As a board director in 2026, you don't need to understand AI technically. You need to understand AI well enough to govern it — to ask the right questions in board meetings, to evaluate management's AI strategy, and to spot the risks that should be escalated. Here's the practical guide.
1. What is our AI operating-model thesis? Not "do we use AI" — every company does now. The board-level question: how does management think AI changes how the business is organized and operated? If there's no thesis, that's a signal.
2. What's our written AI policy? Every board should see the policy document. Approved tools, prohibited uses, verification standards, escalation paths. If management can't produce one, that's the first thing to require.
3. Where is AI material to our risk profile? Customer-facing AI? AI in financial decisions? AI in hiring? Each has specific risk patterns boards should understand.
4. What's our AI capability gap vs. competitors? If competitors are operating AI-native and you're not, that's a strategic deficit boards should see articulated and addressed.
5. Who owns AI strategy at the company? A diffuse "everyone uses AI" answer means no one owns it. Real AI capability requires either a named executive or an external partner (fractional or consultancy) with accountability.
1. Annual AI policy review. The policy should be reviewed yearly minimum. Tools, practices, and risks evolve faster than that — but annual review is the floor.
2. Incident reporting. AI mistakes that result in customer harm, data exposure, or reputational damage should be reportable to the board. This isn't paranoia — it's normal risk discipline applied to a new category.
3. Board-level disclosure on material AI dependencies. If a critical workflow depends on a single AI vendor, the board should know. This is no different from disclosing customer concentration.
4. AI as a permanent agenda item. Not just when something goes wrong. Quarterly AI updates from management force ongoing governance discipline.
1. Hallucination risk in client-facing outputs. AI sometimes invents facts. Where this gets in front of customers (proposals, support responses), it's a brand and legal risk.
2. Vendor dependency. Building critical workflows on a single AI vendor creates concentration risk. Multi-vendor posture is increasingly expected.
3. Talent migration risk. AI-fluent employees are increasingly hired away by AI-native competitors. Boards should track AI-related attrition.
4. Underinvestment risk. The inverse of the above — companies that under-invest in AI fall behind on cycle time and quality. This is a strategic risk, not an operational one.
If management cannot articulate an AI strategy in clear language. If there's no written policy. If competitors are visibly outpacing you on AI-driven productivity. If there's been a meaningful AI-related incident. If AI-related spend is increasing without measurable output gains.
Any of these warrant board discussion beyond the standard agenda. Several of them warrant calling in external assessment — see what is an AI audit for what a board-grade diagnostic looks like.
— Bill Colbert, Treetop Growth Strategy