AI Governance Institute logo
AI Governance Institute

Intelligence for Compliance and GRC Teams

← News

NACD Board Governance Guide Raises the Bar on Director AI Competency and ERM Integration

Source

Director Essentials: Implementing AI Governance

National Association of Corporate Directors (NACD)

Via National Association of Corporate Directors (NACD)

What happened

The National Association of Corporate Directors published Director Essentials: Implementing AI Governance, a structured guide addressed directly to corporate directors rather than to management teams or legal counsel. The guide requires boards to integrate AI risk into enterprise risk management frameworks as a discrete category, not as an extension of existing technology or cyber risk buckets. It directs directors to assess their own AI competency and close identified gaps, and to establish AI-specific KPIs that allow boards to track governance performance over time. The publication does not carry the force of law, but NACD guidance has historically been treated by courts, securities regulators, and institutional investors as a baseline statement of what reasonable board oversight looks like. Organizations already aligning with the ISO/IEC 42001:2023 – Information Technology – Artificial Intelligence – Management System or the NIST Artificial Intelligence Risk Management Framework Playbook will find the NACD guide largely consistent with those frameworks, but the guide's board-facing framing makes it operationally distinct.

Why it matters

  • ·Regulatory and litigation exposure: Courts and the SEC have increasingly used recognized practitioner standards to assess board oversight adequacy in securities and derivative actions; NACD guidance now gives plaintiffs and regulators a named benchmark against which director conduct on AI risk can be measured, raising the stakes for boards that have not formally addressed AI governance.
  • ·Operational impact on ERM and reporting programs: The requirement to establish AI-specific KPIs and integrate AI risk into ERM frameworks means compliance and risk functions will need to produce board-ready AI risk data on a recurring basis, which most organizations do not yet have a formal process to generate.
  • ·Director competency as a governance gap: The guide's call for boards to assess and close their own AI competency creates a new accountability layer above management; organizations that cannot demonstrate director-level AI literacy may face heightened scrutiny from institutional investors and proxy advisory firms applying AI governance criteria.

Governance controls affected

What to do now

  • Map the NACD guide's requirements against your current board reporting cadence and identify gaps in AI-specific risk data delivered to directors.
  • Commission a director AI competency assessment using BRD-001 criteria and document findings before the next board cycle.
  • Update your ERM framework to classify AI risk as a standalone category with defined risk appetite and tolerance statements under BRD-006.
  • Develop at least three AI-specific KPIs for board consumption, covering risk exposure, incident trends, and governance program maturity, and establish a reporting baseline.
  • Brief the audit committee on the NACD publication and its implications for board oversight adequacy, and capture that briefing in board minutes to create a contemporaneous record.

What to watch next

Compliance teams should monitor whether the SEC references the NACD guide in future AI-related disclosure guidance or enforcement actions, as agency staff have previously cited NACD publications when evaluating board oversight adequacy. Institutional investors and proxy advisory firms are also refining their AI governance voting criteria for the 2027 proxy season, and the NACD guide is likely to inform those frameworks. Organizations subject to the SEC AI Governance Guidance should assess whether their current board disclosures satisfy the elevated competency and ERM integration expectations the NACD publication now codifies. Any forthcoming NACD updates to this guide, particularly if they incorporate sector-specific obligations, should be tracked and compared against existing internal governance documentation.

AI Governance Weekly

Weekly intelligence on AI regulation, enforcement, and governance. Every Thursday.

Powered by Buttondown.

Related Coverage

Research2026-07-03

NACD Board AI Governance Guide Puts Director Competency and ERM Integration at the Center of Oversight Accountability

The National Association of Corporate Directors (NACD) has published 'Director Essentials: Implementing AI Governance,' a practical guide establishing what boards must do to govern AI responsibly at the enterprise level. The guide calls on directors to integrate AI risk into enterprise risk management frameworks, assess their own AI competency, update committee charters, and establish AI-specific KPIs. Compliance teams can use the guidance to benchmark board-level accountability structures and identify gaps in governance program design.

Research2026-06-30

U.S. AI Action Plan Shifts AI Risk Ownership to Corporate Boards, Harvard Ethics Center Warns

The Harvard University Ethics Center published a commentary on November 10, 2025, analyzing the governance implications of America's AI Action Plan for private-sector organizations. The commentary argues that the plan's preference for reduced federal regulation transfers primary AI risk management responsibility to corporate boards and senior executives. This shift elevates board accountability and executive liability as central compliance concerns for U.S. enterprises.

Corporate Policy2026-06-27

NACD Tells Boards to Recalibrate AI Risk Appetite and Assign Clear Governance Ownership in 2025 Outlook

The National Association of Corporate Directors has published board-level guidance urging directors to refine existing oversight mechanisms for AI adoption, designate accountable leaders, and integrate data governance as a strategic priority. The guidance addresses how AI reshapes corporate risk profiles, including exposure to hallucinations and algorithmic bias. It applies broadly to US-listed companies and any organization where the board has formal oversight responsibilities for technology risk.