Header image: gov-01-header.png

Two years ago, if I walked into a board meeting and said the words “AI governance,” I would have watched half the room glance at their phones. It was a compliance topic. Something the risk team was working on. A slide near the back of the deck.

That has changed, and it has changed quickly.

In April 2026, the Australian Prudential Regulation Authority sent every regulated bank, insurer, and superannuation trustee a letter. The letter did not ask entities to consider AI governance. It set out observations from a targeted supervisory review conducted in late 2025, and it said, in language regulators reserve for the moments they mean it, that governance, risk management, assurance, and operational resilience practices are not keeping pace with AI adoption. A week later, ASIC followed with its own letter on AI-driven cyber threats. In Singapore, the Monetary Authority closed consultation on formal AI Risk Management Guidelines for financial institutions. In the European Union, the Digital Omnibus of 7 May 2026 deferred the main high-risk deadline by sixteen months, but left the prohibited practices, the general-purpose AI obligations, and the €35 million maximum fine entirely untouched. In the United States, the Trump administration signed Executive Order 14365 in December 2025 and released a National Policy Framework in March 2026, both aimed squarely at federal preemption of state AI laws.

Every one of those things landed on a board agenda. Every one of them changed what boards are now expected to know.

This article is about that shift. It is about why AI governance stopped being a compliance topic and started being a board-level topic, and it is about what changed to make that happen.

From optional to expected

There is a specific line in the APRA letter that I keep coming back to. APRA observed, in polite regulatory language, that many boards had shown strong interest in the strategic upside of AI while relying heavily on vendor presentations and summaries, without sufficient examination of key AI risks.

Read that again. What APRA is saying, without saying it directly, is that boards have been briefed by the companies selling them AI, and that these briefings have substituted for effective challenge. The expectation, going forward, is that boards will maintain sufficient AI literacy to interrogate what they are being told. That is not a training recommendation. It is a supervisory expectation with enforcement teeth attached.

I want to be clear about what this means in practice. It does not mean every board member needs to read a machine learning textbook. It means boards need to know enough to ask the questions a competent second-line risk function would ask. What is our inventory of AI use cases? Who owns each one across its lifecycle? What is our concentration exposure to a single foundation model provider? What happens if that provider deprecates the model we rely on, or changes its terms, or increases pricing by an order of magnitude? What is our incident response plan for a hallucination that reaches a customer? What is our escalation path when an agentic system takes an action we did not approve?

If a board cannot answer those questions today, it is not governing AI. It is watching AI happen.

What actually changed

Three things happened between mid-2025 and mid-2026 that moved AI governance from the risk committee to the boardroom.

The first is that AI stopped being experimental. In 2023 and 2024, most enterprise AI was pilots. Small, contained, mostly harmless. By 2026, AI has moved into critical operations. It is drafting legal correspondence, screening job applications, pricing insurance policies, monitoring transactions for fraud, generating code that ships to production, and interacting directly with customers. When something moves from experimental to critical, the governance model has to change with it. The two are not the same conversation.

The second is that the regulatory environment stopped being theoretical. For most of 2023 and 2024, AI regulation was something people discussed at conferences. There were principles, frameworks, voluntary standards, thought pieces. By early 2026, there were letters to industry with implementation dates, phased obligations already in force, consultation papers in advanced stages, and litigation task forces. Enforcement is not five years away. It is here.

The third is that the operational risk profile got worse, not better. This is the counterintuitive one. As models got more capable, the ways they could fail got harder to predict. Agentic systems that can take actions across multiple applications introduced attack surfaces that no one had a runbook for. Prompt injection went from academic curiosity to documented enterprise incident. Vendor concentration became a systemic concern, because a very small number of foundation model providers underpin an increasingly large share of production AI. The APRA letter called this out specifically. Many entities were heavily dependent on a single provider for multiple AI use cases, with limited exit or substitution strategies. That is a boardroom conversation, not a procurement conversation.

The three questions every board should be able to answer

I want to give you something concrete. If your board takes AI governance seriously, it should be able to answer three questions without preparation.

The first question is: what is the highest-risk AI system currently in production in this organisation, and what happens if it fails in the way we most worry about? Notice what this question is not asking. It is not asking about the number of use cases. It is not asking about model accuracy metrics. It is asking about the specific failure mode of the specific system that keeps the CRO awake at night. A board that cannot name that system does not have an inventory. A board that cannot describe the failure mode does not have a risk assessment. A board that cannot explain the fallback plan does not have operational resilience.

The second question is: who is accountable for that system, and what evidence do we have that they are effectively discharging that accountability? Accountability without evidence is a job title. This is where most governance frameworks fall over. There is a named executive, there is a policy, and there is an approval process. But when regulators ask for evidence of continuous monitoring, model behaviour reviews, and control testing, the folder is empty. The APRA letter was specific about this. Point-in-time assurance is inadequate for probabilistic systems that change after deployment. What is expected is continuous.

