Why AI Governance Is Not an IT Problem

Sonia Kentaro

Every conversation about AI governance eventually reaches the same organisational question: who owns this?

In most organisations, AI has been treated as a technology matter. IT teams evaluate tools, engineering teams build systems, and the compliance function is consulted when someone remembers to loop them in. The result is a governance gap that sits between functions rather than within any one of them.

The EU AI Act, NIST AI RMF, and ISO 42001 all share a common architectural insight: AI governance is not a technology problem. It is a risk management problem, an accountability problem, and increasingly a legal problem. And those problems sit at the board level.

Where the accountability gap lives

Most organisations that have deployed AI systems cannot answer three basic questions with confidence: which of our AI systems could be classified as high-risk under the EU AI Act, who is accountable when an AI system produces a harmful output, and how would we demonstrate to a regulator that our AI governance programme is operating as designed?

The inability to answer these questions is not primarily a technology failure. It is a governance failure. The technology teams know what the systems do. What is missing is the organisational infrastructure — policies, roles, escalation procedures, monitoring mechanisms — that converts technical capability into accountable, documented governance.

That infrastructure is a board-level responsibility. Not because board members need to understand transformer architectures or fine-tuning processes, but because the risks associated with AI — regulatory exposure, reputational damage, operational failure, harm to customers or employees — are material risks that belong on the board's risk register.

What board-level AI governance actually looks like

Effective board oversight of AI does not require technical depth. It requires the same things that effective board oversight of any material risk requires: a clear framework, assigned accountability, regular reporting, and confidence that management is applying appropriate controls.

In practice, this means the board needs to know which AI systems the organisation operates and how they are classified for regulatory purposes. There should be a named individual with explicit accountability for AI governance outcomes. AI risk should appear as a standing item in risk committee reporting, with metrics that are meaningful rather than merely reassuring.

The organisations that are getting this right have stopped treating AI governance as a project and started treating it as a permanent operational discipline — like financial controls or data protection.

The NIST AI RMF's contribution to this framing

The NIST AI Risk Management Framework explicitly positions AI risk management as an organisational function that must be integrated into existing enterprise risk management processes, not siloed in a separate AI team. Its GOVERN function — the first of the four core functions — covers establishing policies, processes, accountability, and a culture of responsible AI development and deployment.

GOVERN comes before MAP, MEASURE, and MANAGE. The framework's sequencing is deliberate: without the organisational infrastructure of governance, the technical work of mapping, measuring, and managing AI risks cannot be sustained.

The commercial dimension

There is a growing commercial reason for boards to take AI governance seriously beyond regulatory compliance. Enterprise clients, regulated-sector buyers, and sophisticated investors are beginning to require evidence of AI governance as a condition of doing business. Due diligence questionnaires increasingly include AI risk and governance sections. Procurement processes are adding AI governance requirements alongside existing information security and data protection requirements.

An organisation that can demonstrate a structured, board-owned AI governance programme is increasingly better positioned in competitive situations than one that cannot. Governance is not only a risk management tool — it is becoming a commercial signal.

A practical starting point

For boards and senior leadership teams that want to move from awareness to action, the starting point is an honest assessment of the current state: what AI systems does the organisation operate, are they classified appropriately under applicable regulatory frameworks, who is currently accountable for AI governance outcomes, and what monitoring is in place?

That assessment — structured, documented, and reviewed at board level — is the foundation. Everything else builds from it. Book a discovery call to discuss how to build governance that holds up at board level.

About author

Sonia is a technology risk and AI governance leader with 12+ years of international consulting experience across PwC, EY, and KPMG, spanning London, East Africa, and the Middle East. She has led complex IT audit, controls testing, and data analytics engagements for major regulated institutions including Lloyds Banking Group, Prudential PLC, Shell, RELX Group, McDonald's, and Tesco. She founded VeridianTech Co. to make enterprise-quality AI governance accessible to mid-market organisations — the companies that need it most and have historically been priced out of it.

Sonia Kentaro

Founder & Principal AI Governance Advisor
