Skip to content
EasiraAI
All thinking

GOVERNANCE

AI governance for boards: what directors are accountable for

AI governance for boards is not an enterprise-scale bureaucracy problem. Here is what an Australian mid-market board is actually accountable for, and the questions to ask before approving any AI rollout.

9 min read18 June 2026Ibram Ghali

AI governance for boards comes down to a single principle Australian directors already understand: you remain accountable for the decisions your organisation makes, whether a person or a system made them. When management deploys an AI tool that drafts customer communications, classifies applications, or influences a credit or clinical decision, the board's duty of care and diligence does not lapse because the process was automated. What changes is that directors now need enough visibility to discharge that duty over systems they did not personally review. This article sets out what a mid-market board is genuinely accountable for, the questions to ask before approving any rollout, and a governance operating model sized for mid-market resourcing rather than enterprise process.

What a board is actually accountable for

Directors are not accountable for understanding how a model works. They are accountable for ensuring the organisation has a defensible system of oversight around the decisions those models influence. The distinction matters, because a great deal of board-level AI anxiety is spent in the wrong place — on the technology — when the exposure sits in governance.

Three obligations frame the accountability, and none of them are new inventions for AI.

Director duties. Under the Corporations Act, directors owe duties of care and diligence and must act in the best interests of the company. Courts assess whether a director took reasonable steps to inform themselves and to put appropriate systems in place — not whether they personally audited every decision. Applied to AI, this means a board is expected to know which material AI systems are in use, what could go wrong, and what controls exist. A board that cannot answer those questions for a system that later causes harm is carrying a documented gap.

Privacy Act 2026. The reforms introduce specific transparency obligations for automated decision-making that significantly affects individuals, alongside a substantially strengthened penalty regime — for serious or repeated interference with privacy, penalties reach the greater of $50 million, three times the benefit obtained, or 30 percent of adjusted turnover for the relevant period. Those numbers move AI oversight from an operational footnote to a board-level financial risk. We cover the detail in our Privacy Act 2026 guide.

The Voluntary AI Safety Standard. Although not legislated, the Standard's ten guardrails — including accountability and a maintained AI system inventory — increasingly define the standard of care a well-governed Australian organisation is expected to meet. Regulators reference it, government procurement asks for it, and director guidance points to it. We explain the guardrails in our breakdown of the Standard.

The uncomfortable summary: the accountability already exists. AI simply distributes decision-making into places the board has not historically had line of sight.

The questions a board should ask before approving any AI rollout

Most poor AI outcomes are not caused by exotic model failures. They are caused by a system going into production without anyone at governance level having asked plain questions. Before approving any material AI deployment — anything that touches customers, employees, money, safety, or a regulatory obligation — a board or its risk committee should be able to get clear answers to the following.

  1. What decision does this system make or influence, and who is affected? If the answer is vague, the risk assessment underneath it is also vague.
  2. Who is the named accountable owner? Not a team or a vendor — a person inside the organisation who is answerable for its performance and its failures.
  3. What is the worst realistic outcome if it is wrong, and how often will it be wrong? Every model has an error rate. The board needs it stated, not implied.
  4. Where is the human in the loop, and can that human actually override the system? Meaningful oversight means the reviewer has the information, the authority, and the time to say no.
  5. What personal information does it use, and have we assessed the privacy exposure? This is where Privacy Act 2026 obligations attach.
  6. If it makes automated decisions about individuals, can a person contest the outcome and get a genuine human review? This is a legal requirement, not a nicety.
  7. What happens when it fails — who is notified, who intervenes, and how fast? A system with no incident path is a system with no governance.
  8. Who is liable if the third-party tool causes harm — us or the vendor? Most standard AI vendor contracts push this risk back to the customer.

If management cannot answer these for a proposed rollout, the correct board decision is to defer approval, not to approve on trust. The questions are also the fastest diagnostic of governance maturity: a team that answers them crisply usually has the controls; a team that improvises usually does not.

