NACD Tells Boards to Recalibrate AI Risk Appetite and Assign Clear Governance Ownership in 2025 Outlook
What happened
The National Association of Corporate Directors published Tuning Corporate Governance for AI Adoption as part of its 2025 Governance Outlook series, offering boards a structured approach to AI oversight without displacing existing governance frameworks. The guidance instructs directors to identify responsible leaders for AI accountability, assess how AI materially shifts the organization's risk profile, and treat data governance as a core strategic input rather than a downstream IT concern. It directly names AI hallucinations and algorithmic bias as risk categories that boards must understand and monitor, placing those concerns at the same level as financial and operational risk. The document is framed as an adaptation guide, acknowledging that most boards have governance infrastructure in place but arguing that AI demands deliberate recalibration of how that infrastructure operates. The guidance is US-focused but draws on principles applicable across jurisdictions where fiduciary duties extend to technology risk oversight.
Why it matters
- ·Regulatory exposure is increasing: securities regulators and state legislatures are beginning to scrutinize whether boards have adequate AI competency and oversight structures, meaning gaps identified by the NACD guidance could surface in enforcement or litigation contexts.
- ·Operational impact is direct: assigning named accountability for AI governance and integrating data governance into strategic planning requires immediate changes to committee charters, reporting lines, and board information flows, not just policy updates.
- ·Organizational risk is compounded by inaction: boards that cannot demonstrate they have assessed how AI changes the company's risk profile face heightened exposure in shareholder derivative suits, regulatory examinations, and ESG disclosures where AI governance maturity is increasingly a rated criterion.
Governance controls affected
What to do now
- ☐Map current board committee charters to confirm that AI risk oversight is explicitly assigned, with named accountability at the director and executive level, and update charters where that assignment is absent or ambiguous.
- ☐Commission a formal assessment of how AI deployment has altered the organization's risk profile, specifically documenting hallucination-related exposure and algorithmic bias risk in business-facing AI systems, and present findings to the full board.
- ☐Evaluate whether existing board-level AI reporting covers the data governance dimensions the NACD guidance identifies as strategic, including training data quality, lineage, and bias assessment, and close gaps in the reporting cadence.
- ☐Conduct a director AI literacy assessment using a structured competency framework and schedule targeted education for directors who will sit on or chair committees with AI oversight responsibility.
- ☐Review AI risk appetite and tolerance documentation to confirm it reflects current AI deployment scope, including generative AI and any agentic systems, and seek formal board ratification of updated thresholds.
What to watch next
Compliance teams should monitor whether the SEC expands its AI governance disclosure expectations in proxy guidance or comment letters, as the NACD's framing of AI oversight as a board fiduciary matter increases the likelihood that regulators will look for corresponding disclosures in proxy statements and 10-K risk factor sections. State-level corporate governance legislation, particularly in Delaware, may also begin referencing AI oversight standards as a benchmark for duty of care analysis. Additionally, proxy advisory firms including ISS and Glass Lewis are expected to update their governance rating methodologies to incorporate AI board competency criteria, which will affect voting recommendations for companies that have not formalized their oversight structures.