The finding that should stop every Chair in their tracks

A BCG survey of 625 CEOs and board members published last month (May 2026) found that 61% of CEOs believe their boards are rushing AI transformation. Not dragging their feet. Rushing it.

The explanation buried in the data is worse than the headline: the directors with the lowest confidence in their own AI knowledge are the most likely to believe their organisation is moving too slowly.¹

The directors who understand AI least are the ones pushing hardest for speed.

This inverts the conventional narrative — that boards are too cautious, too analogue, too late for the AI moment. The 2026 evidence says something more uncomfortable: boards are not behind AI. They are ahead of what they understand. And that combination — urgency without literacy, momentum without oversight — is precisely how consequential decisions get made badly, and at scale.

The Stat This Week
61% of CEOs say their boards are rushing AI transformation — and directors with the lowest AI literacy are the most likely to believe they are moving too slowly. Urgency is being generated by uncertainty, not by analysis. (BCG, May 2026, n=625.)

The silence in the room

I have sat in more than thirty boardrooms across eight countries — start-ups to government-owned entities, regulators to multi-billion dollar listed organisations, across every seat at the table. The pattern is consistent: creative destruction gets treated as business-as-usual until it isn’t. I have watched AI strategy presentations receive twenty minutes of agenda time, wedged between the CFO’s report and AOB. How many of us have sat in meetings approving AI spend with no clear value logic, approving the tech stack without challenging the design choices, treating AI governance as a checklist, measuring success by pilots or tokens, accepting ‘human oversight’ without testing if it’s for real?

Are we asking the right strategic and governance questions of a technology now reshaping how organisations fundamentally compete and operate — price, recruit, source, credit-check, market — where agents, not humans, are increasingly making the decisions?

What I have not heard — not once, in any of those rooms — is the question that matters most:

If a well-capitalised competitor rebuilt our core product around AI in the next eighteen months, what would remain of our competitive position?

That silence is the governance gap. Not speed. Not caution. The absence of the question that wasn’t on the agenda.

The numbers no longer allow a comfortable interpretation

Two findings now sit alongside each other in a way the boardroom cannot ignore.

Deployment is happening regardless of readiness. Grant Thornton’s 2026 AI Impact Survey finds nearly three in four organisations are giving agentic AI access to their systems and processes — piloting, scaling or running it in production. Just 20% have a tested AI incident response plan for when it fails.²

Capital is moving at the same speed. BCG’s AI Radar finds corporations expect to lift AI spending from 0.8% to 1.7% of revenues in 2026, with more than half directed at agentic systems.³ These are not experimental budgets. They are material capital commitments made into a technology most boards do not yet have the fluency to interrogate.

What changes when the actor isn’t a person

Every board operating model in use today rests on a hidden assumption: the actor executing a decision is a human who can be instructed, supervised, slowed down and held to account. Once decisions and actions are delegated to autonomous agents — pricing engines, customer-routing models, recruitment screens, refund bots, credit-check agents — that assumption breaks. And once it breaks, the substance of nearly every board responsibility changes with it.

Governance moves from directing human actors making occasional, reviewable decisions to deciding how much agency to delegate to a non-human actor in the first place. Risk moves from slow, visible and auditable-after-the-fact to fast, opaque and emergent — errors propagating at machine speed before controls catch them. Controls move from detective to preventive, embedded and real-time — hard caps, whitelists, kill switches built inside the agent. Compliance moves from periodic and sample-based to continuous and designed-in. Assurance moves from tracing the decision to validating the guardrails under stress, because the reasoning isn’t transparent. Accountability stays exactly where it has always sat — with a named human — because it can never transfer to the agent.

The new first-order board question is no longer “how much risk are we willing to take?” It is “how much agency are we willing to delegate?” — where agents may act autonomously, recommend-only, or are banned outright; each with a named human owner; each with a tested kill switch.

AI doesn’t replace the board’s duties. It raises the metabolic rate at which they must be discharged.

This is why the Four-Domain Frame is not a synthesis of consulting research. It is the operating system the new reality requires — Strategy, Risk, Governance and Capability held at the same time, because the existing machinery was built for a different actor.

The mechanism — it isn’t ignorance, it’s information architecture

The problem is not that directors are unintelligent. I want to be clear about that — and direct about something more uncomfortable.

