01 A working definition
AI governance is the set of policies, processes, and controls that ensure AI systems are developed, deployed, and operated in ways that are consistent with the organisation's values, legal obligations, and risk appetite.
Breaking this down: policies define what the organisation's rules about AI are. Processes describe how those rules are implemented in practice (how AI deployments are approved, how AI systems are monitored, how AI incidents are reported). Controls are the specific mechanisms that enforce the policies (system prompt restrictions, access controls, human review requirements, audit logging).
02 What AI governance covers in practice
For a board thinking practically about AI governance, it covers five areas.
Strategy alignment: do AI investments connect to business strategy with clear accountabilities? Is AI governance integrated with the organisation's overall strategy governance rather than treated as a separate technical matter?
Data governance: are the data practices of AI systems governed appropriately? This includes the data AI systems are trained on, the data they access in operation, the data they generate as outputs, and the data governance obligations that apply to all of the above.
Risk management: are AI risks identified, assessed, and managed? This includes operational risk, reputational risk, regulatory risk, and any AI-specific risks (hallucination, bias, safety failures) relevant to the organisation's deployments.
Compliance: are AI deployments compliant with applicable law and regulation? This includes data protection law, sector-specific regulation, and any specific AI regulation that applies to the organisation's activities.
Performance oversight: are AI systems performing as intended, and is there a mechanism for detecting and responding to performance degradation?
03 The board's role in AI governance
The board's role in AI governance is oversight, not management. The board should set the risk appetite for AI, approve the AI governance framework, receive regular reports on AI performance and compliance, and hold management accountable for AI governance outcomes.
In concrete terms, this means the board: approves the AI policy, sets the AI risk appetite, receives AI risk register updates, reviews AI programme performance against approved metrics, and ensures that AI governance is subject to independent review (internal or external audit).
AI governance that works is not primarily a documentation exercise. It is the practical, ongoing management of AI risk in ways that allow the organisation to capture AI value while managing the harms that AI can produce.
Key Takeaways
1. AI governance is the set of policies, processes, and controls ensuring AI is developed and operated consistently with the organisation's values, legal obligations, and risk appetite.
2. In practice, AI governance covers five areas: strategy alignment, data governance, risk management, compliance, and performance oversight.
3. The board's role is oversight: setting risk appetite, approving the governance framework, receiving performance reports, and holding management accountable.
4. Effective AI governance is practical and ongoing, not primarily a documentation exercise.
5. AI governance is not a separate technical matter but should be integrated with the organisation's overall governance and risk management frameworks.