Board reporting

What boards ask about AI

The questions a board reliably returns to about AI risk — and how to answer each one with evidence rather than assurance.

AI now touches revenue, operations and regulatory exposure, so it has moved onto the board agenda alongside cyber and financial risk. Boards do not need to understand model internals. They need to know that the organisation can answer a small set of recurring questions clearly, consistently and with evidence behind each answer. That oversight duty is reflected across the major frameworks: the OECD AI Principles list accountability among their values-based principles, ISO/IEC 42001 gives leadership and top-management responsibility its own clause, and the NIST AI Risk Management Framework puts a Govern function first and treats it as cross-cutting, informing the Map, Measure and Manage functions that cover the rest of the lifecycle.

The five questions below are the ones that surface most often. For each, the goal is a defensible answer drawn from a living record rather than a point-in-time slide.

1. What AI do we actually run?

Almost every other question depends on this one. A board wants to know whether there is a single, current inventory of AI systems, covering systems built in house, bought, and embedded in third-party tools (including AI features switched on inside existing SaaS products), rather than a best guess. Answer it with a maintained inventory that names each system, its purpose, the data it uses, its business owner and its risk tier, together with how the inventory is kept current: who adds entries, what triggers a review, and when it was last checked against what is actually deployed. Currency matters more than size: a board takes more comfort from "this list is kept current and here is how" than from a large but stale catalogue.

2. What is our regulatory exposure?

The follow-up is which obligations apply and where the organisation stands against them. Map each material system to the regimes it falls under. For many organisations that means the EU AI Act, whose obligations depend on how each system is classified (prohibited practices, high-risk systems, transparency duties and general-purpose models carry different requirements, and those requirements apply in stages, with the high-risk obligations landing later than the prohibitions), alongside sector rules. Answer with a short readiness view per regime: what applies, what is in place, what is outstanding, and the dates that matter for each classification. Avoid implying full compliance where work is still open; boards respond better to an honest gap list with owners and dates.

3. Who owns each system?

Accountability is a recurring theme because, without a named owner, no one is answerable when a system misbehaves. For each material AI system there should be a single accountable owner on the business side, not only in a central function. Answer by showing that ownership is recorded against every entry in the inventory and that owners have accepted the controls and obligations attached to their systems.

4. How do we know the controls work?

It is not enough to say controls exist; a board wants assurance they are operating. Answer with coverage and evidence: what proportion of in-scope systems have each expected control in place, and how fresh the supporting evidence is. Count a control as covered only where there is dated evidence that it ran, such as a recent test result, review record or monitoring output; a control that is documented but has not been exercised within its review period belongs in the gap list, not in the coverage number. Pair the headline figure with a short list of the most significant open issues, their owners and their remediation status, so the picture is honest rather than uniformly green.

5. What is it costing us?

AI spend can grow quickly and quietly, particularly usage-based model and API charges that scale with adoption rather than with a procurement decision. Boards increasingly ask what AI costs, whether that cost is attributed to the teams and use cases driving it, and whether the value justifies it. Answer with a cost view tied to owners and outcomes rather than a single aggregate number, so the board can see where spend concentrates, how it is trending and whether it is under control.

Answering with evidence, not assurance

The common thread is that each answer should trace back to a maintained record an assessor or auditor could inspect — an inventory entry, a control result, a piece of dated evidence, an owner's sign-off. Keeping those records current between meetings is what turns a board update from a reassurance exercise into genuine oversight.

How TrustedAIGov helps. The Governance Platform maintains the inventory, control coverage, ownership and evidence that these board questions draw on, so an update is generated from a live record rather than assembled by hand. Its structure is designed to support board oversight and to stay aligned with the accountability and governance expectations in the OECD AI Principles, ISO/IEC 42001 and the NIST AI RMF Govern function.

Give your board answers it can rely on

Turn governance data into clear, evidenced answers to the questions your board keeps asking.