The board’s understanding of AI is almost entirely constructed by either a vendor pitch disguised as ‘advice’ or by management. Every briefing, every strategy update, every risk summary — shaped by people whose incentives run toward demonstrating competence, maintaining momentum and presenting AI as a controlled programme rather than an existential variable. This is not cynicism. It is a structural observation about how boards receive information and how management teams, rationally, frame it.

The board hears what the risk framework caught. It is almost never told what the risk framework was incapable of seeing.

We have been here before — and we did not learn the right lesson

When the internet arrived, boards appointed Chief Digital Officers. The CDO became the governance pressure valve — the person who ran the digital programme, attended the right conferences, brought in an army of vendors, seeded experiments and then asked to launch a venture fund. Boards called it digital strategy. Meanwhile insurgent entrepreneurs backed by smart VC money went directly after their core profit pools — disciplined quarterly sprints, real-time customer metrics, not waterfall two-year IT projects out of date at the point of committing funds. Reinvention using technology, not technology applied to what they already did.

The companies that navigated that transition had something different: a willingness to self-disrupt — challenging their own legacy economics before someone else did — and boards and management teams who took a long view of what technology might do to their market, treated governance as part of product quality, and were clear about the problem they were solving and why their solution was meaningfully better. The best live example is Google, managing an AI transition where Search still accounts for over $225 billion — more than 55% of total revenues. The counter-example: Air Canada’s chatbot hallucination case, where no one was governing the model end-to-end.

Stripe and Square went after incumbents’ payment economics; Spotify rebuilt music distribution around access, not ownership; Airbnb did the same to hotels’ fixed-cost economics. On the other side of those bets sat the boards that watched it happen — Kodak, Blockbuster, Nokia, BlackBerry, Sears — and many more will follow. The governance failure was not a failure to understand technology. It was a failure to understand what technology did — to competitive dynamics, to cost structures, to who controlled the customer relationship. Crucially, digital was the CEO’s job, treated as a cross-business imperative with a board-level strategy. Not delegated to one function. Not run as an IT project.

The same structural deficit is repeating itself, in compressed time. We are, in 2026, roughly where we were in 2000 — when the boards that believed they were governing digital transformation were, in most cases, ratifying management’s story about it. The difference is that the cycle is compressed, the capital commitments are larger, and the competitive and regulatory environment is hardening around boards that cannot demonstrate they asked the right questions.

The Four-Domain Frame — the navigation grammar

Stripped back to first principles, the WEF Oversight Toolkit, KPMG/INSEAD’s Global Principles, McKinsey’s AI Trust framework and BCG’s board guidance converge on four domains a board must now own at the same time. Together they are this publication’s single organising scaffold — the Four-Domain Frame. Every weekly issue navigates against it.

1/ Strategy & Innovation: where AI changes the moat

Posture · capital · value. Disruption · advantage

Decisions changed, not just automated

2/ Risk & Resilience: what the framework cannot see

8 risk families; 3 lines of defence. Preventive · real-time

3/ Governance & Accountability: how much agency, evidenced

Agency appetite · named owner. Reserved matters · cadence

Evidence, not attestation

4/ Capability & Culture: whether the board can govern this

AI literacy · composition. NomCo trajectory. Personal practice

The Four-Domain Frame · the navigation grammar of TheDirectorBrief. Cross-cutting: 6-dimension scorecard (Value · Adoption · Risk · Compliance · Capability · Trust), 10 building blocks, 6-month implementation arc.

Most boards govern one of these well. A few govern two. Almost none govern all four simultaneously — which is the only configuration that survives this transition.

The ten questions every board should be asking sit across the four domains. Each carries a consequence: the cost of it going unasked. That cost is the point.

Strategy & Innovation

1. If a well-capitalised competitor rebuilt our core product around AI in the next eighteen months, what would remain of our competitive position?

Most boards govern AI risk inside the existing business. Almost none ask the disruption question — not whether AI creates risk in our operations, but whether it lets a rival make our operations irrelevant. Management is paid to defend the model that exists. The board owns the question of whether that model survives.

2. Is our AI investment buying competitive advantage — or operational parity that every rival will also reach?

Boards are approving AI spending that doubles in a single year. The right governance question is not how much. It is what for. Efficiency gains from AI are real and accessible to every competitor. The organisations building durable advantage are redefining the product, the customer relationship or the cost architecture in ways that are hard to replicate. Does the board know which category its spend falls into?

