Effective AI governance isn't an IT department concern — it's a board-level fiduciary responsibility. In 2026, organisations deploying AI without a formal governance framework aren't just taking a strategic gamble; they're accumulating regulatory liability under the EU AI Act and UK GDPR that can result in fines running to tens of millions of pounds. The fix isn't complicated, but it does require accepting that "we'll sort compliance later" is no longer a viable position.
I've sat in enough board meetings where AI was discussed in the same breath as "exciting opportunity" and "we should probably look into that" to know that the governance conversation is arriving about eighteen months too late for most organisations. This article is the one I wish someone had put in front of those boards before the pilots went live.
What Does "AI Governance" Actually Mean for a Board?
AI governance is the set of policies, accountability structures, and technical controls that determine how AI systems are built, deployed, monitored, and retired within an organisation. It covers who owns decisions when an AI model produces a biased output, what happens when an autonomous agent takes an action nobody explicitly authorised, and how you demonstrate to a regulator that your AI is doing what you claim it's doing.
That last part is where most organisations are currently standing in their socks on a cold floor, realising they haven't got an answer.
Governance is not a single document. It's not a policy that lives in SharePoint and gets reviewed annually by someone who wasn't in the room when it was written. It's an ongoing operational discipline — and in 2026, it's table stakes.
Is Cybersecurity Really a Board Issue Now — Not Just an IT Issue?
Yes. And if your board still thinks otherwise, that's the most important thing to fix before you read another word of this article.
The World Economic Forum's Global Risks Report 2024 listed AI-generated misinformation and cybersecurity as two of the top five global risks. The UK Government's Cyber Security Breaches Survey 2024 found that 50% of UK businesses experienced a cybersecurity breach or attack in the preceding 12 months. These aren't abstract threats. They are operational disruptions with material financial consequences.
When you connect AI systems — particularly agentic AI that can take autonomous actions — to your core infrastructure, you expand the attack surface considerably. An AI agent with access to your CRM, your finance system, and your email doesn't just represent productivity gains. It represents a very attractive target for anyone who wants access to all three simultaneously.
Boards have a duty of care to shareholders, employees, and customers. That duty now explicitly includes AI risk. The question isn't whether to engage with this — it's whether you're going to do it proactively or reactively, after something has gone wrong.
What Does the EU AI Act Actually Require — and When?
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. It came into force in August 2024, with a phased implementation timeline that means the most significant obligations are landing now and throughout 2025–2026. If your organisation operates in or sells into EU markets, this applies to you regardless of where you're headquartered.
The Act classifies AI systems by risk level:
- Unacceptable risk — Prohibited outright. Includes AI used for social scoring, real-time biometric surveillance in public spaces, and subliminal manipulation. These were banned from February 2025.
- High risk — Subject to strict conformity assessments, transparency requirements, and human oversight obligations. Covers AI used in hiring, credit scoring, critical infrastructure, law enforcement, and education. Full requirements apply from August 2026.
- Limited risk — Transparency obligations apply. Chatbots must disclose they are AI. Deepfake content must be labelled.
- Minimal risk — No specific legal obligations, though good practice frameworks still apply.
The penalties for non-compliance are not a slap on the wrist. Violations of the prohibited AI provisions can attract fines of up to €35 million or 7% of global annual turnover, whichever is higher. High-risk system violations carry fines of up to €15 million or 3% of turnover.
For context: if your organisation is using an AI tool in your HR process to screen CVs or assess candidates, that is classified as high-risk under the Act. The burden of proof — that the system is fair, explainable, and subject to human oversight — sits with you, not the vendor.
What About UK Organisations Post-Brexit?
The UK is taking a different approach. Rather than a single AI Act, the UK Government is pursuing a sector-by-sector, principles-based framework — asking existing regulators (the FCA, ICO, CQC, and others) to apply AI-specific guidance within their domains. The AI Safety Institute is conducting frontier model evaluations, and the ICO has published detailed guidance on generative AI and data protection under UK GDPR.
This doesn't mean UK organisations are off the hook. If you sell into Europe, the EU AI Act applies. And UK GDPR's requirements around automated decision-making — specifically Article 22, which gives individuals rights regarding decisions made solely by automated processes — are very much in force and increasingly scrutinised.
| Regulatory Framework | Jurisdiction | Key Obligation | Max Penalty | Applies From |
|---|---|---|---|---|
| EU AI Act (High Risk) | EU / organisations selling into EU | Conformity assessment, transparency, human oversight | €15m or 3% global turnover | August 2026 |
| EU AI Act (Prohibited) | EU / organisations selling into EU | Full prohibition on listed use cases | €35m or 7% global turnover | February 2025 |
| UK GDPR (Article 22) | United Kingdom | Right to human review of automated decisions | £17.5m or 4% global turnover | Ongoing |
| DORA (Digital Operational Resilience Act) | EU financial services | ICT risk management, third-party oversight, incident reporting | Up to 1% average daily global turnover (per day) | January 2025 |
| UK ICO Generative AI Guidance | United Kingdom | Lawful basis for training data, transparency to users | Enforced under UK GDPR | Ongoing |
How Do You Build a Responsible AI Deployment Framework?
