Artificial Intelligence (AI): implications and risks for boards

As more and more companies adopt AI processes across their businesses a significant knowledge gap, often at board level, is emerging within many organisations around both AI generally and the specific systems being deployed internally. That creates a growing governance and liability risk, particularly because AI adoption is often moving much faster than the processes needed to oversee and scrutinise it properly.

Many boards still treat AI like a conventional IT rollout, when, in reality, it should be governed more like a new team, which is making decisions on the company’s behalf. Traditional operational metrics are not enough. Boards need to focus on the quality, consistency and reliability of AI-driven decisions over time.

As AI becomes more embedded in business operations, directors will need to take a far more active role in oversight, including scrutiny before, during and after deployment. That will require stronger governance and better-informed oversight at board level, rather than (what can sometimes be blind) reliance on technology suppliers alone.

The speed and scale of AI adoption have, in many cases, outpaced governance frameworks

Compared to other technologies, many AI systems are being adopted with relatively limited scrutiny, often because boards lack the technical expertise needed to interrogate them properly or because supplier claims are accepted at face value.

That is particularly concerning given the potential for bias and opaque “black box” decision-making. In many respects, businesses are deploying AI before the governance, compliance and testing frameworks around it are sufficiently matured.

We are already seeing examples of failures emerge, although many remain out of the public eye. As interest in AI implementation continues to increase, more of these issues are likely to come to light. The reputational damage of an AI related failure would be costly and time consuming to deal with and could impact a company’s bottom line. It could also lead to litigation, which would, given the general interest in AI, be heavily reported beyond a company’s specific sector. No company wants to become a cautionary tale as regards the adoption of an AI tool which does not withstand scrutiny or which places a business in the line of sight of its regulator. 

Emerging areas of risk for boards to consider and seek to mitigate

One major area of exposure is what might be called “hidden ingredient” risks. Businesses may use AI-generated content that appears acceptable at first, only to discover later that it contains copyrighted material or misuses personal data.

Bias is another significant risk. AI systems are built on pattern recognition, meaning flawed or unbalanced training data can produce discriminatory outcomes at scale unless there are rigorous scrutiny and testing. The difficulty is that these issues may only become apparent after thousands of decisions have already been made. The time and expense that would be incurred reviewing and undoing issues of this nature can’t be underestimated. 

Given the pace of adoption and limited independent testing of many systems, there is a real risk that some organisations are already accumulating liabilities that simply have not surfaced yet.

Further, as AI attracts increasing investor and market attention, there is a growing risk that businesses overstate their AI capabilities or the extent to which AI is integrated into their operations. This “AI washing” mirrors previous concerns around “greenwashing” and could expose companies and senior management to shareholder claims, regulatory scrutiny and reputational damage. Regulators such as the FCA and ASA are likely to take a close interest in AI-related disclosures and marketing claims, particularly where statements cannot be substantiated.

Matters are further complicated for businesses operating internationally because the regulatory is fragmented internationally, creating a patchwork of standards for businesses operating across jurisdictions.

The EU has taken the most developed approach through the AI Act, which adopts a risk-based framework for regulating AI systems. The UK has instead opted for a more flexible, sector-led model relying on existing legislation and oversight by existing regulators such as the FCA and ICO.

While the UK approach is intended to encourage innovation, it also creates uncertainty because businesses often lack clear guidance on what compliance looks like in practice. There is not one standard or guide that a board can refer to and implement to ensure regulatory compliance. As AI-related disputes increase, it is likely that regulatory gaps will become more visible, resulting in a more reactive approach to reform.

Top tips

Mitigating AI-related risk whilst promoting growth requires a clear top-down governance approach. Boards need a sufficient understanding of both the broader AI landscape and the specific systems being deployed within their organisation. That may also require training and external expert input.

AI governance should become a regular board meeting agenda item, ensuring ongoing oversight of the deployment of AI, the testing of AI tools in operation, the monitoring of compliance and the continual assessment of emerging risks. Companies should also carefully scrutinise any public statements proposed which include referenced to a company’s AI capabilities or strategy to ensure that such statements are accurate and evidence based. That evidence should be well documented in board meeting minutes for future reference.

Organisations adopting a number of AI tools should consider establishing dedicated technology or AI committees to oversee implementation, governance and staff training. Improving AI literacy across the business (and evidencing the work undertaken to do so) will be critical to ensuring AI is deployed responsibly and within appropriate parameters.