Ten ways AI can blow up your business
Your board was built for risks that hold still. AI doesn’t.
How many Boards or committees spend forty minutes on AI - where the CIO runs accuracy charts. The General Counsel updates on the EU AI Act & the AI policy document gets signed off without a question? Polished papers, all minuted.
No realtime metrics or discussion on model agency or risk classification? How many decisions in that room reflected that the system under discussion had shipped several vendor updates since the last cycle with updated token pricing & multiple APIs accessing your data — or that the model on the slide wasn’t the model in production.
The governance is theatre. The AI risk is live & different for 3 reasons:
It is probabilistic. Traditional software works or it doesn’t. AI is right most of the time — and wrong with total confidence some of the time. ‘Show me the test results’ gets you a confidence interval, not a certainty. Most directors have never governed one.
It doesn’t sit still. Models drift, vendors push updates, data shifts. A compliant system in January can be non-compliant in June without anyone touching the code. And it doesn’t stay where you put it: AI now sits inside spreadsheets, copilots, supplier portals and browser extensions, mostly uninventoried.
It moves at machine speed. Use cases deploy in weeks; board cycles run in quarters; assurance runs in years. A biased model can serve a million decisions before the next risk committee meets. A deepfake can move a share price in an afternoon.
So what: the annual audit cycle, the quarterly board pack and the policy attestation were designed for a different clock speed. Here are the ten ways that mismatch blows up — and the risk is rarely the technology. It is the governance around it.
1. Strategy — someone reprices your industry while you run pilots. The most dangerous slide is the one describing AI as ‘efficiency’. The real question is whether anyone — incumbent or new entrant — is using AI to reprice the industry around you. If management cannot say where your proprietary advantage now sits and what AI does to it, that is your first red flag.
2. Decisions — the model is wrong with confidence. Hallucination, bias, drift, opacity — and increasingly, decisions taken autonomously at machine speed before a human can intervene. The board does not need to validate models. It needs to know that someone does, and that the highest-stakes decisions carry a human check by design. Would you know if your AI got something wrong an hour ago — or only when a regulator, a customer, prospective hire or a tribunal told you?
3. Data — your crown jewels leak one prompt at a time. Staff are pasting confidential material into public tools today. Models are being trained on content the company may not own. Data governance is not hygiene; it is the foundation of defensible AI — and the first thing a regulator or claimant will pull on. Do you know which of your data is feeding which models? Are you sure you want foundation models accessing your data (ie not training your competitors), are ‘enterprise’ promises & guardrails valid when the underlying model retains data (ie Claude Fable). Is model control a competitive advantage or a moat in your category? The most recent high profile example is of Anthropic rebuilding elements of Figma, where a partner entered the category (Figma share price down circa 50%YTD). The recent debate is around in-house open source models running your own compute stack - given current frontier model token costs this is now becoming a viable (safer) alternative for many?
4. Cyber and fraud — the attacker now has AI too. Deepfake CEO impersonation is no longer hypothetical; finance teams have wired money to cloned voices. The launch and fanfare around Anthropic’s launch of Mythos has changed the Board conversation. However, one of the biggest risks lies within - ‘prompt injection’ can turn an AI assistant into a hijacked insider with real credentials. If cyber reporting to your board does not name AI-enabled threats & the new ‘surface’ they are attacking explicitly, the reporting is incomplete.
5. Regulation — ‘we didn’t know the tool used AI’ is not a defence. The EU AI Act is real, phased and binding for anyone touching the EU market - with the high risk regime landing this August. The UK floor is hardening; the SEC has already enforced against misleading AI claims. Regulators have stopped accepting an annual sign-off as evidence, they want model level records, continuously.
6. Operations — what happens if your AI vendor pushed a silent update tonight, would you find out from your own monitoring — or from your customers? One retailer only discovered its personalisation engine had quietly changed pricing logic after a routine vendor patch when margin fell two points, unexplained, in a single quarter. A yearly continuity test doesn’t catch a system that changes behaviour on a Tuesday night without telling you.
7. Reputation — one failure erases ten wins. AI failures are reputationally asymmetric. One unfair decision, one leaked dataset, one deepfake incident, and the value created by ten well-governed use cases evaporates. Trust is a board asset. Ethics has to be a control, not a communications line.
8. Talent — job enrichment vs displacement? Adoption without redesigning how the work gets done, lacking AI Literacy beyond the tech team. No incentives tied to value capture. Questions many boards are now asking - What is our AI workforce strategy? How are we measuring impact on jobs? What is our AI literacy baseline - for Colleagues, Executives & Directors? How can we deploy talent, rebundle ‘tasks’, build a new organisation model with different spans of control - with humans managing agents?
9. Concentration — it’s no longer just about ‘which model do we use”. It’s about whether a single government decision, vendor pivot or API or token price change could disable critical workflows overnight or make them uneconomic? Most third-party due diligence never asks about model provenance, change notification or sub-processor chains. Does the Board know where concentration risks lie, how quickly can we substitute and what’s the impact?
10. Economics — the money blows up quietly. Also new, and increasingly the one investors ask about. AI cost is now tied to physical infrastructure — compute, chips, power — and token pricing that can move under your business case. Meanwhile most enterprises are funding pilot portfolios with no stop/go criteria and no measured return. Capital committed to AI should face the same discipline as any strategic capex/opex: stage gates, downside cases, explicit return thresholds. Uber recently announced it burnt through its entire 2026 AI coding budget in four months and moved to cap token usage after the horse had bolted.
A board that checks in once a quarter cannot govern a system that changes every day. Today only 39% of Fortune 100 boards have any form of AI oversight — a committee, a director with the expertise, an ethics board. Only 6% have management reporting that goes beyond adjectives. That’s not a knowledge gap.
The uncomfortable close: none of the ten requires the AI to fail. Half of them detonate when the AI works exactly as designed — on the wrong data, at the wrong speed, under the wrong ownership, or at a price that no longer makes sense. How to fix it