A responsible AI framework is not a document. It's a set of repeatable processes that run every time you adopt, deploy, or retire an AI system. Here's how I approach this with organisations — and the sequence matters.
Step 1: Conduct an AI Use Case Inventory
You cannot govern what you haven't mapped. Start by identifying every AI system currently in use across the organisation — including the ones your IT department didn't sign off on. (More on that shortly.) Classify each one by the EU AI Act risk tiers. This is usually a more uncomfortable exercise than people expect, because the answer is rarely "we only have two AI tools." It's more often "we have seventeen, three of which nobody can fully explain."
Step 2: Audit Model Bias and Output Quality
For every AI system in a decision-affecting role, you need to understand what data it was trained on, what it optimises for, and where it can fail. Bias doesn't always look like obvious discrimination. It can be as subtle as a model trained predominantly on data from one demographic producing systematically different recommendations for another. You need both technical audits and domain expertise to catch this.
Step 3: Establish Explainability Standards
Explainability (sometimes called XAI — Explainable AI) is the ability to provide a coherent account of why an AI system produced a particular output. For high-risk systems, this isn't a nice-to-have; it's a regulatory requirement. Build into your procurement criteria that any AI vendor must be able to demonstrate explainability for consequential decisions.
Step 4: Define Human-in-the-Loop Thresholds
Not every AI decision needs human review. But the ones that affect people's employment, credit, health, or legal status do. Define explicitly — in writing, in policy, in system design — at what point a human must be in the loop before an AI output becomes an action.
Step 5: Maintain Data Sovereignty
Data sovereignty refers to the principle that data is subject to the laws of the country in which it is collected or stored. When your organisation uses a third-party AI platform, you need to know: where is your data going? Is it being used to train the vendor's model? Is it stored in jurisdictions with adequate data protection? These questions belong in every vendor contract negotiation, not as an afterthought.
What Is "Shadow AI" and Why Should the Board Care?
Shadow AI is the organisational equivalent of finding out your employees have been using the office printer to run a side business. It refers to the use of AI tools — typically consumer-grade generative AI applications — by employees without IT knowledge, security assessment, or organisational approval.
A 2024 study by Microsoft and LinkedIn found that 78% of AI users are bringing their own AI tools to work, bypassing organisational procurement entirely. That means a significant proportion of your workforce is pasting customer data, internal strategy documents, and proprietary information into platforms that your legal team has never reviewed and your security team has never assessed.
This isn't a behaviour problem. It's a leadership problem. People use shadow AI because the officially sanctioned tools don't meet their needs, or because there are no officially sanctioned tools at all. The response isn't to ban everything and wait for people to comply. That approach has never worked with shadow IT, and it won't work with shadow AI either.
The response is to create a governed path for experimentation — a safe environment where employees can use AI tools with appropriate guardrails, where usage is visible, and where the organisation learns from what's actually being tried rather than pretending it isn't happening.
Practical Controls for Shadow AI
- Implement Data Loss Prevention (DLP) policies that flag or block the transmission of sensitive data to unapproved external platforms.
- Establish a pre-approved AI tool register — a curated list of assessed tools employees can use without individual approval.
- Create a lightweight AI tool request process so employees can flag tools they want assessed, rather than just using them anyway.
- Train staff on what constitutes sensitive data and why it matters — not through a 45-minute compliance e-learning module that everyone clicks through at speed, but through genuine conversation about real scenarios.
- Appoint an AI Governance Lead — someone with authority to make decisions, not just to write policies.
What's the Difference Between AI Ethics and AI Compliance?
This distinction matters more than most governance frameworks acknowledge. Compliance is the floor — the minimum standard required to avoid regulatory sanction. Ethics is the ceiling — the standard required to build and maintain trust with customers, employees, and society.
An AI system can be fully compliant with the EU AI Act and still be doing something that most reasonable people would consider wrong. Compliance asks: "Are we breaking any rules?" Ethics asks: "Are we doing the right thing?" Both questions deserve serious attention, and they don't always produce the same answer.
