
AI governance for UK boards

A UK board does not govern AI against a statute. It governs against duties it already holds, principles its regulators already apply, and evidence it must be able to produce on demand. The work is to name who is accountable, choose the framework that structures the evidence, and keep that evidence live.

What is a board actually accountable for on AI?

Everything the organisation's AI does, whether or not the board understands it. Directors' existing duties of care, skill and oversight extend to AI without amendment. Accountability does not transfer to the vendor or the model: it lands on the organisation that points AI at a real decision, which means it lands on the board.

This is sharper than it sounds, because most boards now answer for capability they bought rather than built. Nobody in the company trained the model, can read its weights, or can say precisely why it produced one sentence rather than another. Yet the moment the tool acts under the company's name, the board owns the outcome, and "the model decided" is not a defence any regulator will accept. We set out that position in full in Governing the Intelligence Age.

Is there a UK law on AI that boards must comply with?

No single one. The UK has no AI Act and no dedicated AI regulator. Five voluntary principles are applied by the regulators you already answer to, on top of binding law that reaches AI without naming it: UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025.

The five principles, confirmed in the government response of February 2024, are safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; and contestability and redress. They are deliberately abstract. They tell a board the outcomes a regulator will look for, not the controls that get there, and the space between the principle and the control is exactly the space the board must fill. Underneath the principles sits law that binds today: the ICO is lead regulator wherever AI touches personal data, and the Data (Use and Access) Act 2025 reformed the rules on significant automated decisions from February 2026. The full picture is in our guide to what UK boards govern instead of an AI Act, and every instrument is listed, dated and sourced in the UK AI Regulation Tracker.

Which framework should a board govern AI against?

ISO/IEC 42001 for the management system, with the NIST AI Risk Management Framework for risk structure. Neither is law. In the absence of a UK statute they are the most concrete, auditable evidence a board can produce that its AI is governed, and they map cleanly onto the five UK principles.

ISO/IEC 42001 produces exactly the artefacts a regulator, a procurement team or an auditor asks for: policies, named roles, risk registers, impact assessments and continual-improvement evidence. NIST's Govern, Map, Measure, Manage structure sits comfortably inside it and gives the board a defensible way to articulate how risk is identified across the AI lifecycle. One point of language matters here: only a UKAS-accredited certification body can certify an organisation to ISO/IEC 42001. A consultancy helps you align and prepare; it cannot issue the certificate. We unpack what the standard concretely asks of a board in ISO/IEC 42001 explained.

What evidence will a regulator or auditor ask to see?

Evidence that operates, not policy that sits. A named accountable owner for each AI system, a completed Data Protection Impact Assessment where personal data is processed, a record of who decided and when, and a risk register that is live, dated and owned rather than reviewed once a year.

The test we put to boards is simple: for each of the five UK principles, name the control that evidences it and the person accountable for it. Accountability means you can prove who decided and when. Transparency means a claim the model makes is checkable against its source. Contestability means a person who disagrees with a decision can have it reviewed and reversed by a human. A risk register updated annually is not evidence of governance; it is a record that governance once happened. We make that argument, and show what a living register looks like, in Make your AI risk register living evidence.

Where should a board start?

With an honest reading of where it stands. Map where AI already operates, including inside supplier systems the board cannot independently test. Name the accountable owner. Confirm which binding regimes apply. Then choose the framework that structures the evidence.

The duties differ by sector: a housing association answers to the Regulator of Social Housing, a financial services firm to the FCA and PRA, a charity's trustees to the Charity Commission. The starting discipline is the same everywhere. The free Board AI Scorecard gives a board that first reading across accountability, policy, risk, data and capability in about two minutes, and the articles below take each duty further.

Articles in this topic.

The AI governance framework UK organisations actually need

A working AI governance framework has five connected layers — principles, policy, controls, evidence, assurance — and a 90-day route to stand one up.

Article · Dr Karl George MBE · 12 min read

What a UK AI policy must include in 2026

The eight working parts of a defensible UK AI policy, what each section is for, and why a template without controls is a disclaimer, not governance.

Article · Dr Karl George MBE · 8 min read

Does the EU AI Act apply to UK organisations?

Three routes pull UK organisations into the EU AI Act. A plain-English decision guide for boards: scope, roles, risk tiers and the June 2026 timeline.

Article · Dr Karl George MBE · 9 min read

ISO 42001 vs NIST AI RMF: which do you need?

One is a certifiable management system standard, the other a voluntary risk framework. How a UK board chooses between them — or runs both inside one AIMS.

Article · Hamada Mahdi · 8 min read

20 questions every UK board should ask about AI

Twenty AI questions for UK boards, grouped into five areas, each with the artefact a good answer produces and the UK rule it rests on.

Article · Dr Karl George MBE · 10 min read

Shadow AI: the policy boards need before the ban reflex

Staff already paste work into consumer AI. The answer is not a ban: discover use, triage it into three bands, provide sanctioned tools, police the line.

Article · Dr Karl George MBE · 8 min read

Make your AI risk register living evidence, not a spreadsheet

An AI risk register that only updates quarterly is already stale. Structure it with NIST's Govern-Map-Measure-Manage and feed it from the systems themselves.

Article · Dr Karl George MBE · 8 min read

ISO/IEC 42001 explained: what it asks of a board

What ISO/IEC 42001 concretely requires of a board across clauses 4-10 and Annex A, and the honest difference between aligning to the standard and being certified.

Article · Dr Karl George MBE · 8 min read

The UK has no single AI Act. What your board governs instead

There is no UK AI statute. Your board governs against five voluntary, regulator-applied principles, which makes voluntary frameworks the practical route to compliance.

Article · Dr Karl George MBE · 8 min read

Questions directors ask.

Does a board need AI expertise to govern AI?

No, but it needs enough literacy to interrogate what it is told. Most boards are recruited for finance, legal or sector standing, and the duty is reasonable care and skill, not technical mastery. What a board cannot do is defer entirely to executives or vendors on model accuracy, bias and data flows.

What is the difference between aligning to ISO/IEC 42001 and being certified?

Alignment means building your AI management system to the standard's requirements. Certification is a formal assessment that only a UKAS-accredited certification body, such as BSI, can issue. A consultancy can prepare you for certification; it cannot certify you, and a claim otherwise is a warning sign.

How often should a board review its AI risk register?

Continuously, not annually. AI capability changes between meetings, so a register that updates once a year is already stale. The practical fix is to feed the register from the systems themselves, so the board reviews live evidence rather than a snapshot assembled for the meeting.

Who should own AI risk at board level?

A named person, for every system. In financial services the Senior Managers and Certification Regime makes this explicit: a Senior Management Function holder carries AI risk in their Statement of Responsibilities. The same discipline serves every sector: an inspector should be able to see who owns each AI system that touches a real person.

Find out where your AI exposure sits.

We'll tell you plainly what's worth doing, what isn't, and what a board or regulator will expect to see. No pitch deck.

No obligation · no pitch.