AI Governance Institute

Practical Governance for Enterprise AI


Question 35 of 45

How do we report AI risk to the board and audit committee?

Published by AI Governance Institute · Practical Governance for Enterprise AI

A structured approach to surfacing material AI risk at the board level — defining what to report, how often, and what escalation thresholds trigger immediate notification outside the normal cycle.

If you only do 3 things, do this:

  1. Define escalation thresholds before you need them: a Critical-tier incident is the wrong time to decide whether the board needs to know within 24 hours.
  2. The board does not need operational detail; they need: risk tier distribution, incident trends, regulatory exposure, and the three things most likely to cause a material loss or regulatory action in the next 12 months.
  3. One of the strongest signals of governance maturity is a board that asks follow-up questions. If your reports never generate questions, they are either too thin or too sanitized.

The Situation

Who this is for: AI Governance leads, Chief Risk Officers, and GRC teams preparing board-level AI reporting for the first time

When you need this: When regulators, auditors, or directors ask for evidence of board-level AI oversight, or when the first Critical-tier AI system goes into production

The Decision

What should the board see about AI risk, how often, and who is responsible for presenting it?

The Steps

  1. Inventory what AI risk information currently reaches the board, and identify the gaps between what exists and what is needed
  2. Define the report structure: risk tier distribution, incidents in the period, regulatory developments, maturity score trend, and forward-looking watchlist
  3. Set the reporting cadence: quarterly for organizations with Critical or Significant systems; at minimum annually
  4. Define escalation thresholds: the specific conditions that trigger out-of-cycle board notification (Critical incident, regulatory enforcement action, material model failure)
  5. Assign ownership for preparing and presenting the report: CISO, CRO, or AI Governance Lead
  6. Get the template approved by Legal and the audit committee before the first delivery
  7. Deliver the first report and solicit feedback on scope and format; calibrate before institutionalizing

The Artifacts

  • Board AI risk report template (sections: risk inventory summary, incident log, regulatory tracker, maturity scores, watchlist)
  • Escalation threshold register with specific trigger conditions, notification windows, and responsible parties
  • Reporting calendar with scheduled delivery dates for the fiscal year
  • Director briefing pack for first-time AI risk reporting (context-setting, not operational detail)

The Output

A quarterly board AI risk report delivered on schedule, with documented escalation thresholds and at least one out-of-cycle escalation process tested in a tabletop.

What the board actually needs to see

Board members are not AI experts, and they should not have to be. The purpose of board AI risk reporting is to give directors enough information to fulfill their fiduciary obligation to oversee material risks — not to brief them on model architectures or prompt engineering. That distinction should shape everything about how you structure the report.

The core content of a board AI risk report has five components. First, the risk inventory: how many AI systems are in production, how they are distributed by risk tier, and how that distribution has changed since last quarter. Second, the incident log: which AI-related incidents occurred, how severe they were, and what remediation was taken. Third, regulatory developments: which new regulations, enforcement actions, or guidance relevant to the organization's AI footprint appeared in the period. Fourth, maturity scores: where the organization stands against its governance objectives, and whether the trajectory is improving. Fifth, the watchlist: the two or three things most likely to produce a material loss, regulatory action, or reputational harm in the next 12 months.

What should not be in the board report: granular technical findings, individual model performance metrics, or operational details that belong in management reporting. The board needs to know that the loan scoring model had a fairness drift incident and was remediated — not the details of the embedding layer update that caused it.

Setting escalation thresholds

The most important governance design decision in board AI reporting is the escalation threshold: the specific conditions that trigger immediate notification outside the normal quarterly cycle. Organizations that define these thresholds in advance are far better prepared to handle incidents than those that make the call in the moment.

Common escalation triggers include: any incident classified as Critical severity under the incident response framework; any regulatory enforcement action or formal inquiry involving AI systems; any model failure that has or could have materially affected customers, employees, or partners; and any significant governance gap identified by an external auditor. Each trigger in the register should carry a notification window (for example, the 24 hours cited above for a Critical-tier incident) and a named responsible party, so that the register specifies who notifies whom by when rather than only what counts. The threshold for what counts as "material" varies by organization and should be set in consultation with Legal.

Escalation thresholds should be documented, approved by the board or audit committee, and tested in tabletop exercises before they are needed. A common gap is having thresholds on paper that have never been operationalized — no one has walked through the notification process, and the first real incident reveals that the escalation chain has broken links.

Building board AI literacy over time

Effective board oversight of AI risk requires directors who understand enough about AI to ask the right questions. That does not mean deep technical knowledge; it means understanding what risk classification means, why agentic systems require different controls than predictive models, and what kinds of harms can result from inadequate governance. Many boards lack this baseline today.

The most effective approach is to build literacy incrementally through the reporting itself. A well-structured board report, delivered consistently, teaches directors what to ask over time. Supplementing this with an annual director AI briefing — focused on the governance landscape, not technical detail — accelerates the process. Several organizations have found value in bringing in an external AI governance expert once a year to present directly to the board.

The measure of success is not whether directors can explain neural networks. It is whether they ask follow-up questions about the AI risk report, whether they connect AI risks to enterprise risks they already understand (reputational, regulatory, operational), and whether they are comfortable making resource allocation decisions based on AI risk data.
