Artificial intelligence has moved from the innovation agenda to the risk register. For the AI governance, risk and compliance leads who brief boards, the challenge is no longer persuading directors that AI matters — it is giving them something they can actually oversee. The most durable way to do that is to pair the management-system discipline of ISO/IEC 42001 with the concrete obligations of the EU AI Act, then translate both into a small number of questions the board returns to every cycle.
This article sets out a practical AI governance framework board members can hold management to account against: how the two instruments fit together, where their duties reach the board, how to define roles without creating a parallel bureaucracy, and how to find the gaps before a regulator, customer or journalist does.
Why AI is now a board-level risk
AI has quietly become load-bearing. Models sit inside recruitment screening, credit decisions, fraud detection, customer service and, increasingly, the systems that produce the numbers and narrative in the annual report. That last point is what makes AI a board matter rather than a technology one.
Under the UK Corporate Governance Code 2024, Provision 29 asks boards to declare the effectiveness of their material controls — financial, operational, reporting and compliance — for financial years beginning on or after 1 January 2026. Where AI generates or influences a material control, it falls squarely within that declaration. A board cannot sign off on the effectiveness of controls it does not understand, and "the model decides" is not an explanation any director should be comfortable putting their name to. Our company secretary's guide to the 2024 Code sets out the wider reporting expectations.
The exposures are familiar even if the technology is not: discriminatory outcomes, opaque decisions affecting individuals, data protection breaches, intellectual-property leakage through third-party tools, and reputational damage from outputs the organisation cannot stand behind. The UK's Information Commissioner's Office has been explicit that existing data protection law already applies to AI, including duties on fairness, transparency and explainability. The board's job is not to master the mathematics. It is to assure itself that someone competent owns each of these risks and that the controls are real.
ISO 42001 in plain English: the AIMS
ISO/IEC 42001:2023, published in December 2023, is the world's first certifiable management-system standard for artificial intelligence. If your organisation already runs an information security management system to ISO/IEC 27001, the shape will be reassuringly familiar — 42001 follows the same high-level structure and is built to sit alongside it.
What it asks for is an AI management system (AIMS): not a document, but a working programme. In plain terms, an AIMS requires the organisation to:
- Set scope and context — what AI you build or use, and for whom.
- Establish leadership and policy — a stated position on responsible AI, owned at the top.
- Run AI risk and impact assessments — including impacts on individuals and groups, not just on the business.
- Manage the AI lifecycle — data, design, testing, deployment, monitoring and retirement.
- Oversee third parties — because most organisations buy AI rather than build it.
- Improve continually — measure, audit, review, correct.
The value of 42001 to a board is that it converts a sprawling, fast-moving topic into a system with owners, evidence and a review cadence. It gives directors recognisable hooks — policy, risk assessment, internal audit, management review — rather than a parade of model names. Certification is optional; the structure is useful regardless. For a board, the question is simply whether management can demonstrate each element is operating, much as you would expect for any other material control.
EU AI Act obligations and timelines that reach the board
The EU AI Act is the world's first comprehensive AI law and applies extraterritorially: a UK organisation placing an AI system on the EU market, or whose system's outputs are used in the EU, can be in scope. Penalties run to €35 million or 7% of worldwide annual turnover for the most serious breaches — higher than the GDPR ceiling — which is why this belongs on the board's radar even for organisations that consider themselves UK-focused.
The timeline matters, and it has recently shifted. The dates that remain firmly in force are:
- 2 February 2025 — prohibited AI practices banned, and an AI literacy duty on providers and deployers.
- 2 August 2025 — obligations for general-purpose AI (GPAI) models and the EU's governance machinery began to apply.
The high-risk regime, however, has been deferred. Under the Commission's "Digital Omnibus", a provisional political agreement reached on 7 May 2026 postpones the requirements for standalone high-risk systems (Annex III) to 2 December 2027, and for high-risk AI embedded in regulated products (Annex I) to 2 August 2028. Formal adoption is expected to follow. A prudent board should treat this as breathing space, not a reprieve: the obligations — risk management, data governance, logging, human oversight, transparency and conformity assessment — are unchanged; only the clock has moved, and final text should be confirmed before any deadline is relied upon.
The board-level takeaway is straightforward. Management should be able to say which of the organisation's AI uses are prohibited (none, one hopes), which are high-risk, which are GPAI-dependent, and what the plan and date are for each. Reassuringly, ISO 42001 and the AI Act are complementary: an AIMS produces much of the evidence — risk assessments, lifecycle records, human-oversight arrangements — that the Act will eventually demand.
Defining roles: AI governance lead, committee and board oversight
Oversight fails when accountability is diffuse. Three layers, clearly separated, work best.
The AI governance lead owns the AIMS day to day: maintaining the AI inventory, coordinating risk and impact assessments, tracking regulatory change and reporting upward. This is an executive role, deliberately distinct from the people building or buying the models, to preserve a degree of challenge.
A committee or working group — often a cross-functional forum spanning risk, legal, data protection, security and the business — reviews material AI decisions, approves high-risk use cases and resolves trade-offs. In many organisations this reports into an existing risk committee rather than spawning a new one.
The board sets risk appetite, approves the AI policy, and tests effectiveness. The board need not own every control, but it must be clear which committee holds AI in its terms of reference, and that the people involved have the competence to challenge management. This is where a board skills matrix audit earns its keep: AI literacy and data ethics are now legitimate entries, and a candid audit will often reveal a gap worth addressing through recruitment or training.
The questions every board should ask about AI
A board demonstrates oversight through the quality of its questions. These travel well and bear repeating each cycle:
- What AI are we actually using — built, bought and embedded in vendor products — and who owns the inventory?
- Which uses are high-risk or regulated, under the EU AI Act or sector rules, and what is our compliance plan and date for each?
- Where does AI touch a material control captured by our Provision 29 declaration, and how is that control tested?
- How would we know if a model failed, drifted or behaved unfairly — what monitoring and escalation exists?
- What is our exposure through third parties, and what contractual and audit rights do we hold over AI vendors?
- Can we explain a contested AI decision to a regulator, customer or affected individual?
- Is our AI policy honoured in practice, including by staff using public generative-AI tools?
Constructive, non-judgemental challenge of this kind belongs in the annual board effectiveness review, and AI oversight is increasingly something an external evaluator will probe. It also intersects with disclosure: AI's role in decision-making and its workforce impacts are surfacing in ESG and diversity reporting, where the board's narrative must be defensible.
Running an AI governance questionnaire to find gaps
The fastest route from concern to clarity is a structured AI governance questionnaire, mapped to the AIMS clauses of ISO 42001 and the obligation categories of the EU AI Act. Issued to the AI governance lead, system owners and key vendors, it surfaces what the board most needs: where ownership is missing, which assessments have not been done, and which high-risk uses lack a compliance plan.
Treat the output as a gap register with owners and dates, reviewed at the relevant committee and summarised for the board — the same discipline you would apply to a board skills audit or any other governance round. A first pass rarely produces comfortable reading, and that is precisely the point: defensible oversight begins with an honest baseline.
If you would like to see how BoardServe structures AI governance questionnaires, maps them to ISO 42001 and the AI Act, and turns the results into board-ready reporting, get in touch — we are happy to walk a governance team through the approach.
