
What should boards ask to balance AI adoption with risk oversight?

2 June 2026
Answered by Rohit Parmar-Mistry

Short answer

A quick answer first, then the fuller context below.

Boards balancing AI adoption with risk oversight should ask where AI creates value, where it can harm customers or clients, and who is accountable for controls. The answer is a board-level operating rhythm, not a one-off AI policy.

Detailed answer

The fuller context, trade-offs and practical steps behind the short answer.

Why boards are asking this now

Boards are under pressure to let the organisation use AI without treating every tool, pilot or embedded feature as an uncontrolled experiment. The right question is not simply whether the business should adopt AI. It is where AI changes risk, accountability, client outcomes and evidence.

Deloitte's board governance roadmap frames AI oversight as a balance between adoption and risk management. That is the useful starting point. AI can improve productivity, analysis and service quality, but it can also create confidentiality, accuracy, bias, resilience and reputation issues if the board only sees a list of pilots.

The board should ask six practical questions

A good board discussion should cover six questions before approving or scaling material AI use:

  1. What business outcome are we trying to improve? Name the workflow, client journey, decision or operational metric. If the use case cannot be tied to a clear outcome, it is not ready for board attention.
  2. What could go wrong for customers, clients, staff or the firm? Consider poor advice, unfair outcomes, leakage of confidential or personal data into third-party tools, hallucinated analysis presented as fact, weak supervision, supplier lock-in and reputational harm.
  3. Who owns the decision and the control environment? The board should see accountable owners across the business, risk, legal, compliance, information security and operations. AI ownership cannot sit only with IT or innovation.
  4. What data is being used, and under what permissions? This includes personal data, client confidential material, privileged material, whether prompts and outputs may be used to train or improve the vendor's models, retention periods, subprocessors and deletion rights.
  5. How will outputs be checked before they affect real people or client work? Define review thresholds, evidence requirements, escalation paths and stop conditions.
  6. What evidence will prove the system is working as intended? Ask for access and prompt logs, testing results, approval records, incident history, user training records and post-launch monitoring reports, and ask who reviews them and how often.


Separate opportunity oversight from risk oversight

AI governance gets messy when the same paper tries to sell the opportunity and approve the controls. Boards need both views, but they should not blur them.

The opportunity view should show where AI can improve speed, quality, capacity or client service. It should be specific enough to distinguish a useful workflow change from general enthusiasm. For example: reducing first-draft time in research, improving case triage, summarising policy documents, routing service requests, or checking data quality.

The risk view should show what the organisation will not permit, what needs extra approval, and what must be monitored after launch. For professional services and regulated firms, that means linking AI use back to confidentiality, data protection, professional judgement, audit trail, quality review and senior accountability.

Ask for a live AI use-case register, not a slide of examples

A board cannot oversee AI adoption from anecdotes. It needs a live register that records the material AI uses across the organisation. The register should cover public AI tools, Copilot-style assistants, embedded AI features in existing platforms, internally built workflows and third-party AI vendors.

For each use case, the register should record:

  • the business owner and accountable executive;
  • the purpose, users and affected customers or clients;
  • the data categories involved;
  • the vendor or model dependency, where relevant;
  • risk rating and approval status;
  • required human review steps;
  • monitoring metrics and incident triggers;
  • last review date and next review date.

This does not need to be bureaucratic. It needs to be accurate enough that the board can see what is scaling, what is experimental and what is outside policy.

Make the operating model explicit

The board should ask management to define how AI decisions move from idea to live workflow. A sensible operating model usually has four gates:

  1. Intake: the business describes the use case, data involved, expected outcome and users.
  2. Risk review: risk, legal, security, data protection and compliance review the use case against agreed criteria.
  3. Controlled launch: the workflow goes live with defined human review, user training, monitoring and rollback rules.
  4. Ongoing assurance: the owner reports performance, incidents, drift, complaints, exceptions and control changes.

Board oversight should focus on the criteria used at each gate, not on approving every low-risk prompt or productivity tool. The goal is proportionate control: enough structure to prevent avoidable harm, without making sensible experimentation impossible.


What board papers should include

For material AI programmes, board papers should include more than projected productivity gains. Directors should expect:

  • a short description of the use case and decision context;
  • the expected benefit and how it will be measured;
  • the customer, client, employee and regulatory risks;
  • data protection and confidentiality assessment;
  • vendor due diligence and data retention position;
  • human review and escalation rules;
  • testing results, known limitations and red-team findings where relevant;
  • the audit trail that will be kept;
  • ownership under the relevant accountability regime;
  • the monitoring dashboard after launch.

In financial services, this should connect to Consumer Duty, SM&CR accountability, operational resilience and model risk where relevant. In legal, accountancy and advisory firms, it should connect to confidentiality, privilege where relevant, professional obligations, quality review and supervision.

Useful board-level metrics

Boards should avoid vanity AI metrics, such as the number of experiments launched. Better metrics show controlled adoption and risk movement. Examples include:

  • number of AI use cases by risk tier and business area;
  • percentage of material use cases with named accountable owners;
  • percentage of users trained on approved-tool and prohibited-data rules;
  • number of exceptions, incidents and near misses;
  • average time from intake to approval for low-risk and high-risk use cases;
  • coverage of audit logs and human review records;
  • measured productivity or quality gains after launch;
  • third-party AI vendors reviewed and approved.

These metrics help directors spot two common failure modes: uncontrolled adoption hidden in departments, and over-heavy governance that prevents useful, low-risk improvements.

A practical conclusion for the board

The board's job is not to become an AI product committee. Its job is to make sure AI adoption has a clear purpose, accountable owners, proportionate controls and a reliable evidence trail.

The best question to ask management is: Can we show which AI uses are live, why they are allowed, who owns them, what could go wrong, and what evidence proves the controls are working?

If the answer is no, the next step is not another AI strategy deck. It is a short operating model, a live register, and a board reporting rhythm that turns adoption into governed execution.


FAQs


Should the board approve every AI use case?

No. The board should approve the governance model, risk appetite and material high-risk uses. Lower-risk use cases should move through a delegated process with clear criteria and reporting.

What is the biggest AI oversight mistake boards make?

The biggest mistake is treating AI as a technology update rather than an accountability issue. The board needs to know who owns outcomes, controls, evidence and exceptions.

How often should the board review AI adoption?

For active adoption, quarterly review is a sensible starting point. High-risk programmes may need more frequent reporting during launch, then steady-state reporting once controls are proven.

What should directors ask if management says AI risk is already covered by existing policies?

Ask for evidence. Existing policies may help, but directors should see the AI use-case register, data rules, vendor checks, human review requirements, audit logs and incident process.
