Two years ago, we outlined how directors should think about oversight of AI-related risks. Since then, we have seen a steady increase in AI projects that sit squarely inside our clients’ core business functions, which raises three board oversight issues that we discuss in this Debevoise Data Blog update: (1) identifying core AI projects, (2) assigning specific management responsibility, and (3) peer benchmarking.
1. Identifying Core AI Projects
Corporate boards should consider asking management to provide them with periodic briefings on any major AI project that involves a core business operation of the company, including projects that are anticipated to significantly impact revenue, core risk or legal compliance controls, or large-scale customer experiences.
2. Designating a Senior Owner
Many substantial enterprise AI projects involve multiple senior stakeholders (e.g., CFO, COO, CCO, CLO, CIO, CRO), but it is often unclear to the board who is responsible for overall risk management. For cybersecurity, some companies have solved this lack of clear ownership by having a Chief Information Security Officer (“CISO”) with a dotted reporting line directly to the Audit Committee. Accordingly, the board should consider asking management to designate one senior executive or committee that is responsible to the board for risk management and reporting for all core AI projects, perhaps allowing for a different person or committee to be designated, as appropriate, for certain key projects. As with cybersecurity, for AI, clear ownership of mission-critical risks, if any, reduces the chances of gaps and speeds up escalation and decision-making when issues arise.
3. Peer Benchmarking
As part of any reporting on core AI projects, boards should consider asking management to identify similar projects undertaken by other companies in the same industry and explain, if knowable, what risk-management controls those companies have adopted.
Bottom line: Knowing about core AI projects, having a designated senior owner of risk, and tracking similar projects at peers will position directors to help their companies capture AI’s upside while managing the risks that come with adding AI to the heart of the enterprise.