
AI governance for UK boards

FRC AI guidance for boards: what actually applies

There is no standalone FRC AI code. UK boards should map AI use to the 2024 Code, material controls, audit evidence and recognised AI frameworks.

Hamada Mahdi · 8 min read · Researched and drafted with AI assistance, reviewed by Karl George MBE

FRC AI guidance for boards should not be read as a new AI rulebook. As of 17 June 2026, the board anchor is the 2024 UK Corporate Governance Code, its live guidance, and FRC AI material for audit and reporting.

That answer matters because the Financial Reporting Council has not replaced board duties with an AI-specific code. A board still governs AI through risk appetite, principal and emerging risk assessment, material controls, reporting quality, audit committee oversight and evidence. The difference is that AI can now sit inside each of those areas.

Key takeaways

  • The UK Corporate Governance Code 2024 has applied to financial years beginning on or after 1 January 2025; Provision 29 applies from financial years beginning on or after 1 January 2026.
  • Provision 29 asks boards to declare the effectiveness of material controls, and the FRC says material controls are company-specific. AI can be material when it affects reporting, operations, compliance, data protection or reputation.
  • The Corporate Governance Code Guidance explicitly prompts boards to ask about responsible artificial intelligence in reporting and treats information technology risks, including artificial intelligence, as possible material controls.
  • The FRC's AI publications for audit and corporate reporting do not move accountability from people to systems. In March 2026, the FRC said audit accountability remains with firms and Responsible Individuals even when AI tools are used.
  • A defensible board response is an evidence pack: AI inventory, risk appetite, material-control map, testing record, reporting route and assurance plan.

What FRC AI guidance boards should actually follow

Start with the Code. The FRC says the 2024 Code applies to companies listed in the commercial companies category or the closed-ended investment funds category, regardless of where they are incorporated. It also notes that many other companies choose to follow the Code voluntarily, and that large private companies in scope of the Companies (Miscellaneous Reporting) Regulations 2018 disclose governance arrangements against a framework such as the Wates Principles.

For AI, three Code points carry the weight. First, Principle O says the board should establish and maintain an effective risk management and internal control framework, and determine the principal risks the company is willing to take. Second, Provision 28 requires a thorough assessment of emerging and principal risks. Third, Provision 29 requires the board to monitor the risk management and internal control framework and review its effectiveness at least annually.

The live FRC guidance, last updated on 3 June 2026, gives the practical route. It says the guidance is not mandatory, not prescriptive and not part of the Code itself. It also says the board has ultimate responsibility for risk management and internal control, even where work is assigned to a committee. That is the point for AI: the audit or risk committee may do the work, but the board still reaches its own conclusion.

AI appears in the guidance in two places that boards should not miss. In the strategy questions, the FRC asks whether the board is aware of emerging technologies, including responsible artificial intelligence, being used by the company, for example in reporting. In the material controls section, the FRC says controls can include information and technology risks, including cybersecurity, data protection and new technologies such as artificial intelligence.

The FRC's audit-specific AI materials make the same accountability point in a different context. The AI in Audit page lists June 2025 guidance on documenting AI tools in audit and March 2026 guidance on generative and agentic AI. The March 2026 FRC announcement says regulatory accountability for AI tool deployment and audit quality remains unchanged, and that the human auditor is always accountable. That principle is useful beyond audit: AI may assist, but a named person signs off the judgement.

Who this applies to

For listed companies in scope of the Code, the question is direct: could an AI system, supplier model, finance workflow or reporting assistant affect a material control or a principal risk? If yes, it belongs in the board's risk and control conversation before the annual report asks for a conclusion.

For large private companies and regulated organisations outside the listed-company perimeter, the Code is still useful as a board discipline. The FRC says corporate governance is not only important for the largest companies. A housing association, charity, professional-services firm or public body may not report against Provision 29, but the same evidence logic appears in sector regulation: name the risk, name the control, test it, and keep the record.

This also sits beside the UK's AI-regulation model. The government response to the AI White Paper confirmed five cross-sectoral principles for existing regulators to apply within their remits: safety, security and robustness; transparency and explainability; fairness; accountability and governance; and contestability and redress. Those principles are not the FRC Code, but they help boards decide which AI controls deserve evidence. Our UK AI regulation tracker keeps that landscape dated, and our ICO AI code of practice guide covers the personal-data layer.

What the board needs to decide

Before management brings a policy, the board should make five decisions.

