Standing topic, or system?

I have watched boards spend ninety minutes on AI in which the CIO ran model accuracy charts, the CISO covered prompt injection testing and the General Counsel summarised the EU AI Act timetable. Nobody asked who owned the AI agenda at executive level. Nobody asked how much agency had been delegated to which agents, what guiderails we had hard coded or who was responsible for each. Nobody asked what the board would see on the dashboard next quarter. Three hours of update across two cycles; zero hours of governance. That gap is what this manual page is built to close.

Most boards now treat AI as a standing topic. Far fewer treat it as a system. And the system you need now must govern a non-human actor at machine speed — not a person at quarterly cadence.

Standing topic produces an update. System produces evidence (real time).

The Stat This Week
65% of organisations now use generative AI in at least one business function. Three in four are running agentic AI in their systems. Fewer than one in five has a defined AI governance operating model that names who is accountable for each agent. Adoption up, agency unowned, evidence flat.

The shorthand

Strip the leading frameworks back. OECD’s updated 2024 principles set the values — human-centred, transparent, accountable. NIST’s AI Risk Management Framework reframes them as an operating loop — Govern, Map, Measure, Manage. The EU AI Act bolts on legal obligation, phased: prohibited practices live since February 2025, general-purpose AI obligations since August 2025, high-risk system obligations from August 2026. The UK’s principles-led approach leaves more discretion but demands the same outcomes. McKinsey, KPMG/INSEAD, the WEF AI Governance Alliance and the Harvard Law School Forum on Corporate Governance translate the same idea into board-level decisions: align posture, allocate capital, classify risk, govern the lifecycle, evidence the controls.

AI governance is value + risk + trust, governed as one system. The first-order board question is no longer “how much risk?” It is “how much agency?”

What changes when the actor isn’t a person

Every board operating model in use today rests on a hidden assumption: the actor executing a decision is a human who can be instructed, supervised, slowed down and held to account. Once decisions and actions are delegated to autonomous agents — pricing engines, customer-routing models, refund bots, credit-check agents — that assumption breaks. This is not a new agenda item. It changes the substance of nearly every board responsibility.

AI doesn’t replace the board’s duties. It raises the metabolic rate at which they must be discharged.

The Frame this week works through the structural break; this Library page operationalises the response.

The Four-Domain Frame, working as a system

The Manifesto introduces the Four-Domain Frame as the navigation grammar of this publication. The Library makes it operational — the same four domains, the same map, applied as a connected system rather than a list.

The Four-Domain Frame · the navigation grammar of TheDirectorBrief. Cross-cutting: 6-dimension scorecard (Value · Adoption · Risk · Compliance · Capability · Trust), 10 building blocks, 6-month implementation arc.

The board’s job is not to approve every tool or model. It is to ensure four things, one for each domain:

• Strategic intent — AI is linked to value, not pilot proliferation. (Strategy & Innovation.)

• Risk discipline — use cases classified, agency assigned explicitly, controls embedded before deployed. (Risk & Resilience.)

• Agency and accountability — every material agent has a named human owner; agency appetite (autonomous / recommend-only / prohibited) decided in advance; accountability never transfers to the agent. (Governance & Accountability.)

• Capability and trust — AI is explainable, fair, secure, lawful and defensible — and the board itself has the literacy to test that. (Capability & Culture, with Governance.)

A board doing only the first will be blindsided. A board doing only the third will miss the upside. The board that does all four turns AI from a risk to be contained into a capability to be governed.

Caremark exposure is not theoretical. Since Marchand v. Barnhill (2019) confirmed that boards owe an oversight duty for mission-critical risks, AI has steadily moved into the centre of that line. ISS and Glass Lewis both updated 2024 stewardship guidance to reference AI oversight and disclosure. If your minutes do not show evidence-based AI oversight — including who owns each material agent — the question is not whether you should worry. It is when.

The six questions that test whether your governance is real

The full Primer carries twenty questions, five per domain. Six are load-bearing. Use these in your next committee. If any of them produces a fluent description rather than a piece of evidence, you have governance theatre.

1. Where does AI create the most value in our business — and where could it destroy the most value?

Tests whether AI is integrated into strategy or banished to the cost line. (Strategy & Innovation.)

2. Do we have a complete live inventory of AI use cases — including GenAI, agents, copilots, shadow agents and vendor-embedded AI?

Tests whether the board has visibility — or only the slice management chooses to show. (Risk & Resilience.)

