1. What existing director duties cover
Under the Companies Act 2006, UK directors have a duty to promote the success of the company, exercise reasonable care and skill, and act in a way they believe to be in the best interests of the company for the benefit of its members as a whole. These duties apply to all material strategic and governance decisions, and they are not limited to the categories of risk that existed when the Act was written.
Legal opinion is increasingly clear that director duties extend to AI governance. A director who approves a material AI deployment without adequate due diligence on the risks, who fails to ensure appropriate governance structures are in place, or who ignores red flags about AI system performance, may be in breach of their duty of care just as they would be if they ignored comparable risks in any other domain.
2. The regulatory framework: what is already in force
Several specific regulatory requirements already create concrete legal obligations for boards regarding AI.
The EU AI Act, now in force, imposes requirements on high-risk AI systems covering governance, documentation, human oversight, and accuracy. These requirements apply to any organisation deploying such systems in European markets, so UK businesses with EU operations are within scope.
The FCA's Senior Managers and Certification Regime already applies to AI-related decisions in financial services firms. The FCA has been explicit that AI governance failures can give rise to individual liability for designated senior managers.
The ICO's enforcement of UK GDPR in AI contexts is increasing. Automated decision-making provisions, fairness requirements, and accountability obligations all have direct implications for AI deployment governance.
The Employment Rights Act imposes obligations on employers regarding how automated systems affect employment decisions, with enhanced requirements where AI is used in hiring, performance management, or disciplinary processes.
3. Where director liability is most acute
Within the AI governance landscape, three areas present the most acute director liability risk in the current environment.
First, AI systems that make or support decisions with significant consequences for individuals. Credit decisions, insurance underwriting, hiring and performance management, benefits eligibility: wherever AI is involved in high-stakes individual outcomes, the regulatory and legal framework is most developed and enforcement is most active.
Second, AI systems deployed without adequate data protection governance. Using personal data to train or fine-tune AI models without proper lawful basis, consent, or safeguards creates liability under UK GDPR that ultimately rests with the board as the organisation's governing body.
Third, AI systems that produce misleading outputs in regulated contexts. AI-generated financial advice, legal documents, or medical information that turns out to be inaccurate creates liability that regulators are increasingly willing to trace to governance failures rather than accepting it as a technology limitation.
4. What directors should be doing now
The appropriate response to evolving AI legal obligations is not legal paralysis. It is disciplined governance.
Boards should ensure their AI governance framework documents that risk assessments were conducted for material AI deployments, that appropriate controls were implemented, and that ongoing oversight is in place. This documentation serves as evidence of due diligence that directors exercised their duty of care.
Boards should ensure their senior manager AI accountabilities are explicit in regulated sectors, with designated individuals who are responsible for AI governance and whose responsibilities are documented in a way that satisfies regulatory expectations.
Boards should commission periodic legal reviews of AI deployment governance as the regulatory framework develops, rather than treating a compliance assessment done in 2023 as adequate for 2025 and beyond.
Key Takeaways
1. Existing director duties under the Companies Act 2006 extend to AI governance, and legal opinion increasingly confirms this.
2. The EU AI Act, FCA Senior Managers Regime, UK GDPR, and Employment Rights Act all create specific AI-related obligations with director-level implications.
3. The highest liability risk areas are AI in high-stakes individual decisions, AI use of personal data without adequate governance, and AI-generated misleading outputs in regulated contexts.
4. Documentation of AI governance decisions and risk assessments is a critical legal protection for directors.
5. Periodic legal reviews of AI governance are necessary as the regulatory framework is still developing rapidly.