The governance fix. Not a tenth committee. One loop, clear metrics
Most boards have stalled on step two.
This is the fix for the 10 AI risks laid out in The Frame — that doesn’t need the AI to fail, only the oversight to stand still while the risk moves.
Governance sounds like a compliance checklist. In practice it’s the set of rules that determine what an agent can do, what it can’t and who owns the output. Without it agents can make decisions no one asked it to do and no one will know until something bad has happened. Mckinsey’s research suggests that governance frameworks integrated with business processes are what separates successful agent deployments vs failed ones. Do this before a single deployment or API call.
Most boards do the easy half: set a posture, build a partial inventory, then quietly stop before naming an owner, hard-wiring the controls, or running the loop that would expose whether any of it is real — because this iterative feedback loop is what creates personal accountability, not just paperwork. Here’s the whole loop, a set of metrics to measure and the move your board is most likely avoiding.
1. Set your AI posture. Before ‘how much risk?’, answer ‘how much agency?’. Decide where AI may act autonomously, where it may only recommend, and where it is prohibited — by decision type, not department (e.g. screening CVs, responding to customer support queries, managing refunds or payments, credit checking, procurement etc). What is prohibited vs with clear limits? To what standards and ethical guardrails? This is an Executive team call validated with the board, made explicitly and minuted, not something inherited from whatever the tools default to. Everything else hangs off it.
2. See everything. Build the inventory before the policy. A live register of every material AI system and agent: what it does, what data it touches, which vendor sits underneath. Don’t forget the AI staff use without IT’s knowledge, sometimes called ‘shadow AI’: one governance vendor, governr.ai, puts it at 60–70% of what’s actually deployed inside the average regulated firm. At minimum start with your high risk known cases. Ideally classify each use case by strategic value and risk. If you can’t produce the inventory inside 48 hours, the policy is theatre.
3. Name the owner. Every material AI system carries a named human owner (management and board committee) — for the decision, the data and the vendor relationship. Accountability can never transfer to the machine. Diffuse accountability is what produces the regulator’s letter.
4. Embed the controls. Move from detective to preventive. Hard limits, approval thresholds and a tested kill switch built into the system itself (hard coded upfront with outputs validated) — not a quarterly review that catches the failure after a million decisions. Human sign-off stays mandatory for money movement, code deployment and customer commitments.
5. Monitor, and close the loop. Fund a small number of strategic bets and stop weak pilots. In addition to model releases, vendor moves, incidents - track ROI, token cost, workforce effects & provider concentration. Realtime metrics, not adjectives (see below). As things change test the feedback loop. Refresh board education & scenario testing.
Run it well and this isn’t just defence — it’s how you move faster with more confidence than a rival who’s flying blind. Five moves. Most boards have done one or two and are resisting the rest.
Posture, inventory, owner, controls, monitor & loop. Simple to describe, revealing to run — because each move exposes whether the previous one was real.
The board dashboard: what directors should see quarterly, with a weekly pulse
As an example, I would split Board metrics into five groups:
1/ Strategic value : Top AI bets; revenue/margin impact; cycle-time reduction; customer NPS/conversion; strategic milestones
2/ Economics: AI spend; token/API/cloud cost; cost per workflow; benefit realised; vendor cost trend; capex/opex exposure
3/ Adoption and capability: Usage by role; workflow penetration; training completion; AI-fluent leaders; productivity by function
4/ Risk and trust: Incidents; hallucination/error rate; override rate; customer complaints; regulatory exposure; audit findings
5/ Dependency and resilience: Model/provider concentration; fallback coverage; data residency; self-host/open-source use; outage impact
A board should not accept a dashboard that says: “we have 150 AI use cases.” That is usually a symptom of weak strategy. The better answer is: “we have 8 scaled AI workflows, 4 material strategic bets, 3 stopped initiatives, £X realised value, Y% provider concentration, Z unresolved risks.”
What I would tell the board chair…..bring it all back to strategy
The board’s biggest AI risk is not ignorance of the technology. It is mistaking activity for strategic choice.
The best board conversation is not “show us your AI pilots.” It is:
“Show us how AI changes the structure of this market, where value will migrate, what strategic posture we have chosen, what we are uniquely positioned to win, what we will not do, and how we will measure whether this is real.”
Boards that do not force that conversation will end up governing AI as a compliance topic after competitors have already used it as a strategy weapon.



