How to use this list
This is not a legal audit or a complete compliance procedure. It is a set of questions for a conversation between the board and management, and between management and the organization.
The value comes when answers lead to an owner, metric, document, decision or action. If the organization cannot answer some of these questions, the gap itself is information for the board.
10 questions for the first conversation
- What business problem should AI solve?
- Who owns AI at management level?
- Where does AI affect customers, employees or decisions with material impact?
- Do we have a register of AI use cases and owners?
- How do we measure value, cost, quality and adoption?
- What data enters AI systems?
- Who approves human decisions supported by AI?
- How do we review vendors and tool terms?
- What is our scenario for an AI incident?
- When is an AI project stopped?
Questions from the board to management
- Where is AI expected to change result, cost, quality, speed or risk?
- Which AI initiatives support company strategy, and which are experiments driven mainly by technology availability?
- What AI decisions does management want to make in the next 12 months, and which require board oversight?
- Who in management owns AI as a whole: strategy, risk, compliance, data, vendors and business result?
- How will the board be informed about progress: through project narrative or through value, risk, quality and adoption metrics?
- Which AI use cases may affect customers, employees, contractors, reputation or legal compliance?
- Does the company have a register of AI use cases, their owners and risk classification?
- Where does a human approve an AI-supported decision, and where do they only react after the fact?
- Does management have a scenario for an AI-related incident: error, data leak, discriminatory decision, hallucination or unauthorized use?
- What AI competence does the board, management team and key AI-using functions have today?
Questions from management to the organization
- Which AI systems are formally used today, and which operate as shadow AI outside organizational control?
- Which business processes already depend on AI, even if the organization does not yet call them AI systems?
- Who owns each AI use case: business, IT, compliance, security, HR, legal, process owner or vendor?
- What data enters AI systems and who approved its use?
- Can the team reconstruct the decision path: data, prompt, model, output, human in the loop and final decision?
- What rules apply to employees using public, enterprise and internal AI tools?
- Are AI vendors assessed for security, data rights, processing location, auditability and exit options?
- Who monitors AI output quality after implementation, not only during the pilot?
- How does the organization detect wrong, biased or outdated AI outputs?
- When is an AI project stopped if it does not deliver value or creates too much risk?
AI Act and AI literacy
For a board, the AI Act is not a topic to be checked off with one document. Since 2 February 2025, provisions on prohibited practices and AI literacy have applied. Further duties depend on the organization's role, the type of system and the risk classification. The conversation should therefore start with a map of AI use cases, not one date in the calendar.
The board does not need to conduct the legal audit. It should be able to ask management where the organization acts as provider, deployer or user of AI systems, who maintains the use case register and how the competence of people working with AI is matched to role, context and risk.
- Does the organization know where it acts as provider, deployer or user of AI systems?
- Is there an up-to-date register of AI use cases and risk classification?
- Do people working with AI systems have AI literacy appropriate to their role, context and risk?
- Does the organization know which AI use cases may affect natural persons, customers, employees or decisions with material impact?
- Does vendor selection include questions about compliance, documentation, security, monitoring and each party's obligations?
- Can management show the board how AI Act obligations are managed operationally, not only described in policy?
ROI and budget
- What business problem does the AI initiative solve?
- What metric will show that the project makes sense: revenue, cost, time, quality, risk, customer satisfaction or operational capability?
- How much does it cost to maintain the solution after the pilot: data, licenses, integrations, monitoring, updates, security and people?
- Does the project have a business owner accountable for the result, not only for launching technology?
- At what result is the project scaled, stopped or rebuilt?
Risk and control
- What operational, regulatory, reputational, financial and quality risks does this AI use case create?
- Are AI risks included in risk management, compliance, audit and internal control?
- Does the board receive information on AI risk in the same form as on other material company risks?
- Does the organization have a procedure for reporting and handling AI incidents?
- Is there a clear boundary between an AI recommendation and a human decision?
- Can the company explain to a customer, regulator or auditor how a material AI-supported process works?
Execution
- Does the AI pilot have a path to an operating process, budget, owner, quality control and monitoring?
- What must be true in 90 days to say that the project moved from presentation to operation?
- Which functions must cooperate for AI to work safely: business, IT, data, security, legal, compliance, HR, operations?
- Does the organization have sufficient data, processes and competence to maintain the solution after launch?
- Who has the authority to stop an AI project if risk grows faster than value?
When to pause the conversation
If answers are generic, scattered or dependent on one person, the board should treat that as a signal. With AI, the problem is rarely the technology itself. More often it is the absence of an owner, metrics, controls or execution capability.
In such situations, it is useful to start with a short board briefing or AI governance review.