Portfolio Chair  ·  Certified NED  ·  IoD Member  ·  Run the free Board Advisory Diagnostic →
Home  /  Knowledge  /  Guide

AI on the board agenda: questions before tools.

By Max Fontana-RevalUpdated June 20267 min read

It stopped being an IT topic the moment it touched risk, cost and customer promises at once. The board-level version, in one read.

AI has reached the point every general technology reaches: it's no longer an IT topic, it's a board topic — because it now touches risk, cost, customer promises and directors' duties all at once. This is the board-level version: the questions to ask before the tools, and a starter policy you can adapt in an afternoon.

Why this is board work, not IT work

Three reasons. Duty: decisions made with AI assistance are still the company's decisions — s172 doesn't have a software exemption. Risk: data leaving the building through unapproved tools is happening in most SMEs today, policy or not. Opportunity cost: the productivity gap between firms that adopted deliberately and those that didn't is becoming visible in margins. The board doesn't need to choose models; it needs to ensure someone has, deliberately.

The seven questions directors should ask

  • Where are we already exposed? Which teams use AI tools today — approved or shadow — and with what data?
  • What data can and can't leave? Customer data, commercial terms, IP: classified, with rules people can actually follow.
  • Which decisions get human review? Anything touching customers, money, or people keeps a named human accountable.
  • Who are our vendors, really? Where does the data go, who trains on it, what does the contract actually say?
  • Where's the opportunity, sized honestly? The two or three workflows where this genuinely moves cost or speed — piloted with success measures, not vibes.
  • Do we have the skills, and who owns this? One named senior owner; board-level literacy enough to challenge them.
  • What's coming at us in regulation? Sector rules, customer requirements, insurance questions — on the horizon scan, reviewed twice a year.

A starter policy outline

1 · Scope: what counts as AI use, who this covers.
2 · Approved tools: the current list, who approves additions.
3 · Data rules: what may never be entered; what's fine.
4 · Human accountability: the decisions that always carry a named reviewer.
5 · Customer transparency: when and how AI use is disclosed.
6 · Incidents: the route when something goes wrong, same as any breach.
7 · Review: owner, and a six-monthly refresh — this field doesn't sit still.

One page beats forty: a policy nobody reads is shadow AI with extra steps.

The two failure modes

Pilot theatre — a year of demos, nothing in production, "we're exploring AI" on the website. And prohibition theatre — a ban that simply moves usage onto personal phones, beyond visibility. Both are governance failures wearing strategy costumes. The fix for both is the same: put it on the standing agenda (the risk & horizon slot exists for exactly this) and give it an owner.

If the board wants structured help — exposure review, policy, the honest opportunity map — that's the AI & Digital Advisory engagement: practitioner-led, vendor-neutral, and built for boards rather than developers. Not sure AI is the priority? The Board Diagnostic weighs it against everything else on your plate.

Max Fontana-Reval
Written by

Max Fontana-Reval — Portfolio Chair & Certified NED; NE Chair, MW Equipment; Advisory Chair, Unsigned Research; Member IoD · NEDonBoard · BCS. About Max  ·  LinkedIn

Quick answers

Asked often.

Does an SME really need an AI policy?
If anyone in the business uses AI tools — and someone does, approved or not — then yes, because the alternative is shadow usage with company data and no rules. One readable page beats a forty-page document nobody opens.
Who should own AI at board level?
One named senior owner accountable for exposure, policy and the opportunity pipeline, with the board reviewing twice a year as part of risk and horizon. A committee is rarely needed at SME scale; an owner always is.
Should the board ban AI tools until it's safer?
Bans usually relocate usage to personal devices, beyond visibility — prohibition theatre. The governed route is an approved-tools list, clear data rules and named human review on consequential decisions, refreshed every six months.

Start with the diagnostic — or a conversation.

Five questions if you want structure. One email if you'd rather talk. Either way, a straight answer about what your board needs.

Run the Board Diagnostic Book an intro call