3. Is AI changing how this organisation makes decisions — or simply automating the decisions it already makes?

This is the line that separates real transformation from expensive process improvement. Most organisations use AI to do existing things faster. Fewer use it to do things differently — to make decisions with information they could not previously access, at speeds the operating model precluded, at a level of personalisation the old margin structure could not support. The board should know which category describes its programme.

Risk & Resilience

4. What is our AI risk framework built to catch — and what is it structurally incapable of seeing?

Risk frameworks identify the risks they were designed to identify. AI introduces categories no pre-AI framework was built to surface: emergent model behaviour, training-data bias at scale, adversarial manipulation, hallucination in high-stakes outputs, and — new in 2026 — agentic systems taking sequences of autonomous decisions across connected processes. An audit committee receiving a RAG status update on AI risk is not governing AI risk. It is receiving a summary of classified risks — which is a different thing entirely.

5. How much agency have we delegated to non-human actors — and did we decide that, or has it happened to us?

Three in four organisations now give agentic AI access to their systems; only one in five has tested what happens when it fails.² The board’s instinct is to ask how much risk. The question that survives the next two years is how much agency. For every material AI use case — pricing, credit, recruitment, customer routing, supply chain, refund handling — there are three possible answers: autonomous, recommend-only, prohibited. Each with a named human owner. Each with a tested kill switch. The boards that have made those calls explicitly will be governing. The boards that haven’t will discover their agency appetite the way pricing committees once discovered their FX exposure: in the incident report.

Governance & Accountability

6. Where does accountability sit when an AI-driven decision causes harm — and has the board formally assigned it to a named human?

This is not hypothetical. The EU AI Act’s requirements are now effective across European markets. The FCA’s AI governance expectations are hardening. D&O exposure on AI-related harm is live and being tested. Most boards have not formally assigned AI accountability — not in committee terms of reference, not in management responsibilities, not in the schedule of matters reserved. Accountability never transfers to the agent. The answer, when it matters, will be found in what was documented. Not in what was assumed.

7. Is AI a standing item on the board agenda — or does it appear only when something goes wrong or management asks for a budget?

Reactive governance is incident response with a board letterhead. The boards building real oversight treat AI as a live strategic conversation — at the frequency and seriousness of financial performance — not as a technology update in the CTO’s slot once a quarter.

Capability & Culture

8. Are we asking management the questions that matter — or the questions management has prepared us to ask?

This is the meta-question, and the one I find most difficult to answer honestly about my own board contribution. When I have been on the presenting side of the table, I knew which questions were coming. I had prepared answers. The questions I had not prepared for were the ones that changed the dynamic — and they were almost never on the agenda. The BCG finding cuts both ways: if boards are pushing faster than management, the question is whether that pressure is informed or anxious. Governance is not about speed. It is about the quality of the decision.

9. Who in this boardroom has used an AI tool to do something consequential in the last thirty days?

I include myself in this question. If your understanding of AI is entirely briefing-derived, your pressure for speed cannot be informed. The board cannot meaningfully challenge management’s AI strategy if its understanding of AI is entirely second-hand. This is not about becoming data scientists. It is the same standard of practical engagement expected of any director overseeing a material business transformation. The board that governed digital without digital experience was the first wave’s structural error. Repeating it knowingly is harder to excuse.

10. Do we have the board composition to govern the company we are building — not just the one we have?

The NomCo’s job has always been to ensure the board has the skills the strategy requires. If the strategy now includes material AI transformation, agentic systems deployment and regulatory navigation under the EU AI Act, the skills required have changed. Not more technologists — more directors with the economic intuition to read what AI does to competitive dynamics, cost structures and the value of human judgment. A board effectiveness review that does not address this is answering the wrong question.

What good looks like

The boards I have seen govern AI substantively well were not, in most cases, the ones with more technical expertise on the register. The difference was a Chair who treated AI as a strategy and accountability question before a technology question — and who created space for the board to interrogate the framing rather than the numbers.

In one such room, the Chair stopped an AI strategy presentation forty minutes in and asked a single question: “What happens to this business if this plays through — what happens to the market we operate in?” The conversation that followed was the most productive AI strategy and governance discussion I have been part of. It changed the decision — not the investment level, the question the investment was designed to answer.

