Rapid advances in artificial intelligence have put boards of directors in an unfamiliar position. They are increasingly asked to greenlight projects built on powerful AI systems, from predictive algorithms to generative AI in customer service. AI governance is a board-level responsibility, and it does not begin with technical frameworks like NIST or with waiting for regulation like the EU AI Act. It begins with accountability. Boards need to ask pointed questions that put responsibility and oversight at the center before any significant AI deployment is approved. Drawing on leading governance practice, here are the five questions every board should put to management to make sure an AI project is being deployed responsibly.
1. Who is formally accountable for AI-driven decisions?
When an AI system makes or shapes decisions, whether credit approvals, pricing, hiring, or customer interactions, who answers for the outcomes? Treating AI as a black box, with accountability lost across a maze of teams, is not acceptable. Mature organizations assign accountability explicitly for each part of AI use. The board should ask:
- Who owns model development and validation?
- Who owns risk acceptance, the judgment that the model's accuracy and fairness are good enough to put into use?
- Who is accountable for operational outcomes, the business impact or the errors the system might produce?
If the answers are vague or spread thinly across committees, that is a red flag. Clear accountability means that when something goes wrong there is a designated leader or team responsible for understanding the failure and fixing it. Without it, escalation paths blur and responses stall, which is precisely what regulators and courts will punish. A board should approve an AI deployment only once it is satisfied that accountability is assigned and understood at every level, from the people building the model to the executive signing off on its use.
2. Where is AI already in use, and where should it be used?
It is surprisingly common for a board to lack a full inventory of the AI already running inside its organization. AI can hide in vendor tools or in unsanctioned experiments. You cannot govern what you cannot see. Before approving anything new, directors should ask management for a clear view of all existing AI systems and planned deployments, including third-party AI embedded in the software the company already uses, such as a CRM or an HR platform. The value of the question is that it forces visibility. Only with an inventory can the organization apply consistent standards and risk assessments. It also ties AI back to strategy. The board should press the question of whether AI is being deployed where it truly adds value, rather than chasing hype. Well-governed companies make deliberate choices about where AI belongs and where it does not, based on strategic benefit and risk appetite. Organizations that run this exercise often discover both places where adoption has outpaced oversight and places where AI could help if it were introduced carefully.
3. What decisions will AI automate, and what must always involve human judgment?
Not every decision should be handed to an algorithm. The board needs to understand where management will draw the line between automated and human decision-making for the use case at hand. This is often an ethical and risk question at once. A company might allow AI to auto-approve low-risk loans but require human review for declines or higher-risk cases to protect fairness. Discussing these boundaries up front forces the company to define its risk tolerance and its ethical stance deliberately. If no one has thought about where human oversight must remain, in safety-critical or customer-sensitive situations, for example, the governance is not yet there. Clear human-in-the-loop policies also protect the company legally and reputationally. If an AI makes a controversial call, you can show the guardrails were designed in from the start.
4. How will we stay in control of AI over time, and prove it when challenged?
Approving an AI deployment is not a one-and-done event. The board should confirm that the company has an ongoing oversight program, with mechanisms to monitor performance, detect issues such as model drift, where accuracy or behavior changes over time, and escalate problems quickly. If an AI that started out unbiased begins producing discriminatory outcomes six months later as the data shifts, will the organization catch it? Staying in control also means disciplined change management. When the model or its data are updated, who reviews and approves the change?
Evidence is the other half. The board has to be confident that if a regulator, a customer, or a court asks how the company governs this AI, the company can answer with documentation and data: auditable records of model reviews, performance metrics, and the decisions made while overseeing the system. In effect, AI should be treated like any other enterprise risk, with a formal governance process, regular reporting to the board or a committee, and a documented trail of oversight. If management cannot explain how it will maintain control and demonstrate governance under scrutiny, the deployment is not ready.
5. How are we managing the AI risks introduced by third-party vendors?
For many companies, the biggest AI exposure comes not from models they build but from models they buy or integrate. If a bank relies on a third-party AI for fraud detection or customer screening, any failure of that system is still the bank's problem. The board should ask how management folds AI risk into vendor due diligence and ongoing oversight. Has it inventoried which vendors use AI in their services? Do contracts address transparency, audit rights, and notification when the AI changes? Regulators, including the US Consumer Financial Protection Bureau, have made clear that outsourcing a function does not outsource accountability. If a vendor's AI causes a compliance breach by making biased decisions, the company using it bears the consequences. The question matters because it surfaces whether management is looking past its own internally built AI to cover supply-chain risk, which tends to go unnoticed until something breaks. If vendor AI was not part of the original governance plan, the board should insist it become part of the plan before any new deployment proceeds.
The bottom line
Each of these questions is designed to cut through technical jargon and reach the heart of AI governance. A board that can confidently say who is accountable, where AI is used, how human judgment is preserved, how oversight is maintained, and how vendor AI is managed has very likely done its job. A board that cannot answer them should not approve a rollout until it can. The legal, ethical, and reputational risks are simply too high. By putting accountability first, directors ensure that any AI deployed on their watch is held to the same rigor and responsibility as the rest of the business. In a climate where regulators and stakeholders are increasingly wary of unchecked AI, asking the right questions is the board's strongest tool for keeping innovation aligned with governance.