Artificial intelligence has moved from corporate experiment to enterprise infrastructure. For boards of directors, that transition carries legal, fiduciary, and reputational obligations that require structured oversight. The EU AI Act reaches full applicability on August 2, 2026. SEC guidance is expected on AI-related disclosure standards. NIST released an AI RMF Profile for Critical Infrastructure on April 7, 2026. The oversight framework boards need is no longer aspirational. It is required.
This checklist gives directors eight concrete actions to verify, question, and track. Each item corresponds to a documented governance gap identified in recent enforcement trends, regulatory guidance, and independent board assessments.
1. Confirm a Named Executive Is Accountable for AI Governance
Accountability diffused across a committee or function produces no accountability at all. The board should be able to name one senior executive, a Chief AI Officer, Chief Risk Officer, or General Counsel, whose role includes explicit AI governance responsibility and whose performance evaluation reflects that accountability. KPMG and INSEAD’s April 2026 Global AI Board Governance Principles identify individual executive ownership as the first structural requirement for effective AI oversight.
2. Obtain a Current AI Systems Inventory
Before any governance framework applies, the board must know what it is governing. Management should deliver a current inventory of all AI systems in production: which systems have access to customer or employee data, which are considered high-risk under the EU AI Act classification, and which are operated by third-party vendors on behalf of the company. A board that cannot answer these questions is operating without visibility into a class of material risk.
3. Verify Alignment with NIST AI RMF Govern Function
The NIST AI Risk Management Framework’s GOVERN function requires documented AI roles, explicit risk tolerance thresholds, and clear accountability lines for decisions made by or about AI systems. Sector regulators including the CFPB, FDA, SEC, and FTC are referencing NIST AI RMF principles in their supervisory expectations. Directors should ask management to confirm that internal AI governance policies map to the GOVERN function and that accountable roles are assigned, documented, and reviewed annually.
4. Confirm EU AI Act Compliance Status for High-Risk Systems
The EU AI Act becomes fully applicable on August 2, 2026. High-risk AI systems in categories including employment screening, credit assessment, critical infrastructure operations, and law enforcement must meet conformity assessment, registration, and transparency requirements before that date. Boards with European operations or data subjects should require a written compliance status report for every high-risk system the company operates or deploys through a vendor, along with a timeline for any systems not yet in compliance.
5. Review AI Risk as a Standing Agenda Item
AI risk that appears on the board agenda only when a crisis emerges is not governed, it is reacted to. The board should establish a standing AI risk agenda item with defined metrics that management reports against at each meeting. Those metrics should include the number of AI incidents flagged and resolved in the reporting period, the status of compliance timelines, and any material changes to the company’s AI system inventory. Harvard Law School’s 2026 Governance Priorities research identifies standing AI risk reporting as a governance minimum for boards in regulated industries.
6. Assess Director AI Literacy
Boards cannot ask effective questions about AI risk if directors lack foundational AI literacy. The board’s skills matrix should include AI governance competency as a required field, and nominating committees should incorporate AI fluency into director recruitment criteria. Directors who have not completed formal AI governance education in the past twelve months represent a structural gap. The board should budget for annual director education on AI risk, regulation, and oversight methods as a recurring governance investment.
7. Commission an Independent AI Governance Assessment
Management self-assessments of AI governance carry the same limitations as any self-assessment: they are incomplete by design. Boards operating at governance best practice commission periodic independent reviews of their AI oversight structures, separate from management reporting and internal audit. WilmerHale’s 2026 Board AI Governance Priorities guidance recommends independent assessment as a prerequisite for boards seeking to demonstrate meaningful oversight in regulatory inquiries or litigation. The assessment should cover AI inventory completeness, policy alignment with NIST AI RMF, vendor oversight standards, and incident response procedures.
8. Establish Vendor AI Oversight Standards
Most enterprise AI deployments involve third-party vendors rather than internally built systems. That does not reduce board exposure. The board should require that management establish and enforce minimum standards for every AI vendor relationship. Those standards should address transparency in data handling and model updates, auditability through logs of prompts and outputs, security controls covering identity and data segregation, and governance support features that allow the company to set usage boundaries and approval workflows. Vendor oversight should be reviewed as part of the annual AI governance assessment and reported to the board.
Implementation Guidance
This checklist is a starting point, not a comprehensive governance program. Boards should work with legal counsel, risk advisors, and management to adapt these eight points to the company’s specific AI footprint, regulatory environment, and industry sector. The checklist should be reviewed against emerging regulatory guidance on a quarterly basis and updated as new frameworks take effect through 2027.
Directors who can answer these eight questions with documented evidence are positioned to demonstrate the active oversight regulators and shareholders now expect. Directors who cannot are exposed.