The third question is: how is our AI risk appetite different from our general risk appetite, and where do we draw the lines we will not cross? This one separates organisations that have thought about AI seriously from organisations that have not. A general risk appetite statement does not tell you whether you will use AI to screen job applicants. It does not tell you whether you will let an agent send emails on a customer’s behalf. It does not tell you whether you accept a specific error rate on a fraud model when the false positives fall disproportionately on one demographic group. Those are AI-specific lines, and they need AI-specific consideration.

What boards should not do

Two failure modes are worth naming.

The first is delegation without visibility. Some boards, faced with a topic they find technical, delegate governance to a management committee and stop asking questions. This is exactly the pattern the APRA letter identified as failing. The delegation is fine. The absence of visibility is not. A board that has delegated AI governance still needs regular, structured reporting that lets it exercise effective challenge. Not a vendor demo. Not a technology update. Structured reporting on risk exposure, incidents, control effectiveness, and material changes.

The second is over-caution that looks like governance. There is a version of AI governance that consists entirely of saying no. No new use cases. No external tools. No experimentation outside sanctioned channels. This is not governance. It is abdication with paperwork. Its predictable consequence is shadow AI, which we will spend an entire article on later in this track, and which is now a documented material risk in most enterprises. Governance that does not enable the responsible use of AI will produce the irresponsible use of AI, because employees will use the tools anyway.

The APRA letter is worth quoting on this indirectly. It called for a step-change in AI-related risk management and governance, not for a moratorium on AI. What regulators are asking for is disciplined adoption, not blocked adoption.

Figure 1: The three converging pressures

Diagram 1: gov-01-diagram1.png

Figure 1 shows why AI governance moved to the board level in 2026. Three pressures converged. Operational risk increased as AI moved from pilots to critical operations. Regulatory pressure intensified as EU, Australian, Singaporean, and US authorities issued binding or supervisory expectations. Board accountability rose as directors’ duties began to interact with AI decisions in ways that mirror how they interact with any other material operational risk. The middle of the diagram is where a board actually sits. That intersection is the job.

The proportionality point

I want to close on something important. Nothing in this article suggests that a mid-sized professional services firm needs the same AI governance apparatus as a systemically important bank. Proportionality is a real principle, and every regulator I have referenced applies it explicitly. The MAS guidelines apply proportionately to size and complexity. APRA is clear that smaller entities should apply the observations in proportion to their scale. The EU AI Act carves out SMEs from many of its heaviest obligations.

But proportionality means different intensity of the same discipline. It does not mean an exemption from the discipline itself. A small firm still needs an AI inventory, still needs named accountability, still needs a risk assessment for its material use cases, and still needs a plan for what happens when a model fails or a vendor changes terms.

The thing that stopped being optional in 2026 was the discipline. The intensity is still yours to calibrate.

Figure 2: The governance maturity gap

Diagram 2: gov-01-diagram2.png

Figure 2 illustrates the gap that regulators are now specifically calling out. Most organisations sit somewhere on a maturity curve that runs from “no formal governance” through “documented policies” and “operational controls” to “continuous assurance.” The APRA and MAS observations, taken together, describe a sector that has largely reached the “documented policies” step, and largely stalled there. Regulators are now signalling that documented policies without operational controls, and operational controls without continuous assurance, are no longer sufficient. That is the gap that boards are being asked to close, and it is the gap that the rest of this track is going to help you close.

Where this track is going

This is article one of seventeen. The rest of the track builds out from here.

The next two articles set up the philosophy and the risk landscape. Article 2 is about how to build guardrails that do not kill innovation, because a governance model that does is a governance model that fails. Article 3 walks through the specific AI risk landscape: bias, hallucination, privacy, and security, and how they show up in practice.

Then we get into the jurisdictional detail. Article 4 gives you a practical map of what is in force where by late 2026. Articles 5 and 6 dig into the EU AI Act. Article 7 covers the US federal reset and the state-level divergence. Article 8 goes deep on Australia, where the supervisory shift of April and May 2026 is the most consequential recent development. Article 9 covers Singapore and the broader APAC picture.

After that, batch two moves to frameworks and controls: NIST AI RMF, ISO/IEC 42001, model risk management, model documentation, responsible AI in practice, third-party and shadow AI risk, agentic AI governance, and finally incident response and audit readiness.

If you are reading this and thinking that AI governance is a topic your board should be spending more time on, you are correct. The evidence for that is now in writing, from multiple regulators, on multiple continents, dated within the last six months.

Let’s get to work.