A governance operating model sized for mid-market

The failure mode we see most often is a board that reads enterprise AI governance material, concludes it needs a dedicated AI ethics committee and a full-time governance function, and then does nothing because that is plainly disproportionate for a mid-market firm. The honest position is that a mid-market organisation needs five things, and none of them require a new department.

1. An AI system inventory. A single register of every AI system in production use — including the quietly adopted ones inside existing SaaS tools. For each entry: purpose, accountable owner, data inputs, and a risk tier. This is the foundational artefact; the Voluntary AI Safety Standard treats it as a guardrail in its own right, and without it the board cannot oversee what it cannot see.

2. Named accountable owners. Every material system has one person answerable for it. Accountability that is shared across a committee is accountability that belongs to no one.

3. Risk tiers. Not every AI use warrants the same scrutiny. A tool summarising internal meeting notes is not the tool deciding who gets a loan. A simple three-tier scheme — low, material, high — lets the board concentrate oversight where consequence is highest and leave low-risk productivity uses to lightweight policy.

4. Human oversight proportional to tier. High-tier systems get documented approval workflows and a genuine human check before action. Material-tier systems get monitoring and periodic review. Low-tier uses get an acceptable-use policy. Oversight effort should track consequence, not treat every use identically.

5. An incident response path. One documented procedure for what happens when an AI system produces a wrong, harmful, or unexpected output — who is notified, who can pause the system, and when the board is told. Most mid-market firms can extend an existing incident process rather than build a new one.

That is the whole model. It fits inside an existing risk committee, uses roles the organisation already has, and produces exactly the evidence a regulator or a court would look for.

Governance responsibilities at a glance

LayerResponsible forTypical owner in a mid-market firm
Board / risk committeeApproving material rollouts; reviewing the AI inventory and risk posture; ensuring an incident path existsBoard, quarterly
Executive sponsorOwning the operating model; escalating high-tier risks to the boardCEO or CFO
Accountable system ownerPerformance, monitoring, and incident response for a specific systemFunction lead (e.g. Head of Ops)
Privacy / compliancePrivacy Impact Assessments; automated-decision disclosures and review pathwaysExisting compliance role
All staffFollowing the acceptable-use policy; reporting concernsEvery employee

Common questions

Do we need an AI ethics committee? For most mid-market firms, no. The oversight belongs in your existing risk committee. A separate committee adds process without adding control, and it can dilute accountability by spreading it across a group.

We only use AI features inside tools we already licence — does governance still apply? Yes, and this is the most common blind spot. AI embedded in your CRM, accounting platform, or productivity suite still makes or influences decisions and still processes personal information. It belongs in the inventory.

What does "meaningful human oversight" actually mean? A human reviewer who has the information, the authority, and the practical ability to override the AI's output — and who genuinely does so when warranted. A reviewer who approves everything by default is not oversight; it is a rubber stamp with a person's name attached.

Is the Voluntary AI Safety Standard mandatory? No legislation mandates it directly. But it increasingly defines the expected standard of care, and regulators, procurement processes, and director guidance all reference it. Treating it as optional is a governance risk in itself.

Where boards should start

The practical entry point is not a policy document — it is knowing what you actually have. Most boards discover, on first asking, that more AI is in production than anyone had catalogued, that named ownership is missing, and that no incident path exists. Establishing the inventory, assigning owners, and setting risk tiers closes the largest part of the exposure in weeks, not quarters.

Our Senior AI Advisory service works directly with boards and executives to stand up a right-sized governance operating model, and our AI Readiness Audit includes a governance gap analysis against Privacy Act 2026 obligations and the Voluntary AI Safety Standard. Both are delivered by senior practitioners on a fixed fee, with the framework handed over for your team to run.


Unsure what your board is currently accountable for as AI enters the business?

Contact us to discuss where your AI governance stands and the shortest path to a defensible oversight position.

Want this applied to your business?

Book a free discovery call. We'll map your specific exposure to the rules and the 90-day plan to address it.

Book a free discovery call