Who governs the governors?

A vendor marketing page recently made a striking claim: 69% of directors already use AI. The number appeared without a source, a methodology, or a sample size. It was an estimate, generated by a vendor selling the governed alternative. The statistic does not hold up. But the underlying condition it was pointing at does — and for executive, program, and project boards, that condition carries consequences that no vendor landing page will fully name. Board AI governance is the subject — and for the directors who sit inside it, the consequences are personal.

In Brief

  • AI use inside board and senior executive functions is already happening — often through consumer tools with no auditability or governance record.
  • The executives responsible for governing AI risk across their organisations are frequently among those creating ungoverned AI exposure themselves.
  • Board-level awareness of AI is rising, but formal accountability structures remain absent in most organisations — and that gap now carries personal liability consequences.
  • The question is whether board processes are governed to the same standard executives are expected to apply everywhere else in the organisation.
  • An organisation’s AI governance posture is only as credible as the governance applied to its own decision-making processes.

The research that does hold up tells a different story. A global survey of directors cited by McKinsey found that 66% of board members report limited to no knowledge or experience with artificial intelligence (AI), and nearly one in three say AI does not appear on their agendas at all (McKinsey & Company, 2025). Deloitte’s 2025 survey of 695 board members and C-suite executives across 56 countries found that nearly a third of boards (31%) still have not placed AI on the board agenda in any substantive form — an improvement on the previous 45%, but a structural gap that remains material (Deloitte Global Boardroom Program, 2025). The National Association of Corporate Directors (NACD) found that while 62% of boards now hold regular AI discussions, only 27% have formally embedded AI governance into their committee charters — with most remaining in education and awareness mode rather than structural oversight (NACD, 2025, cited in Knostic, 2026).

That is the aggregate picture. It masks something more specific — and more urgent.

The gap is inside the room

The standard framing of AI governance risk positions the board as the oversight body and the organisation as the entity being governed. The board’s job is to ask the right questions, set the right policies, and hold management accountable for how AI is being used across the enterprise. That framing is structurally correct. It is also incomplete.

What it omits is the AI exposure being generated inside the governance function itself.

Board materials are among the most sensitive documents an organisation produces. Investment committee papers, program business cases, risk registers, minutes of in-camera discussions — these documents carry price-sensitive information, legally privileged advice, confidential personnel matters, and strategic decisions that have not yet been disclosed. They are also, in the current environment, exactly the class of material that busy, well-intentioned people reach for consumer AI tools to summarise, prepare for, and process more efficiently.

A 2025 analysis by LayerX Security found that approximately 18% of enterprise employees regularly paste data into generative AI tools, and more than half of those paste events contain corporate information — typically via personal accounts that sit entirely outside enterprise controls (LayerX Security, 2025, cited in eSecurity Planet, 2025). The specific risk to board processes is not speculative. A 2024 poll conducted by GC100 — the representative body of general counsel and company secretaries in the FTSE 100 — found that many directors would not be comfortable with board meetings being recorded for AI note-taking purposes, precisely because of the confidentiality implications and data exposure risk that come with insufficient safeguards (GC100, 2024, cited in White & Case, 2025).

The structural condition here is not that directors are reckless. It is that AI tools have made information processing faster and easier in ways that do not announce themselves as governance events. Pasting a board pack into a consumer AI tool to get a quick summary does not feel like a breach. It feels like preparation. The governance gap is not visible at the moment it is created.

Boards stall before they reach accountability

The picture that emerges from independent survey data is of boards moving rapidly from ignorance to awareness — and then stalling before they reach accountability. That stall is where the liability exposure accumulates.

The 2026 What Directors Think report — produced annually by Diligent and Corporate Board Member from a survey of public company directors — found that while 66% of boards report using AI in some form, only 3% have fully integrated AI into their risk oversight and strategic decision-making. When examined at the level of actual practice, 40% of boards do not use AI at all for risk oversight, and 33% use it only minimally (Diligent Institute & Corporate Board Member, 2026). The same report found that only 10% of boards are using AI tools to manage the growing complexity of scenario planning — despite 84% of directors having significantly changed their approach to risk given the current environment.

Awareness of AI risk is rising. The governance structures to manage it are not keeping pace — and that gap now carries personal liability consequences for directors.

That gap now has legal teeth. AI-related securities class actions doubled from 2023 to 2024, and the first half of 2025 alone produced 12 filings, with average settlement values for directors and officers claims rising 27% to approximately $56 million. The common thread across these claims, as analysis by Techne AI found, is the absence of documented board oversight (Techne AI, 2026). Under the Caremark doctrine — well established in corporate governance law — directors are required to implement reasonable oversight systems for known risks. Inadequate AI governance now exposes directors personally: to regulatory penalties, shareholder litigation, and reputational damage (Relyance AI, 2025). Governance scholars are applying Caremark and Stone v. Ritter directly to AI oversight obligations (AI CERTs, 2026).

For Australian public sector executives, the accountability structure is different but the structural logic is the same. The Public Governance, Performance and Accountability Act 2013 (PGPA Act) places personal accountability on accountable authorities for the use and management of public resources. The Commonwealth’s AI policy obligations — including supplier disclosure requirements already in force and automated decision-making privacy disclosure obligations arriving in December 2026 — create a compliance environment in which ungoverned AI use inside governance processes sits directly in the accountability chain. The exposure is not to shareholder litigation. It is to Senate estimates, Australian National Audit Office scrutiny, and ministerial accountability.

Governing the governance function

The reorientation required is not a new AI strategy. Most boards and senior executive groups already have those in motion, or will shortly. The reorientation is narrower and more immediate: the governance applied to the organisation’s AI use needs to be applied with equal rigour to the governance function itself.

That means being clear about which tools are in use — formally and informally — inside board preparation, meeting facilitation, and minute-taking processes. It means understanding where sensitive material is being processed, what controls exist around that processing, and whether the auditability standard applied to board decisions extends to the AI-assisted inputs that shaped them. It means recognising that a board policy on AI that governs everyone except the board is not a governance document — it is a gap.

The EY Center for Board Matters found that the share of Fortune 100 companies citing AI risk as part of board oversight responsibilities increased threefold in a single year — from 16% to 48% between 2024 and 2025 (EY Center for Board Matters, 2025, cited in Corporate Compliance Insights, 2025). That acceleration reflects boards recognising a structural accountability obligation that is not optional. Proxy adviser Glass Lewis warned in 2025 that it may recommend votes against directors without clear AI oversight disclosure; BlackRock and Vanguard both highlighted responsible AI in their stewardship guidelines (AI CERTs, 2026). The external pressure is not theoretical.

What this means for senior leaders in practice is a short diagnostic question applied to their own processes before they apply it to the organisation’s: where is AI being used inside the governance function, by whom, with what controls, and how would that use appear if it were examined? Not as a precursor to restriction — but as the same standard of structured visibility that governance is expected to apply everywhere else.

The executive who has answered that question for their own processes is better placed to govern the same question across the organisation. The one who has not has created the same gap they are charged with closing.

© 2026 Zen Ex Machina (ZXM) Pty Ltd. All rights reserved. ABN 93 153 194 220
