Most boards treat AI as a technology question. It is a governance question. That single mistake sits at the root of nearly every AI oversight failure I have watched unfold. Directors wait for the chief technology officer to walk them through the models, nod at the sophistication, and call it oversight. They have asked the wrong person the wrong thing. The board's job was never to understand the architecture. It is to make sure someone is accountable for what that architecture does to real people.

There are two ways boards fail at this

The first is abdication. "That is management's job." The board treats AI as an operational detail beneath its altitude and waits for a polished demo. The second is theater. The board approves an AI policy, files it, and tells itself the matter is handled. Both feel like governance. Neither is. One looks away. The other looks at the wrong thing.

You do not need to understand the model

There is a trap waiting for conscientious directors, and it is the urge to get technical. To learn the vocabulary, to ask about parameters and training data, to prove they belong in the conversation. That instinct hands the room to whoever is most fluent in jargon, and it lets management dazzle the board into silence.

No board would accept this posture on capital allocation. Directors are not bankers, yet they govern finance with confidence. They ask for the assumptions behind the forecast. They probe the downside case. They know which decisions are theirs and which belong to management. AI deserves exactly that treatment, and almost never gets it.

The board's leverage was never technical expertise. It is judgment. A director does not need to read the code. A director needs to refuse vague answers.

Three questions that do the real work

Strong AI oversight comes down to three plain questions, asked persistently and answered specifically.

Who is accountable? Not "the system." A named human being who owns the outcome.

What could go wrong, and for whom? This is the question most boards skip, and it is the most important one. Force the conversation toward the person on the receiving end. Who gets denied, misjudged, or harmed if this fails quietly?

How would we know? If the only way the board would learn about a failure is by reading it in the news, then there is no oversight, only hope.

Those three questions require no technical fluency. They require the willingness to keep asking until the answers stop being vague.

Oversight is not a one-time vote

An AI system is not a bridge you inspect once and approve. It changes after deployment. It drifts. The policy a board signed off on last year now governs a system that no longer exists in the form they approved. Oversight that happens once is not oversight. It belongs on the agenda as a standing item, revisited with the same seriousness as financial risk.

Good governance is mostly the discipline of deciding things in advance. Decide which categories of decisions AI may not make alone. Decide what triggers escalation to management and what triggers escalation to the board. Put your risk appetite for AI in writing, the way you already do for credit or liquidity. The NIST AI Risk Management Framework gives boards and management a shared vocabulary for exactly this conversation, and it costs nothing to adopt. A boundary set after the incident is not a boundary. It is an apology.

Stop asking "what is our AI strategy?" Start asking who is accountable, what could go wrong and for whom, and how you would know. The boards that get AI right are not the most technical ones in the room. They are the ones willing to ask plain questions and unwilling to accept vague answers.

Lead or react. The choice is still available. It will not stay available forever.