The Board’s 8-Point AI Governance Checklist: A Quick Reference for Directors

AI deployment without board-level governance is now a documented director liability. This Quick Reference Guide gives corporate directors an 8-point checklist to establish substantive AI oversight, satisfy SEC disclosure expectations, and protect against personal fiduciary exposure.

The numbers are striking: 88 percent of organizations are now deploying artificial intelligence in some form, yet only 25 percent have board-level policies governing that deployment. The governance gap is not theoretical. Courts and regulators are beginning to treat AI oversight failures the same way they treated cybersecurity failures a decade ago. Plaintiffs do not need to prove the AI system failed. They need to prove the board failed to govern it.

The SEC’s Investor Advisory Committee has recommended formal AI disclosure guidelines, directing public company boards to define what they mean by “artificial intelligence,” identify which committee or board body holds oversight responsibility, and report separately on the material effects of AI deployment on operations and consumer-facing products. That is a compliance architecture, not a suggestion.

This Quick Reference Guide gives directors a structured eight-point framework to assess, formalize, and document their AI governance posture. Use it in committee, in executive session, or as a baseline against which to test management’s current controls.

1. Assign Formal Oversight Responsibility

The board must designate, in writing, which committee owns AI governance oversight. This is not a shared or implied responsibility. The Audit Committee, Risk Committee, or a dedicated Technology Committee must have AI explicitly written into its charter. Where the charter is silent, AI risk has no structural owner at the board level. According to the NACD’s 2026 Director’s Handbook on Cyber-Risk, more than 62 percent of director respondents now set aside agenda time for full-board AI discussions, a significant increase, but agenda time is not the same as chartered accountability.

2. Require an Enterprise AI Inventory

Directors cannot govern what management has not catalogued. The board should require management to maintain a current inventory of all AI systems in use, covering three categories: AI the organization has built, AI it has purchased, and AI embedded in third-party tools and platforms. The NACD 2026 guidelines specifically flag “Shadow AI,” the unauthorized use of AI tools by employees without organizational approval, as a critical gap. An inventory requirement forces that gap into the open.

3. Establish a Risk Classification Framework

Not all AI carries equal risk. The board should require management to classify each AI system by risk tier, distinguishing between high-risk systems that affect hiring, lending, medical decisions, or public safety and lower-risk systems used for internal efficiency. The EU AI Act has formalized this classification in jurisdictions where it applies, and the framework is worth adopting as a governance standard regardless of geography. Boards with undifferentiated AI risk postures cannot allocate oversight attention appropriately.

4. Mandate Management-Level AI Controls

Board-level governance requires a corresponding management architecture. The board should confirm that the organization has assigned a named executive accountable for AI governance, established written policies for model development and deployment, and created escalation channels for reporting AI anomalies or failures to the board. WilmerHale’s January 2026 analysis of board AI priorities notes that the absence of clear escalation channels represents a structural liability exposure that courts will examine in hindsight.

5. Review AI Disclosures in Public Filings

The Audit Committee must review all AI-related language in proxy statements, 10-K filings, and earnings releases before they go out. “AI washing,” the practice of overstating the organization’s AI capabilities or governance maturity in public communications, is an emerging securities law risk that NACD’s Spring 2026 Directorship magazine identifies as one of the primary board liability vectors for this cycle. The standard is accurate disclosure, not aspirational narrative.

6. Confirm Third-Party AI Governance

The organization’s legal and regulatory exposure does not stop at the boundary of internally developed AI. Boards must confirm that management has extended governance controls to AI embedded in vendor products, SaaS platforms, and outsourced processes. The board should ask management three specific questions: Which material vendors use AI in the services they deliver to us? What contractual protections govern those AI uses? Has legal counsel reviewed the AI-related indemnification language in key vendor agreements?

7. Integrate AI Risk into the Enterprise Risk Management Framework

AI risk should not exist as a standalone topic on the board agenda. It belongs inside the organization’s existing Enterprise Risk Management framework, with quantified risk assessments, defined risk appetite thresholds, and a regular reporting cadence. The FAIR Institute’s work with NACD on AI cybersecurity governance establishes economic risk quantification as the standard. Boards that treat AI as a narrative conversation rather than a quantified risk are operating below the standard of care that regulators and plaintiffs’ counsel will expect.

8. Assess Board-Level AI Competency

In 2025, 44 percent of Fortune 100 companies referenced AI in director biographies or board skills matrices, up from 26 percent the year prior. The Harvard Law School Forum on Corporate Governance’s April 2026 analysis of board AI expertise asks a pointed question: does the board have sufficient AI literacy to evaluate management’s AI strategy, challenge its assumptions, and identify the questions that should be asked? Directors do not need to be technologists. They need to be fluent enough to govern. Skills matrix gaps in AI competency are a disclosure issue and a governance issue simultaneously.

Putting the Checklist to Work

Run this checklist in executive session. Ask management to respond in writing to each point. Where answers are incomplete or absent, those gaps become the board’s governance agenda for the next quarter. AI governance done at the board level is not about understanding the technology. It is about ensuring the organization has the structures, controls, disclosures, and accountabilities that fiduciary duty now requires. The board that can document its answers to all eight points is in a substantively different legal and reputational position than the board that cannot.