NACD Calls on Boards to Restructure AI Oversight, Flagging Bias, Hallucination, and Privacy as Core Governance Risks
What happened
The National Association of Corporate Directors (NACD) published "Tuning Corporate Governance for AI Adoption" as part of its 2025 Governance Outlook series, targeting boards of directors at companies of all sizes and sectors globally. The guidance argues that existing board oversight frameworks were not designed with AI in mind and require deliberate adaptation rather than mere extension of current committee mandates. It identifies four priority control areas: bias management, hallucination risk in generative AI outputs, data privacy, and continuous monitoring of AI's evolving impact on the enterprise risk profile. The document emphasizes cross-functional governance structures that bridge technology, legal, risk, and business functions under board-level visibility. While non-binding, the guidance carries practitioner weight given NACD's role as the primary professional body for U.S. corporate directors.
Why it matters
- Regulatory exposure is rising as securities regulators and institutional investors increasingly scrutinize whether boards have adequate AI oversight structures in place, meaning gaps identified in NACD-aligned governance benchmarks can surface directly in shareholder engagement, proxy advisory assessments, and SEC disclosure reviews.
- Operational impact is significant because the guidance explicitly links hallucination risk and model drift to board-level reporting obligations, requiring compliance teams to translate technical AI failure modes into risk metrics that non-technical directors can assess and act on.
- Organizational risk is compounded by the cross-functional mandate: without a defined committee charter or clear decision rights for AI governance, accountability gaps between legal, technology, and risk functions will persist and become harder to defend in litigation or regulatory inquiries.
What to do now
- ☐ Assess whether your board or a designated committee has a documented AI oversight charter with defined decision rights, escalation thresholds, and reporting cadences, and remediate gaps against the NACD framework.
- ☐ Map the four NACD control areas (bias, hallucination risk, privacy, and risk profile monitoring) to existing internal controls and identify which lack board-visible metrics or reporting owners.
- ☐ Build or update a board AI risk reporting template that translates technical AI performance indicators into business risk language, covering at minimum model drift, fairness metrics, and privacy incident trends.
- ☐ Conduct a director AI literacy assessment to determine whether current board members have sufficient competency to evaluate AI risk reports, and design a targeted education program to close identified gaps.
- ☐ Review your AI risk tolerance and appetite documentation to confirm it has been formally approved at board level and reflects AI-specific scenarios including generative AI hallucination events and third-party model failures.
What to watch next
Compliance teams should monitor whether institutional proxy advisory firms such as ISS and Glass Lewis incorporate AI board oversight criteria into their 2025 and 2026 governance scoring frameworks, as NACD guidance frequently precedes such shifts. The SEC's ongoing review of AI-related disclosure obligations under existing securities rules may also create formal reporting requirements that align closely with the NACD recommendations, particularly around material AI risks. Additionally, the emergence of investor-facing AI governance frameworks, including work from the Oxford Martin School on investor AI governance, signals that voluntary board-level guidance is converging toward investor-enforceable expectations.