In my experience, organisations that treat AI governance purely as a compliance exercise tend to build frameworks that satisfy auditors and frustrate everyone else. Organisations that approach it as an ethical commitment tend to build frameworks that people actually follow, because the reasoning behind them makes sense.
The practical difference: a compliance-first framework tells employees what they cannot do. An ethics-first framework helps employees understand why certain boundaries exist and equips them to make good judgements in novel situations that the policy didn't anticipate — which, with AI, is going to happen constantly.
A Plain-English AI Governance Checklist for Boards
If you're walking into a board meeting next week and want to know whether your organisation has the basics covered, here's what to ask:
- Do we have a complete inventory of all AI systems currently in use? Including those not procured through IT.
- Have we classified our AI use cases by risk level against the EU AI Act tiers?
- Do we have a named AI Governance Lead with actual authority, not just a title?
- Can we demonstrate explainability for any AI system involved in consequential decisions about people?
- Do our vendor contracts address data sovereignty — specifically where data is stored and whether it's used for model training?
- Do we have human-in-the-loop thresholds defined in writing for high-risk AI decisions?
- Have we assessed our exposure to shadow AI? And do we have a constructive response to it?
- Is cybersecurity explicitly on the board agenda — not just in the IT committee report?
- Do we have a process for ongoing model monitoring — not just pre-deployment testing?
- Have we reviewed our AI governance framework in the last six months? Given the pace of regulatory development, annual reviews are already out of date.
If the answer to more than three of those is "I'm not sure," that's the starting point for the conversation, not a reason to avoid having it.
Frequently Asked Questions
Does the EU AI Act apply to UK companies after Brexit?
Yes, if your organisation provides AI systems or services to users in the EU, or if the outputs of your AI systems are used within the EU, the Act applies to you. Brexit did not create a regulatory exemption for UK organisations operating in European markets. UK-only operations fall under the UK's own framework — currently principles-based and sector-led — but this is evolving rapidly.
What counts as a "high-risk" AI system under the EU AI Act?
High-risk systems include AI used in recruitment and HR decisions, credit and insurance scoring, critical infrastructure management, education and vocational training assessments, law enforcement, border control, and the administration of justice. If your AI system makes or significantly influences decisions in any of these areas, you're in high-risk territory and subject to the full conformity assessment requirements.
What is an AI governance framework and what should it include?
An AI governance framework is a structured set of policies, roles, processes, and technical controls that govern how AI is adopted, deployed, monitored, and decommissioned within an organisation. At minimum, it should include: an AI use case inventory, risk classification criteria, a vendor assessment process, data sovereignty requirements, explainability standards, human-in-the-loop thresholds, incident response procedures, and a regular review cycle.
How do I stop employees using unauthorised AI tools?
Prohibition alone doesn't work — the evidence from a decade of shadow IT tells us that clearly enough. The more effective approach is to create a sanctioned, governed pathway for AI experimentation alongside technical controls (DLP policies, approved tool registers) and genuine education about why the boundaries exist. People comply with rules they understand and that they believe are reasonable.
What is model drift and why does it matter for governance?
Model drift occurs when an AI model's performance degrades over time because the real-world data it encounters has changed from the data it was trained on. A credit risk model trained on pre-pandemic economic data will drift significantly in a post-pandemic environment. Governance frameworks must include ongoing monitoring — not just pre-deployment testing — to catch drift before it produces harmful or embarrassing outputs.
Do charities and non-profits need to comply with AI regulations?
Yes. Regulatory obligations apply based on what an AI system does and who it affects, not on the legal structure of the organisation deploying it. A charity using AI to make decisions about beneficiary eligibility, for example, would be operating a high-risk system under the EU AI Act. The governance requirements are the same; the resources available to meet them may be considerably more constrained, which is a real and legitimate challenge for the sector.
How often should an AI governance framework be reviewed?
Given the pace of regulatory development and the speed at which AI capabilities are evolving, I'd argue that annual reviews are already insufficient. A quarterly review cycle for the framework itself, with continuous monitoring of AI system outputs, is a more realistic posture for 2026. Build in a trigger for out-of-cycle reviews whenever a significant new regulation is published, a new AI capability is deployed, or an incident occurs.
Nicholas Hodder is a digital transformation leader, speaker, and advisor with over 20 years of experience helping organisations navigate the gap between technology strategy and operational reality. He advises boards, executive teams, and public sector organisations on AI governance, responsible deployment, and culture-first change management.
If your board is ready to have the AI governance conversation properly — before the regulator starts it for you — get in touch to discuss an AI Governance and Ethics Advisory engagement.
