one-page brief for a non-executive director. A plain-English risk matrix, six questions worth tabling at the next board meeting, and a minutes-ready paragraph for the risk committee. Designed to be read in five minutes between dinner and the next board dial-in.

AI is now embedded inside most of the executive systems that the board oversees. It is shaping commercial decisions, customer experience, and workforce judgement. For a non-executive director, the question is not whether the executive team is using AI well. It is whether the board has the visibility, the documentation, and the questions in hand to discharge its duties as the use of AI scales.

Key terms

Fiduciary duty regarding AI: The board's responsibility to ensure visibility, documentation and challenge of AI use across the organisation. The duty applies whether or not the executive team has formalised an AI strategy.

EU AI Act literacy obligation: The requirement under Article 4 of the EU AI Act, live since 2 February 2025, for organisations to ensure adequate AI literacy among staff and management dealing with AI systems.

Risk classification: The categorisation of an AI deployment under the EU AI Act risk hierarchy: unacceptable, high, limited or minimal. The classification determines documentation, oversight and reporting obligations.

Reversal authority: The named individual or body with the standing to suspend, redesign or shut down an AI deployment that underperforms or drifts. A core test of governance maturity.

Minutes-ready paragraph: A short, defensible board-level statement of position on AI risk, written so the chair or company secretary can lift it directly into the formal record without further drafting.

1. The position in three lines

The risk is not absence of AI. It is absence of governance over AI that has already arrived. Inside most enterprises, AI sits across multiple functions, purchased separately, configured locally, and owned nowhere with a full view of consequence. The EU AI Act has already begun to reframe AI as a managed system rather than a clever tool, with literacy obligations live since 2 February 2025 and the wider high-risk regime arriving in stages.

The board is one of the few bodies in the organisation with the standing to ask the diagnostic questions before the system answers for it.

2. The plain-English risk matrix

Three lenses, each with a worst-case the board should be prepared to discuss.

| Lens | Where it lands | Worst case |
| --- | --- | --- |
| Regulatory | EU AI Act risk classification, AI literacy obligations, documentation of high-risk systems, advance awareness in workplace deployments. | A high-risk AI system identified post-deployment, with documentation reconstructed retrospectively, in front of a regulator who has already asked. |
| Reputational | Decisions made by AI that affect customers, candidates, or employees, with no clear human owner and no defensible rationale on the day they are challenged. | A material decision attributed to AI that the executive cannot explain, surfacing in a press cycle or customer escalation before it surfaces in a board paper. |
| Commercial | Value-drift in the revenue engine. AI shaping lead scores, forecasts, pricing, and customer prioritisation in ways that drift from the strategy the board signed off. | A materially different commercial trajectory from the one approved at strategy day, accompanied by dashboards that look healthier than the underlying numbers. |

3. Six questions to table at the next board meeting

None of these questions are hostile. They protect the executive team and the board.

  1. Where in our business is AI currently making, or materially shaping, decisions, and which of those systems are classified high-risk under the EU AI Act?
  2. For each system on that list, who is the named human owner with authority to pause, retrain, or withdraw it, and is that authority documented?
  3. What is our policy on AI usage at work, when was it last reviewed, and how do we know our employees are operating within it?
  4. How do we record and demonstrate meaningful human oversight, particularly for systems that influence customer, employee, or pricing decisions?
  5. How is the executive team monitoring value-drift, the slow change in what AI-mediated workflows are optimising for, against the strategy this board approved?
  6. If we needed to assert, on demand, that we are operating within EU AI Act obligations, what evidence could we produce in 48 hours?

4. Minutes-ready paragraph for the risk committee

If the board chooses to record its position, the following paragraph is drafted to be transferred directly into the risk committee section of the next set of minutes.

Suggested minute

The committee noted the increasing use of AI across operational and commercial decisions, including but not limited to lead scoring, forecasting, customer prioritisation, hiring, and performance management. It requested management to maintain and present, at the next sitting, a register of AI systems currently in use, their classification under the EU AI Act, the named human owner accountable for each, and the documented evidence of meaningful human oversight. The committee also requested confirmation that the AI literacy obligations applicable since 2 February 2025 are met by all relevant employees, and that a process for monitoring value-drift in commercial decisioning has been agreed and assigned. Management was asked to flag any high-risk AI system for which the documentation, ownership, or oversight is incomplete, and to propose remediation timelines.

Adapt the language to match your committee's existing minute style. The substance (register, classification, ownership, oversight, literacy, drift, remediation) is what carries the discharge of duty.

The conversation this brief is built for

The most fiduciarily exposed AI decisions in the next twelve months will be the ones the board never saw. Most of those decisions will already be inside an approved system, configured by a function the board does not normally interact with, owned by a person the board has not met. The remedy is not more reporting. It is the right reporting, asked for at the right cadence.

Alex Abbott will brief the executive team and prepare the management response. Cumai Aboul Housn carries the technical authority for the board's risk committee and the documentation that supports it.

About the authors

Cumai Aboul Housn

Enterprise Transformation Architect, AI and Digital Innovation

Cumai carries the technical authority for risk and audit committees. He helps boards translate AI use across the organisation into structured, EU AI Act aligned, board-ready oversight.

Alex Abbott

Founder and Chief Revenue Officer, Supero

Alex briefs the executive in advance of board meetings and runs the diagnostic that sits behind each Supero perspective. He works with CEOs, CROs and boards to keep AI decisions documented and defensible.