  1. Which AI systems are in scope for board oversight: bought, built and embedded tools, including AI inside supplier products.
  2. Which AI risks are principal or emerging risks, and how they sit inside the risk appetite the board has approved.
  3. Which AI controls are material because a failure could affect reporting, operations, compliance, data protection, shareholder decisions or stakeholder interests.
  4. Which committee will monitor the evidence, and which matters must return to the full board.
  5. What assurance is enough. The FRC says external assurance on material controls is not required by default; the board decides whether internal work is enough or whether independent testing is needed.

The answer should be minuted as a decision frame, not as a technology update. If the board cannot say which AI controls are material, it cannot make a Provision 29-style declaration with confidence.

Controls and evidence for an AI material-control review

The FRC guidance says a board should form its own view on effectiveness based on evidence it obtains. For AI, that means building the evidence before the annual-report wording is drafted.

| Board question | Control to operate | Evidence to keep | Owner |
| --- | --- | --- | --- |
| Where is AI used in reporting, decision support or supplier workflows? | AI system inventory with owner, purpose, data class, supplier and model-change trigger | Current register, supplier disclosures, procurement records | Company secretary with CIO or CTO |
| Which AI risks are principal or emerging? | AI risk appetite and risk-register criteria tied to business model, reputation and stakeholders | Board-approved appetite statement, dated AI risk register, scenario notes | Chief risk officer |
| Which controls are material? | Control library that links each material AI risk to a preventive, detective or corrective control | Control map, test plan, control failures, near misses and remediation log | Risk, internal audit or assurance lead |
| Can AI-assisted reporting be trusted? | Human sign-off, source traceability and version control for AI-assisted reporting drafts | Review logs, source packs, change history, audit committee paper | CFO and audit committee |
| Can a person contest an AI-influenced decision? | Human review route for significant decisions and a record of outcomes | Review requests, decisions changed, response times, policy wording | Accountable executive owner |
| Are suppliers changing the risk after approval? | Contractual notification and re-assessment trigger for material AI or model changes | Contract clauses, vendor updates, re-test records | Procurement and legal |

This is where the questions every UK board should ask about AI become operational. The answer is not "management is aware". The answer is the artefact in the evidence column.

Framework mapping: FRC, UK principles, ISO 42001 and NIST

The FRC deliberately does not prescribe one internal-control framework. Its guidance says the board may use a recognised framework or standard, where relevant to the area being reported against. For AI, the practical pattern is to map the Code and UK principles onto ISO/IEC 42001 and the NIST AI Risk Management Framework, then test whether each row has evidence.

| Framework or duty | What it contributes | Board evidence |
| --- | --- | --- |
| FRC Code and guidance | Board responsibility for risk appetite, principal risks, material controls, monitoring, review and annual reporting | Minuted risk appetite, AI material-control map, annual review evidence |
| UK AI principles | Regulator-facing outcomes: safety, transparency, fairness, accountability and redress | Principle-to-control mapping with a named owner and operating evidence |
| ISO/IEC 42001 | A management-system structure for AI, covering policies, objectives, processes, risk and continual improvement | Scope, AI policy, risk and impact assessments, management review minutes; see our ISO 42001 board guide and ISO 42001 checklist |
| NIST AI RMF 1.0 | A voluntary risk framework built around Govern, Map, Measure and Manage | Risk maps, measurements, treatments and a repeatable review cycle |
| FRC AI audit guidance | Audit-specific guidance on AI documentation, output confidence and professional judgement | Audit committee paper explaining where AI tools are used, how outputs are checked and who remains accountable |

The mapping should not become a spreadsheet exercise. Use it to answer one board question: which AI uses could cause a control failure that matters to investors, customers, regulators or people affected by the decision?

Next step: turn the guidance into an evidence pack

Common mistakes are predictable. The first is waiting for an FRC AI code that may never arrive. The second is treating AI as an IT risk only, when the FRC guidance also points to reporting, stakeholder impact, supply chains, culture and material controls. The third is accepting a policy as evidence, when the annual report needs a conclusion based on monitoring and review.

Start with the free Board AI Accountability Check if the question is whether named accountability exists. Use the Board AI Scorecard if the board needs a baseline across accountability, policy, risk, data and capability. If the issue is wider regulatory scope, use the UK AI regulation tracker alongside our guide to the UK not having a single AI Act and the AI governance framework UK organisations actually need.

If the evidence needs to be board-ready rather than self-assessed, the GovernIQ diagnostic maps actual AI use to the Code, the UK principles, ISO/IEC 42001 and NIST, then leaves the board with the control map and evidence gaps it can act on.

Sources: FRC UK Corporate Governance Code 2024 · FRC Corporate Governance Code Guidance · FRC AI in Audit · FRC March 2026 generative and agentic AI audit guidance announcement · FRC AI and Corporate Reporting · UK government AI regulation response · ISO/IEC 42001 · NIST AI Risk Management Framework
