The Risk Coalition
AI governance: why boards need to look beneath the surface

June 14, 2026

AI governance is beginning to look reassuringly familiar.  That is part of the problem.

Policies are being drafted, committees established and frameworks referenced, sometimes formally adopted.  In many organisations, AI has already entered the risk register.  From a distance, that looks like progress. The recent Risk Coalition Risk Matters roundtable suggested a more nuanced picture.  In the boardroom, there is recognition that something material is changing, but not always a shared view of where it sits, who owns it or how it should shape decisions.  That gap matters.  With AI, the optics of governance can arrive well before the substance.

The comfort of structure and its limits

When something new emerges, the instinct is to create structure.  Frameworks and committees bring order, provide a common language and signal that an issue is being taken seriously.

AI does not behave like traditional technology. It is not static and it rarely stays within neat organisational boundaries.  Models learn and are updated.  AI-enabled features appear inside mainstream tools.  The capability can span processes, functions and suppliers in ways that are not immediately visible. It may be embedded in third-party services, introduced through partners or used informally by employees trying to work more effectively.

At the roundtable, Pauline Norstrom characterised this as an iceberg problem.  Much of what is labelled ‘AI governance’ sits above the waterline, while the more consequential elements remain below it.  The implication is straightforward, if uncomfortable.  It is not that governance is absent.  It is that it is misaligned with where AI actually operates.  Governance that focuses only on what is visible will often miss what matters most.

A widening gap between adoption and control

This challenge is compounded by the pace of adoption.  The case for AI is compelling and boards are understandably focused on productivity gains, better insight and transformation.  In many organisations, governance capability is not keeping pace.

The roundtable highlighted an emerging imbalance.  Technology leaders are under pressure to move quickly and may prioritise speed over detailed validation.  Meanwhile, relatively few organisations have governance arrangements that could be described as mature.  Operating models, controls and assurance mechanisms are not evolving at the same rate as the technology itself.

This is rarely a question of intent.  It is a development mismatch.  AI is entering the organisation faster than it can be fully understood and faster than it can be governed consistently.  In practice, this means organisations are often scaling AI use before they have established how to oversee it.

The visibility problem

Board discussions often move quickly to frameworks, standards and regulation.  These are important, but they are rarely the best starting point.  A more basic question is frequently overlooked: where is AI already influencing our organisation today?  The roundtable was candid on this point.  In many cases, boards cannot answer that question with confidence.  That is not a technical gap.  It is a governance gap.

AI-generated outputs may already be shaping management information, feeding into board papers or informing operational decisions.  They may be used to draft documents or support analysis without being clearly identified as AI-assisted.  This is seldom deliberate.  It is a predictable consequence of how accessible these tools have become.  Alongside this sits the issue of ‘shadow AI’, where employees use AI informally and often without disclosure.  Attempts to prohibit usage rarely eliminate it.  More often, they push it out of sight.

Together, these dynamics create a situation where AI is present and influential, but not fully visible.  Governance then concentrates on what is known, while what is unknown continues to expand.

When confidence outpaces reliability

A second concern is how AI outputs are interpreted and relied upon.  Modern AI systems are highly fluent.  They present information clearly and confidently, often in a way that resembles expert judgement.  That fluency can easily be mistaken for accuracy.  It creates the conditions for confident error.  An AI output should not be relied upon in isolation.

As noted at the roundtable, there are well-documented cases where AI-generated outputs appear credible yet are wrong.  The underlying point is simple.  These systems optimise for plausible responses, not verified truth.  For boards, the implication is clear. AI does not replace judgement.  It increases the need for it.  The organisation remains accountable for its decisions regardless of whether AI informed them.

Moving beyond the IT framing

It is tempting to treat AI as an IT issue. In some organisations it is positioned as a data risk or a technology control problem.  That framing is understandable, but too narrow.

AI is better understood as a decision-shaping capability.  It influences how information is gathered and analysed, how options are presented, and increasingly how actions are taken.  It cuts across existing risk categories rather than sitting neatly within one of them.  That creates a practical challenge.  AI cannot be treated only as a standalone agenda item alongside other governance topics, nor can it simply be absorbed into existing processes unless it is explicitly identified.  The more effective approach is to do both: make AI use visible, and integrate its implications into existing governance processes.  Without that clarity, AI risks being either oversimplified or overlooked.

The role of frameworks and their limits

There is no shortage of guidance.  The OECD principles provide a values-based foundation.  The EU AI Act introduces a structured regulatory approach.  Frameworks such as those from NIST and ISO/IEC 42001 offer practical models for managing AI within organisations.  Each is useful.

Frameworks do not create governance.  They create the conditions in which governance may or may not exist.  They provide structure, but they do not substitute for understanding, ownership or judgement.  There is a risk that boards focus on selecting the right framework or assume that adopting one provides assurance.  In practice, effectiveness depends on how the framework is interpreted, implemented and tested in the organisation’s context.

The board’s task is not to collect frameworks.  It is to translate them into meaningful oversight of how AI is actually used and controlled.

A socio-technical challenge

AI governance is not primarily a technical problem.  It sits at the intersection of technology, human behaviour and organisational culture.  Employees are already using AI tools in ways they believe improve their effectiveness.  That instinct is often rational. Without clear guidance and guardrails, it can also introduce material risk, particularly where use is informal, inconsistent or poorly understood.  Addressing this requires more than policy.

Organisations need a level of AI literacy that enables people to understand both potential and limitations.  They need an environment where AI use can be discussed openly rather than hidden.  They also need to align this with existing governance structures in a way that is practical, proportionate and capable of adaptation as tools evolve.

What boards should focus on

The board’s role is becoming clearer.  It is not to become expert in the technology itself. It is to ensure the organisation can answer the right governance questions and demonstrate those answers in practice.

  • Can we identify where AI is being used, including by suppliers and through embedded features?

  • Do we understand where it is influencing judgement, decisions and management information?

  • Have we defined what acceptable use looks like in our context and trained people accordingly?

  • Can we assure the outputs we rely on, including quality, bias, explainability, provenance and security?

  • Do we have the capability to monitor AI as it changes, including models, data, vendors and use cases?

These are governance questions, and they go to the heart of accountability.


Pauline Norstrom, LLB(Hons), FRSA, FIOD, FBCS is CEO of Anekanta® and a recognised expert on AI governance and EU AI law.  This blog summarises the key insights from a roundtable discussion based on a proprietary presentation delivered by Pauline Norstrom.  The original presentation materials, frameworks and spoken insights are the exclusive intellectual property of Anekanta® Ltd.  Copyright Anekanta® Ltd 2026.  All rights reserved.
