There is a pattern I have observed in boardrooms for thirty years. A board receives a briefing. The briefing is thorough, professionally prepared, and delivered with confidence. The board asks a few questions. The questions are answered. The board moves on. And everyone in the room believes that governance has just occurred.
It has not. What occurred was the receipt of information. Governance requires something more: the independent exercise of judgment about what the information means, what it does not prove, and what the board must own as a result of knowing it. These are different activities. One is passive. One is active. Most boards have spent the last three years performing the passive version of AI governance and calling it the active one.
The enforcement regimes now converging on enterprise AI are not, at their core, a technology problem. They are a governance problem. The Securities and Exchange Commission is not penalizing companies for bad AI. It is penalizing companies for describing AI that cannot be verified as what they described. The Federal Trade Commission is not penalizing companies for using pricing software. It is penalizing companies for deploying pricing software in a configuration that produces the economic outcome of a cartel: regardless of whether anyone intended it. The EU AI Office is not penalizing companies for building AI systems. It is penalizing companies for being unable to demonstrate, with documented evidence, that their AI systems meet the published technical standards that have been available for review for two years.
In every case, the gap between the briefing and the governance is the exposure.
I have seen this gap in organizations that were otherwise well-governed. The audit committee that received a quarterly report on AI investment and nodded. The N&G committee that discussed AI board literacy at the director education session and checked the box. The general counsel who reviewed the 10-K language about proprietary AI capabilities and did not ask who the third-party API provider was. These are not failures of intelligence or competence. They are failures of the specific governance discipline that AI now requires: the insistence on evidence rather than assurance, documentation rather than description, and accountability rather than activity.
The Declarative Board Failure Pattern describes what I have observed consistently in organizations under governance stress: boards that interact primarily with each other and with management at structured intervals, hand down directives about desired outcomes, and remain genuinely insulated from the specific conditions that will produce or prevent those outcomes. In AI governance, this pattern takes the form of a board that has declared governance expectations, through a policy, a committee formation, an agenda item, without building the architecture that makes those expectations verifiable.
A governance expectation without a verification architecture is not governance. It is a declaration. And declarations do not protect directors when the failure arrives.
The specific failures I see boards carrying into this enforcement environment:
They have approved AI disclosure language in SEC filings without requiring management to produce the supply chain map that the disclosure describes. They have approved revenue management systems without asking whether those systems use shared competitor pricing data from third-party providers. They have discussed AI board literacy as a development goal without defining what technical AI literacy means operationally and requiring that directors who claim it can demonstrate it.
None of these is a failure of malice. All of them are failures of the governance discipline that treats AI oversight as a technical question rather than a governance question. The supply chain map is not a technology document. It is a disclosure document. The algorithmic antitrust question is not a pricing question. It is a fiduciary question. The board composition question is not a recruiting question. It is a governance standard question.
The measure of a board is not whether it received the right briefings. The measure is whether it asked the right questions, required the right documentation, and held management accountable to the right standards: regardless of whether management offered those things voluntarily. Governance is not what management provides. It is what the board requires.
I have watched boards discover this distinction in circumstances that did not allow for a graceful course correction: in the middle of a securities class action, in response to a regulatory inquiry, in the weeks after a disclosure failure that a supply chain map would have prevented. In those moments, the board’s first instinct is to ask why management did not flag the issue. The answer, in most cases, is that management produced what the board required, nothing more and nothing less. The board that does not require the supply chain map does not get the supply chain map. The board that does not establish the algorithmic antitrust policy threshold does not get the antitrust audit. The board that does not define technical AI literacy does not recruit for it.
This is what governance looks like when it is active rather than passive: the board defines what it requires before the risk manifests, documents that it required it, and holds management accountable to the standard it set. That is the Governance Boundary Principle applied to AI: the board governs the risk the technology creates, and management executes within the governance architecture the board has established. Not the other way around.
The boards that build this architecture now, before the SEC comment letter, before the FTC inquiry, before the EU market lockout, will inherit something their successors can operate from. The supply chain map will be in the audit committee’s quarterly review. The antitrust audit will be on the annual governance calendar. The board composition standard will be in the N&G committee’s director qualification matrix. These are not compliance artifacts. They are governance institutions. And governance institutions compound in value across every regulatory cycle that follows the one that created them.
The board that understands this is not the board that is most frightened of the current enforcement moment. It is the board that is building something that outlasts it.
Touch Stone Publishers has developed a complete body of research on the Algorithmic Duty of Care, including functional white papers for every C-suite role and a full implementation roadmap, in the Algorithmic Duty of Care Executive Leadership Playbook, published at the Algorithmic Duty of Care research hub.
Glenn E. Daniels II | Touch Stone Publishers Limited