What directors should ask before approving AI in the business, and the controls that make the answer yes.
For a board, the real question about AI is not whether it works, but whether the organisation can defend how it was used. Governance is the set of controls that lets you answer yes with confidence.
Start with four questions. Where does a human approve consequential actions? What does the system log, and can you reconstruct any decision after the fact? How is performance monitored, so drift is caught early? And how is all of this reported in terms the board and an auditor can read?
These are the same disciplines a finance function already applies to any process that touches money or customers. The mistake is treating AI as special and bolting it on without them, then discovering you cannot explain what the system did when someone asks.
Ownership matters too. A board should expect the organisation to own the code, the prompts and the data, rather than renting a system it cannot inspect. That is what makes independent review possible.
Treat autonomy as a setting you raise on evidence. Begin with a human in the loop, measure the error rate, and relax the controls only as the record justifies it. Governance is not a brake on AI; it is what lets you use it without taking on risk you cannot see.