I have also seen the operating model done well: a three-session board sequence on a single strategic debate — market and technology understanding with external experts (information gap closed), options without a proposal (expertise drawn out across the table without bias), then a decision with clear success criteria and risks. That beats forty minutes between the CFO report and AOB. It also beats the 45-minute management pitch with 15 minutes for questions. Given the speed of AI development, this cannot be reserved for the annual strategy away day.

And — increasingly often — the board has had to make the agency question explicit. I sat through a debate on an autonomous customer-routing agent where the discussion moved from “is the model accurate enough?” to “how much can this agent spend per case without human approval; where does the human pick up; what’s the kill-switch test; who gets paged when an anomaly hits?” That conversation took ninety minutes. It was the most useful ninety minutes the board spent that year — because the agency appetite was decided before the agent shipped, not discovered after the incident.

Effective AI governance is not a framework. It is a quality of attention — and the willingness to ask the question that was not prepared for.

Before your next board meeting

Three things. Not ten.

• Watch. Which agenda items involve AI decisions — directly, or in the assumptions behind them — that the board has not explicitly discussed as AI decisions?

• Ask. Of the ten questions above, which three would most change your board’s current AI conversation? Take those three in. One is enough to shift the dynamic.

• Decide. Does your board’s current composition give you the experiential authority to govern the AI strategy you are approving? If the honest answer is no, what are you and the NomCo going to do about it today — not as a future problem?

This week in The Library

Your AI governance isn’t an IT policy. That’s why it’s failing. The companion to this Manifesto — the framework, the board’s four jobs and the six diagnostic questions that test whether your governance is real. Read after this.

Next week in The Frame

The scientists who built AI are calibrating real harm in double digits. The regulators are catching up. Next Tuesday’s Frame works through what that means for fiduciary duty — and why the boards that build governance because Brussels told them to will build the wrong thing. “Skynet didn’t have a board. Your company does.”

About The Frame

The Frame carries the editorial argument of the week — one strategic question worked through with evidence, in-the-seat experience and a so-what a director can act on. Short version in your inbox; long version on Substack for subscribers.

What this is, what it isn’t. This is one sitting director writing for fellow sitting directors. It is not NACD certification. Not Big Four broadcast. Not Board Agenda observation. Not LinkedIn governance commentary. Not vendor evangelism. UK and Anglo-European, with the regulatory rigour of FRC, FCA, EU AI Act and SEC. Read in thirty minutes. Used by Monday.

TheDirectorBrief publishes every Tuesday — AI for boards. Each issue carries five sections: The Frame (strategy), The Watch (governance and risk pulse), Five for the Chair (board and committee debate), Signal (AI news that matters, with STAT and CHART of the week), and The Library (primers, tools, templates, prompts and Monday-Morning builds). One read. Thirty minutes. In your inbox before Monday’s pack.

Subscribe free at TheDirectorBrief.com — or reply to this email. I read every response.

Dharmash Mistry sits on the boards of Halma plc, Rathbones Group, the Premier League and the Football Association. He has held board positions across more than thirty organisations spanning listed companies, regulated financial institutions, major sporting bodies and venture-backed businesses, including the BBC, British Business Bank, the Competition and Markets Authority, Hargreaves Lansdown plc, Dixons plc, Revolut and Lovefilm. Prior to this he was a Partner at the venture capital firms Balderton and Lakestar. AI for Boards is written from inside the boardroom, not from outside it.

Sources

1. BCG, AI in the Boardroom, May 2026 — survey of 625 CEOs and board members. [Primary — verify release.]

2. Grant Thornton, 2026 AI Impact Survey — agentic AI deployment and incident response readiness. [Primary.]

3. BCG, AI Radar 2026 — corporate AI spend as percentage of revenue. [Primary.]

Performance reference: MIT CISR, Board Digital Fluency and Performance, March 2025 — AI-fluent boards outperform peers by 10.9 percentage points in ROE; non-fluent boards trail by 3.8%. Carried in The Library’s board-effectiveness primer. [Secondary.]

Frameworks referenced: WEF AI Governance Toolkit (2024–25); KPMG/INSEAD Global AI Governance Principles (April 2026); McKinsey, State of AI Trust 2026 — Shifting to the Agentic Era; BCG AI Radar 2026. Agentic governance logic drawn from working paper Governing AI Agents in the Enterprise (Library, May 2026). [Primary, all.]