3. Are there AI uses we should prohibit because they are unethical, unlawful or inconsistent with our values?

Tests whether the board has set a floor. (Governance & Accountability.)

4. How much agency have we delegated to each material AI use case — autonomous, recommend-only or prohibited — and is a named human accountable for each?

Tests whether the operating model is defined or improvised. The new first-order question. (Governance & Accountability.)

5. Can we explain and defend AI-driven decisions to customers, regulators, courts or the media — and would the logs survive disclosure?

Tests whether you are defensible. (Risk & Resilience + Governance.)

6. What is the one AI failure scenario that could cause the most reputational harm — and have we imagined it concretely enough to plan for it?

Tests whether the board has imagined its worst day in enough detail to act. (Risk & Resilience + Capability & Culture.)

Watch, ask, decide

• Watch. The gap between the board’s confidence and management’s evidence. If the dashboard contains adjectives, not metrics, the gap is wide. If you cannot name who owns each material agent, the gap is wider.

• Ask. The chair and the SID — separately — who owns AI at executive level, which committee owns which risks, and when the board last received an end-to-end view rather than a topic-by-topic update. Inconsistent answers are the signal.

• Decide. Before the next cycle, that the board will receive a single integrated AI dashboard, that the AI inventory will be presented live (not quarterly), and that every material agent will carry a named owner, a documented agency appetite and a tested kill switch.

Next week in The Library

Eight ways AI can blow up your business — and the control architecture that catches them. The eight risk families tagged to the Four-Domain Frame, the agentic overlay (what changes when the actor is a machine), the ownership map updated for agency, three lines of defence, and the six-dimension scorecard. The Watch companion lands Tuesday; this Library piece lands Thursday.

About The Library

The Library is the manual and repository — primers, tools, templates, prompts, checklists, training material, implementation plans, reading lists and courses, plus the weekly Monday-Morning build: one tool to test and one prompt to use in your own director workflow, always with a safety note on what not to put into a public LLM. The first three issues are pinned anchors: this framework page, next week’s risk taxonomy, and the six-month implementation plan in week three.

What this is, what it isn’t. This is one sitting director writing for fellow sitting directors. It is not NACD certification. Not Big Four broadcast. Not Board Agenda observation. Not LinkedIn governance commentary. Not vendor evangelism. UK and Anglo-European, with the regulatory rigour of FRC, FCA, EU AI Act and SEC. Read in thirty minutes. Used by Monday.

TheDirectorBrief publishes every Tuesday — AI for boards. Each issue carries five sections: The Frame (strategy), The Watch (governance and risk pulse), Five for the Chair (board and committee debate), Signal (AI news that matters, with STAT and CHART of the week), and The Library (primers, tools, templates, prompts and Monday-Morning builds). One read. Thirty minutes. In your inbox before Monday’s pack.

Subscribe free at TheDirectorBrief.com — or reply to this email. I read every response.

Dharmash Mistry sits on the boards of Halma plc, Rathbones Group, the Premier League and the Football Association. He has held board positions across more than thirty organisations spanning listed companies, regulated financial institutions, major sporting bodies and venture-backed businesses, including the BBC, British Business Bank, the Competition and Markets Authority, Hargreaves Lansdown plc, Dixons plc, Revolut and Lovefilm. Prior to this he was a Partner at the venture capital firms Balderton and Lakestar. AI for Boards is written from inside the boardroom, not from outside it.

Sources

1. McKinsey, State of AI 2024 — generative AI adoption by function. [Primary.]

2. Grant Thornton, 2026 AI Impact Survey — agentic AI deployment and incident response. [Primary.]

3. NACD, 2024 Public Company Governance Survey — AI in the top three director risks. [Primary.]

4. Stanford HAI, AI Index Report 2024 — regulatory mentions across major jurisdictions. [Primary.]

5. Marchand v. Barnhill (Del. 2019) — board oversight duty for mission-critical risks. [Primary.]

6. ISS and Glass Lewis, 2024 stewardship guidance updates. [Primary.]

7. Working paper: Governing AI Agents in the Enterprise (May 2026) — the 6-dimension shift and 8-phase continuous loop drawn from internal research; full table sits in The Watch (this week) and the Primer Section B.

Frameworks referenced: OECD AI Principles (updated 2024); NIST AI RMF 1.0 (2023); EU AI Act 2024/1689; UK DSIT principles; KPMG/INSEAD Global AI Governance Principles 2026; WEF AI Governance Alliance 2024–25; Harvard Law School Forum on Corporate Governance. [Primary, all.]