Skip to content
       

Blog

Board AI Oversight Isn't a Technical Job. It's a Duty.

Board AI Oversight Isn't a Technical Job. It's a Duty.

Ask most boards how they are overseeing their company's use of AI and you will get some version of the same answer, delivered a little sheepishly: we are not really technical enough to get into that, so we rely on management. It sounds like humility. It is actually an abdication, and an increasingly dangerous one, because it rests on a misunderstanding of what board oversight has ever required.

Oversight was never about technical fluency. A board does not need to understand how a jet engine works to oversee an airline, or how a clinical trial is designed to oversee a pharmaceutical company. What it needs is to ensure that management has a system for identifying the risk, competent people accountable for managing it, and a way of surfacing problems to the board before they become crises. That is a procedural duty, not a technical one, and it applies to AI exactly as it applies to everything else the board oversees without being expert in. The "we're not technical enough" excuse quietly swaps the real duty, ensuring a system exists, for a fake one, personally understanding the technology, and then declines the fake duty as impossible. The real one was always doable.

Why this is now squarely a board matter

For a while, AI could reasonably be treated as an operational detail, something management experimented with below the board's line of sight. That window has closed, for a simple reason: AI has become a material risk to the enterprise, and material risk is the board's job by definition.

The law is catching up to this quickly and pointedly. Under the Delaware standard that governs director oversight, directors have a duty to make a good-faith effort to put in place a system to monitor known, material risks, and a conscious failure to do so is a breach of duty that is personal to the directors. Legal commentators are now applying that standard directly to AI: when a company deploys AI in ways that create legal, operational, or compliance risk, the board's oversight obligation attaches, and the notable point is that the standard is procedural rather than technical. Directors are not required to understand how a model generates an output. They are required to make a good-faith effort to ensure the company's reliance on that model is designed, validated, and supervised. The opacity of the technology does not excuse the oversight. If anything, it raises the bar, because a risk you cannot fully see is one that demands a better reporting system, not a pass.

Boards are starting to move, which tells you the sophisticated ones no longer see this as optional. The number of S&P 500 companies disclosing that a board committee has explicit AI oversight responsibility more than tripled in 2025. The direction is unmistakable, and a board still sitting it out on grounds of technical modesty is increasingly the exception, in a way that will not read well in hindsight if something goes wrong.

The board's job, and the line it should not cross

The reframe cuts both ways, and the honest version of this argument has to name the opposite failure too. The board's job is not to run AI, design the governance framework, or second-guess management's technical choices. A board that overcorrects, that tries to become the AI department out of anxiety, is making its own mistake, blurring the line between oversight and management and usually doing both badly.

The distinction is the same one that separates a good board from a meddling one on every other topic. Management's job is to build and operate the AI governance: the inventory of where AI is used, the controls, the accountable owners, the testing, the incident response. The board's job is to assure itself that this exists, that it is adequate to the risk, and that management can demonstrate it rather than merely assert it. The board does not write the reporting system. It refuses to accept high-level reassurance in place of one. That is the whole role, and it is neither technical nor passive.

The questions a board can actually ask

Because the duty is procedural, it reduces to questions any capable director can pose without a computer-science background. These are oversight questions, and management's ability or inability to answer them cleanly tells the board most of what it needs to know.

Do we have a complete inventory of where AI is used in this company, including the tools individual teams have adopted on their own? A management team that cannot produce this does not yet have governance, it has hope, and that answer alone is a finding.

For each material use, who is the named person accountable if it goes wrong? "The vendor" and "the system" are not acceptable answers. Accountability that cannot be attached to a person is accountability that does not exist.

Where AI touches something that matters, a reported number, a customer decision, a compliance obligation, how do we know its output is right, and what happens when it is wrong? This is the board asking whether validation and a failure plan exist, without needing to understand the model itself.

What would have to go wrong for this to become a serious problem, and would we hear about it in time? This is the board testing whether the reporting system actually surfaces trouble to the level that is accountable for it, which is the core of the oversight duty.

If management answers these fluently, with evidence, the board has done its job and can take real comfort. If the answers are vague, defensive, or amount to "trust us, it's handled," the board has found exactly what oversight is designed to find, and the discomfort of not being technical is no longer the point. None of those questions required technical expertise to ask, and none of them accept technical complexity as an excuse not to answer.

The duty was always doable

The through-line is simple. AI has not created a new kind of board duty that requires directors to become engineers. It has taken the oversight duty boards already had and pointed it at a risk that is material, fast-moving, and increasingly a matter of personal legal exposure. The technical modesty that boards offer as a reason to stay out is real as modesty and false as an excuse, because the job was never to understand the technology. It was to ensure someone competent does, is accountable for it, and can prove it to you. Directors who grasp that will oversee AI the way they already oversee everything else they are not experts in, capably, by asking the right questions and refusing weak answers. The ones who keep hiding behind "we're not technical enough" are not protecting themselves. They are documenting, in their own board minutes, that they knew the risk was there and chose not to look.

FAQs

Q1. Do directors really need to understand how AI works to oversee it?
No, and this is the central misunderstanding. The oversight duty is procedural: it requires directors to ensure a system exists to identify and manage the risk, not to understand the technology themselves. The same board oversees complex financial, legal, and safety matters without expertise in any of them. AI is no different in what it asks of directors.

Q2. Why has AI oversight become a board-level issue rather than a management one?
Because AI has grown into a material enterprise risk, and material risk is the board's defined responsibility. Legal commentary now applies the established director duty of oversight directly to AI, treating a conscious failure to monitor it as a potential breach of fiduciary duty. Once a risk is material, leaving it entirely to management is itself an oversight failure.

Q3. What is the legal basis for saying boards can be liable here?
The Delaware duty of oversight requires directors to make a good-faith effort to put a monitoring system in place for known, material risks, and that duty is personal to directors. Legal analyses are applying this standard to AI deployment, and the duty of care can be implicated when foreseeable, preventable AI problems occur without adequate governance. The exposure is about the absence of oversight, not about the technology malfunctioning.

Q4. Isn't there a risk of the board overreaching into management's territory?
Yes, and that is the opposite failure to guard against. The board's role is to assure itself that management has adequate governance, not to build or run that governance itself. A board that tries to become the AI department blurs oversight and management and tends to do both poorly. The discipline is to verify, not to operate.

Q5. How should a board structure AI oversight?
There is no single correct structure, and practice varies. Many boards assign it to the audit committee, others to a technology or risk committee, and the right choice depends on how central AI is to the business. What matters more than the specific committee is that oversight is explicitly assigned to someone rather than assumed to be everyone's job, which usually means no one's.

Q6. What is the single most revealing question to ask management?
Ask for a complete inventory of where AI is used across the company, including tools teams adopted independently. A management team that cannot produce it does not yet have governance in place, and that gap is itself an important finding. The quality of that first answer tends to predict the quality of everything downstream.

Q7. We're a smaller company, not a public one. Does this apply to us?
The fiduciary framing is sharpest for public-company boards, but the underlying logic applies broadly. Any board or ownership group overseeing a company that depends on AI carries responsibility for ensuring the risk is managed. The reputational, operational, and financial consequences of ungoverned AI do not require a public listing to hurt you.

Q8. How do we start without turning this into a large program?
Begin by putting the four oversight questions to management and listening carefully to how cleanly they can be answered. That single exercise reveals whether real governance exists or whether the board has been accepting reassurance in its place. From there, the board can require a remediation plan where the answers were weak, rather than launching a sprawling initiative before it knows where the gaps are.