AI capability & operating model
Who owns the AI risk? The board's accountability question
The board's accountability structure for AI does not form unless the board requires it. One named person with budget authority, initiative authority, and reporting authority must be designated before any AI programme is funded. The governance action boards most commonly skip is the one that determines whether commercial AI outcomes ever reach the board.
The chair asks a question
I have sat in enough board meetings to know the moment when the energy shifts.
The chair asks: "What is AI actually producing for us?"
The room goes quiet. Not confused. The quiet of people who hoped that question would not come up yet.
IT talks about adoption rates. Marketing mentions efficiency gains. Sales says it is early days. The innovation team presents a quarterly deck. None of it connects to a commercial number. By the time the report reaches the board, it has been whitewashed — the teams are reporting what the programme is doing, not what it is changing. The board is receiving four activity reports and zero accountability.
If that scene is familiar, the problem is not the AI programme. It is a governance gap the board has not yet closed.
The accountability vacuum
The structural condition has a name: the accountability vacuum.
Every function deploys AI independently. IT runs infrastructure. Marketing deploys content and campaign tools. Sales runs prospecting experiments. An innovation team has a pilot with a steering committee.
Each function can justify its own activity. Nobody can connect the aggregate spend to a commercial number. The CEO cannot get a straight answer. The board cannot get a straight answer from the CEO.
This is not unusual. CIPD research shows only 18% of UK businesses have a formal AI usage policy. In 82% of organisations, the board has approved AI spend with no defined accountability structure. The accountability vacuum is not an exception. It is the norm.
Gartner research finds that 85% of AI projects fail to deliver expected business value. The question the accountability vacuum prevents the board from asking is not "which AI to deploy?" It is "who is accountable for ensuring this programme is in the 15%?" Every quarter that question goes unanswered, the capital keeps flowing. The dashboards stay green. Making a defensible keep, kill, or scale decision becomes impossible, because there is no one to give the board a number it can trust.
When no single person owns the commercial outcome of AI, the board cannot make a defensible keep, kill, or scale decision. It can only receive activity reports.
AI is a systemic business risk — not IT
IT owns the infrastructure: deployment, security, integration, uptime. IT is measured on reliability, not commercial outcome. AI risk that is systemic, reputational, competitive, fiduciary, sits above any single function.
The board that delegates AI risk to IT has delegated a governance responsibility to a function not structured to own it.
The accountability gap is not a management failure. It is a governance gap the board allowed. The management→board accountability chain does not form by accident. It requires the board to demand it.
If the board accepts "shared accountability" or "it is IT's problem" as an answer, the board has endorsed the accountability vacuum. The risk does not disappear because the board did not ask about it. It compounds.
The Companies Act makes no special provision for AI. Directors' duties of care and skill apply to AI decisions the same way they apply to any other board decision — and a committee delegation does not make those duties go away. For regulated firms, the exposure is personal: under SMCR, a named senior manager is personally liable for what AI systems do in their area. The algorithm does not absorb that liability. The named person does.
Meaningful AI has to show up in the P&L. The governance structure that makes that possible starts with who the board names accountable before the money moves.
Why shared accountability fails
When leadership teams recognise the vacuum, the first instinct is always the same: make it a shared responsibility.
A cross-functional AI council is formed. Shared objectives. Collective ownership. Each function retains its own AI activity with its own metrics.
Nobody has authority to kill a failing initiative because nobody owns the outcome. The board still receives four answers to every question.
Shared accountability without decision rights is not ownership. It is diffusion.
The committee meets. Each function presents its activity. The council produces a deck. The board receives green dashboards. The whitewashing is now institutionalised. The council's job has become presenting the programme coherently, not giving the board a straight answer.
The committee coordinates activity. It does not govern commercial outcomes.
What the board must require
The board's job is not to design the accountability structure. That is management's role. The board's job is to require it before approving the AI budget.
The chain has three links. Each requires the board to make an explicit requirement, not to assume it exists.
Link 1 — The board requires single-point accountability before approving any AI programme. Before the budget is approved, the board names one person accountable for the commercial outcome. Not a committee. Not a function. One person with budget authority, initiative authority, and reporting authority.
If the board cannot name this person at the point of approval, the board does not approve the budget. This is the stop-condition the board can set, and the governance action most commonly skipped.
