Board Oversight Gaps Exposed: Diligent's AI Governance Guide Maps Three Lines of Defense, Fairness Audits, and EU AI Act Alignment for Directors and Audit Leaders
What happened
Diligent, a recognized governance, risk, and compliance platform vendor, published AI Governance: A Guide for Boards, Risk and Audit Leaders on June 22, 2026, targeting board directors, chief audit executives, and risk leaders who must translate AI policy into organizational accountability structures. The guide covers how to allocate AI oversight responsibilities across the three lines of defense, what fairness audits and bias mitigation programs should include, and how organizations can conduct third-party AI risk assessments. It explicitly aligns its recommendations with the EU AI Act, NIST AI Risk Management Framework, and OECD AI Principles, giving compliance teams a multi-framework lens for structuring internal controls. The guide also addresses the formation of cross-functional AI ethics committees and the documentation of leadership roles, both areas where regulators and auditors are increasingly demanding evidence of formal accountability. For organizations subject to the EU AI Act's high-risk system requirements or facing audit committee scrutiny on AI risk, the guide functions as a structured implementation reference rather than a conceptual overview.
Why it matters
- Regulatory exposure: The EU AI Act and emerging national frameworks increasingly require documented board-level accountability and formal governance structures for high-risk AI; organizations that cannot demonstrate these structures face conformity assessment failures and potential enforcement actions.
- Operational impact: The three-lines-of-defense framing forces compliance, risk, and internal audit functions to delineate ownership of AI controls explicitly, exposing gaps where AI risk management currently sits in no one's formal mandate.
- Organizational risk: Without a chartered AI ethics committee and defined director competencies, boards risk making material AI deployment decisions without adequate literacy or escalation pathways, increasing liability exposure under both fiduciary and regulatory standards.
Governance controls affected
What to do now
- ☐ Map your current three-lines-of-defense model against AI risk ownership and identify which AI control domains have no assigned line of defense accountable for them.
- ☐ Review your board and audit committee charters to determine whether AI risk reporting thresholds and escalation triggers (HOC-007) are formally documented and current.
- ☐ Assess whether your organization has a standing AI ethics or governance committee with a formal charter, defined membership, and decision rights, and remediate gaps against the structures described in the Diligent guide.
- ☐ Initiate or update your director AI literacy assessment (BRD-001) to ensure board members can meaningfully evaluate AI risk reports and challenge management assumptions.
- ☐ Cross-reference your third-party AI vendor assessments (PRC-001) against the EU AI Act, NIST AI RMF, and OECD AI Principles criteria cited in the guide, and update vendor questionnaires to reflect multi-framework requirements.
What to watch next
Compliance teams should monitor the EU AI Act's conformity assessment requirements as the enforcement timeline for high-risk systems advances, particularly how national market surveillance authorities interpret board accountability documentation. The EU AI Office is expected to issue further guidance on governance structures for high-risk AI deployers that will directly affect whether internal committee charters and three-lines-of-defense documentation satisfy regulatory expectations. Internal audit functions should also watch for emerging audit standards from the Institute of Internal Auditors on AI assurance, which are likely to reference frameworks like the NIST AI RMF and OECD Principles that this guide maps against.
