I have spent more than thirty years watching boards govern.
Not every board I have observed governed well. Some governed in the true sense: they built architecture, received information, asked substantive questions, and held management to account through documented processes. Others declared. They issued policy statements, approved values documents, and considered the governance obligation addressed.
I can tell you which ones produced defensible organizations and which ones did not.
The boards that declared produced elegant documentation of their own failure. The boards that built produced organizations capable of surviving the tests that arrived.
The Pattern I Keep Seeing
There is a pattern that appears in board governance failures across industries, across sectors, across decades. It is so consistent that I have come to think of it as structural rather than situational.
The board is informed that a material risk exists. The risk is acknowledged. A policy is drafted. The policy states the organization’s commitment to managing the risk appropriately. The policy is approved. The board considers the matter addressed.
Nothing is built beneath the policy. No committee is chartered with explicit accountability. No management reporting structure is established. No officer is designated with a documented accountability contract. The policy floats above the organization with no architecture underneath it to make it real.
Then the risk event arrives.
In discovery, the plaintiff’s team asks for documentation of the board’s oversight architecture. The policy is produced. The policy is examined. The policy states a commitment. The policy does not describe an architecture. The board, it turns out, declared its way into the risk rather than governing its way through it.
I have seen this pattern in cyber risk governance. I have seen it in environmental risk governance. I have seen it in human capital governance. Each time, the same structure: declaration without architecture, commitment without documentation, oversight in name and not in practice.
AI Governance Is the Same Pattern, Arriving at a Different Speed
What I am watching now in AI governance is the same pattern. Boards are aware that AI deployment creates material risk. Responsible AI commitments appear in proxy statements, annual reports, and CEO letters to shareholders. The governance frameworks that would make those commitments real: committee charters, officer accountability contracts, quarterly reporting architectures, pre-deployment impact assessment processes: are absent in 64% of boards surveyed by NACD in 2025.
The declaration exists. The architecture does not.
What concerns me most is not that boards are unaware of the risk. Most boards I speak with are aware. What concerns me is the speed at which the risk is compressing. The Caremark derivative action for AI governance failure is not ten years away. The Oxford Law Blogs analysis from March 2026 estimates an 18-month horizon. The Q3 2026 proxy season arrives before that horizon. The SEC Investor Advisory Committee voted in December 2025 to advance AI disclosure guidance.
The timeline for building the governance architecture before the governance question is asked is shorter than most boards currently believe.
What the Board That Built Looks Like
I have also watched boards that built. They share a common characteristic that has nothing to do with governance technology or regulatory sophistication.
The board that builds starts with a question rather than a declaration. Instead of “what should our AI policy say,” the question is “if our AI systems produced an adverse outcome tomorrow, what would we produce to prove we governed them?”
That question demands architecture as its answer. It cannot be answered with a policy statement. It requires a chartered committee, a documented reporting structure, executed accountability contracts with the officers responsible for AI deployment, and a record of substantive engagement with the quarterly information the reporting structure produces.
The boards I have watched build governance architecture in response to that question produced organizations that were defensible when the test arrived. Not because they prevented every adverse outcome: no governance architecture does that. But because they could demonstrate, from documentation, that they had taken the obligation seriously before the event, not after.
That is the difference between governance and declaration. Declaration says what the board believes. Governance proves it.
The Accountability Contract the Board Owes Its Officers
There is a dimension of AI governance that is often missed when boards think about the obligation in board-centric terms.
The McDonald’s Corp. derivative litigation in 2023 extended Caremark oversight duties to officers within their delegated domains. Every CFO, COO, CHRO, CRO, and CIO who oversees AI systems in their functional domain carries personal fiduciary exposure under the extended doctrine.
A board that delegates AI governance to management without documenting what was delegated: without specifying the domain, the red flags, the authority, and the escalation protocol in writing: has exposed its officers to personal liability without giving them the structural clarity to discharge the obligation they have been handed.
The Accountability Contract Model applies here with particular force. Accountability is not a value. It is a conversation. It requires the board to be specific about what was assigned, what authority was granted, what success looks like, and what the escalation protocol is. When boards skip that conversation and hold officers accountable for governance outcomes that were never precisely specified, they have created the conditions for the failure they will later cite.
The board that wants to govern AI well starts by being precise about what it is asking of its officers. Not a general expectation that management will “handle AI governance.” A documented accountability contract with each officer who has AI deployment in their domain.
The Question I Would Ask Every Board Chair
If I were sitting across the table from a board chair today, I would ask one question.
If your organization’s AI systems produced a material adverse outcome tonight, and plaintiff’s counsel filed a derivative action tomorrow morning, what document would you hand to your litigation team to prove the board discharged its oversight obligation?
If the answer is a policy statement, the board has declared.
If the answer is a committee charter with an AI oversight mandate, a quarterly AI governance report reviewed by the designated committee, executed officer accountability contracts for each C-suite domain, and a pre-deployment impact assessment for each AI system in a consequential decision domain: the board has built.
The boards I have watched over thirty years that governed best were the ones that knew, at every moment, which category they were in.
The Legacy Test
The measure of a board is not whether its governance architecture worked while the board that built it was seated. The measure is whether the organization it governed produced institutions strong enough to survive the board’s departure: and to benefit from the architecture that board built.
The board that constructs documented AI oversight architecture before the first Caremark challenge is not only protecting itself. It is building something the next board, the next CEO, the next generation of officers will benefit from. That is what governance architecture looks like when it is built from conviction rather than crisis.
The board that declares has, at best, a record of what it believed. The board that builds has a record of what it did.
Glenn E. Daniels II is the founder of Touch Stone Publishers Limited. The AI Fiduciary Gap: What Every Board Must Document Before June 30 is a Touch Stone Publishers Executive Leadership Playbook. Learn more at touchstonepublishers.com/ai-fiduciary-gap/.