Link 2 — Management names the owner; the owner reports directly to the board. The accountability owner is not the CTO. The CTO owns infrastructure. It is not the head of the AI council. It is the person the board has given all three decision rights to. That person gives the board a straight answer at every quarterly review: what did this produce, was it worth it, scale or stop. The framework for when to kill an AI pilot only becomes actionable when this person exists and has the authority to act on its answer.
Link 3 — The board holds the owner accountable for outcomes, not activity. Adoption rates. Hours saved. Usage frequency. These are activity metrics, not accountability.
The board's standard is commercial: did this initiative move a number the board already governs? Pipeline. P&L. Market position. If it did not, the board's question is not "when will it?" but "who is accountable for the fact that it has not, and what changes next quarter?"
Three links. Each requires the board to require it explicitly.
In my work with boards and NEDs, I call this the pre-budget accountability condition: no AI budget is approved until the board has named one person with three decision rights. Every RACI matrix and three-lines-of-defence model describes accountability after the budget is approved. The board's real leverage is before, and this is the concept no current governance framework names explicitly.
Single-point accountability is not a management choice. It is a board requirement.
Frequently asked questions
Who should own the commercial outcome of AI in an organisation?
One person, not a committee, who answers three questions: what did this produce, was it worth the investment, and should the board scale it or stop it? That person needs budget authority, initiative authority, and reporting authority. The board names this person before the AI budget is approved. Without decision rights, accountability is nominal.
Why does shared accountability for AI outcomes fail?
Shared accountability without decision rights is diffusion, not ownership. When responsibility is distributed across a cross-functional committee, no single person has authority to kill a failing initiative, redirect budget, or give the board a straight answer. The committee coordinates activity. It does not govern commercial outcomes.
What is the accountability vacuum in AI programmes?
The accountability vacuum is the structural gap where every function deploys AI independently (IT, marketing, sales, operations) but no single person is accountable for the commercial outcome as a strategic capability. Each function can justify its own activity. Nobody can connect aggregate AI spend to a commercial number.
Why is AI a systemic business risk rather than an IT risk?
IT owns infrastructure: deployment, security, integration, uptime. IT is measured on reliability, not commercial outcome. AI risk that is systemic, reputational, competitive, fiduciary, sits above any single function. The board that delegates AI risk to IT has delegated a governance responsibility to a function not structured to own it.
What should the board require before approving any AI programme?
One named person with three decision rights: budget authority, initiative authority, and reporting authority. Budget authority to fund or defund initiatives. Initiative authority to start, scale, or kill. Reporting authority to give the board a straight answer at every review. If the board cannot name this person at the point of approval, the budget should not be approved.
What does the management→board accountability chain look like in practice?
The board requires single-point accountability before approving the budget. Management names the owner and gives them the three decision rights. The owner reports to the board at every quarterly review with three answers: what did this produce, was it worth the investment, scale or stop. The board holds the owner accountable for outcomes, not activity. Three links. Each requires the board to require it explicitly.
What to do next
This is not a complex governance project. The question to take into your next board meeting: is there one named person who will give the board a straight answer at every quarterly review? If nobody can name that person, you have found the problem — and it is bigger than which AI to deploy.
Both the accountability structure and the measurement architecture must be in place for a board to govern AI commercially. The former is what this article establishes. The latter is addressed in how boards make defensible AI investment decisions.
If you are working through the accountability question for your board, Subscribe to Agentic Leaders. I write monthly on AI governance at board altitude. Or work with Stefan if you would prefer to work through it directly.
Stefan Finch is an AI board advisor and founder of Graph Digital. He has spent 25 years across enterprise and mid-market technology, including board-level AI advisory engagements.
Key takeaways
- AI is a systemic business risk, not an IT one. The board that delegates AI risk to IT has delegated a governance responsibility to a function not structured to own it.
- The accountability vacuum is the norm. CIPD research shows 82% of UK organisations have approved AI spend with no defined accountability structure.
- Shared accountability without decision rights is diffusion. A cross-functional AI council is not the governance structure the board needs.
- Single-point accountability requires three decision rights: budget authority, initiative authority, and reporting authority. Without all three, the title is ceremonial.
- The pre-budget accountability condition: no AI budget should be approved until the board has named one person with these three decision rights. This is the governance action boards most commonly skip.
- The management→board accountability chain has three links: the board requires, management names, the board holds accountable. None forms by accident.
