Most boards think they need an AI strategy. What they need first is a way to evaluate one.
This is a subtle but consequential distinction. An AI strategy tells the board what the executive team intends to do with AI. A governance framework tells the board how to evaluate whether that strategy is credible, whether the proposed deployment is safe, and whether the organisation has the oversight mechanisms to manage what gets built. Without the second, the first is an intention document the board has no framework to interrogate.
The sequence matters because of when the decisions happen. The AI strategy arrives in a board paper, typically prepared by the CTO or a consulting firm, with a recommendation and a budget request. The board has approximately 90 minutes to respond. If the board does not have a governance framework — a defined set of questions, evaluation criteria, and oversight requirements — the response to the strategy is an approval based on confidence in the CTO rather than an assessment of the proposal’s governance quality.
That is not board governance. That is board trust. Trust is not a governance mechanism.
What an AI strategy typically contains — and what it typically omits
AI strategy documents I have seen presented to boards generally cover: what AI initiatives the company is pursuing, what the expected business benefits are, what the technology choices are, and what the investment required is. Good ones include a risk section. Excellent ones include a phased implementation plan.
Almost none of them include an answer to the question the board most needs answered: what governance structure is in place to ensure that when something goes wrong — as it will — the board will know about it, can assess it, and can act on it?
The omission is not usually cynical. It is structural. The people who write AI strategy documents are, typically, technically competent and commercially motivated. They are not hired to think about what happens when the AI system fails. They are hired to build it. The governance question is a board question, and it needs to be asked by the board before the strategy is approved — not included as an afterthought in a section the CTO writes to satisfy the governance box.
The board that has a governance framework before the strategy arrives has the standing to ask: does this strategy proposal include the risk management structure Article 9 of the EU AI Act requires? Does it specify the human oversight mechanism? Does it identify which of the proposed deployments would fall under Annex III high-risk classification? Does it include a testing and monitoring plan?
The board that does not have a governance framework cannot ask these questions, because it does not know which questions to ask.
The cost of getting the sequence wrong
The cost of getting the sequence wrong is not theoretical. It is specific and well-documented.
When a board approves an AI strategy without a governance framework, it approves a set of deployments without defined oversight mechanisms. Those deployments go into production. Problems emerge — model drift, data quality issues, edge case failures, regulatory compliance gaps. The problems reach the board as incidents, because there was no governance structure to catch them as early-warning signals.
The cost of an AI governance failure that reaches the board as an incident is typically three to five times the cost of the governance structure that would have caught it earlier. This is not a rule of thumb; it is a consistent pattern in technology governance failures across industries. The regulatory investigation costs, the reputational remediation, the customer compensation, and the board’s time dealing with the incident rather than the business are all preventable costs, and they are the costs that arise from the wrong sequence.
The right sequence is: governance framework first, then strategy review, then deployment approval. The governance framework defines what a credible AI strategy must contain. The strategy review evaluates the proposal against that framework. The deployment approval attaches governance conditions to the approved initiative.
This sequence does not slow down AI adoption. It makes AI adoption defensible — to regulators, to customers, and to shareholders.
What a governance framework does that a strategy document cannot
A governance framework is not a policy document. It is a decision-making structure. Specifically:
It defines the questions the board asks when evaluating an AI proposal. Not vague questions — specific ones. “Which Annex III high-risk categories does this deployment fall under?” “What is the escalation path from the AI oversight function to the board?” “What does the human oversight mechanism look like, and who specifically occupies the oversight role?” “What is the testing protocol before production deployment, and what criteria must the test meet before deployment is approved?”
It defines the information the board receives on a standing basis. Not incident reports — regular structured reporting on AI governance health: deployment inventory, incident log, data quality monitoring summary, regulatory compliance status.
It defines who is accountable at the executive level for each AI governance requirement, and what the board’s assurance mechanism is for each accountability. Not “the CTO is responsible for AI” — that is a delegation, not a governance structure. “The CTO is accountable for monthly reporting to the board on AI risk management system compliance, against the criteria in Schedule A” is a governance structure.
None of this is possible without the framework existing before the strategy arrives. The board that builds the governance framework first is the board that is prepared to make the strategy decision responsibly.
The governance framework does not obstruct the strategy
I want to address the objection that is sometimes raised by executive teams when a board asks to see the governance framework before approving the strategy: “This will slow us down. Our competitors are already deploying AI.”
The competitors who are already deploying AI without board-level governance frameworks are accumulating risk they have not measured. Some of them will be fine. Some of them will have regulatory findings, or AI incidents, or customer trust failures that their boards were not equipped to prevent or manage. The ones who are fine were either lucky or have informal governance mechanisms that happened to function.
Luck and informal oversight are not governance structures. A board that knows this is not obstructing AI strategy. It is fulfilling its governance obligation.
The EU AI Act’s enforcement window opens in August 2026. The boards that approved AI deployments before building governance structures are now in the position of retrospectively complying with requirements they should have addressed at the point of approval. That is a more expensive and more disruptive process than getting the sequence right from the start.
The competitors who are already deploying AI responsibly — with documented oversight, tested human review mechanisms, and board-level governance structures — are the ones building a defensible position. That is the competitive position worth replicating.
The Board AI Governance Framework is a decision-making structure designed for boards that need to govern AI before they have an AI strategy, or alongside one that is already in motion. It provides the specific questions, evaluation criteria, and oversight structures that a board needs to assess an AI proposal responsibly — and the standing governance mechanisms that allow the board to oversee AI deployment on an ongoing basis.
For boards seeking independent advisory support on AI governance design, contact Steven directly.
