
AI Governance for UK Boards

A practical primer for directors: why AI is now a board issue, the questions to ask, and the frameworks you can align to.


Why AI is now a board issue

AI stopped being an IT question the day it started shaping decisions your organisation is accountable for. Arrears triage in a housing association. Credit and pricing in a financial services firm. Grant assessments in a charity. Admissions sifting in a university. In each case the decision reaches a real person, and the duty to govern that decision sits where it always has: with the board.

What makes this urgent rather than theoretical is that accountability does not transfer with the technology. The board remains answerable for AI it bought rather than built, for AI running inside supplier systems it cannot independently test, and for AI its staff adopted without asking. UK regulators have said as much in their own vocabularies: the Regulator of Social Housing holds the board, not the vendor, accountable for outcomes; the SRA confirms that solicitors remain personally accountable for the outputs of AI tools they use; and under the Senior Managers and Certification Regime a named senior manager is accountable for the risks in their area of responsibility, AI included.

There is no single UK AI Act to comply with, and that makes the board's position harder, not easier. The government's five cross-sector principles, set out in its 2023 white paper and confirmed in its February 2024 response, are voluntary and are applied by the regulators you already answer to rather than by a new AI regulator. Underneath them sits law that binds today: UK GDPR and the Data Protection Act 2018 wherever AI processes personal data, and the Data (Use and Access) Act 2025, which reformed the rules on significant automated decisions from February 2026. Without a single rulebook to point at, the burden is on the board to show that its existing duties already cover how AI is built, bought and used.

Six questions every board should answer

These six questions surface most of the exposure in any sector. They are the questions we would put to your board, and the ones an inspector, auditor or regulator will reach for in their own words.

  1. Where is AI already operating across the organisation, including inside supplier systems, and which of those uses shape decisions about real people?
  2. Who at board level owns AI risk, system by system, and could we name that person to a regulator without checking?
  3. Which of our AI uses cross the automated decision-making threshold, and could we evidence notice, a route to contest and meaningful human review for each?
  4. How have we tested these systems for bias and unfair outcomes against the people our decisions affect, and who is accountable for that testing?
  5. Could we explain a given AI decision, in plain terms, to the person it affected, to our regulator and to a court?
  6. What evidence of all of the above could we produce this week, without assembling it specially for the request?

A board that can answer all six has working AI governance. A board that cannot answer the first one should start there: you cannot govern an estate you have not mapped.

The frameworks you can align to

With no dedicated UK AI statute, alignment to a recognised voluntary framework is the most concrete, auditable evidence of governance a board can produce. Two matter most.

ISO/IEC 42001, published in December 2023, is the first international AI management system standard. It is built on the same Plan-Do-Check-Act structure as ISO 27001 and produces the artefacts a regulator or procurement team asks to see: policies, named roles, risk registers, impact assessments and continual-improvement evidence. It maps cleanly onto the UK's five principles.

The NIST AI Risk Management Framework, published in January 2023, is voluntary and US in origin, but its Govern, Map, Measure, Manage structure has become the common language for AI risk across UK, EU and US teams, and it sits comfortably inside an ISO/IEC 42001 management system.

Frameworks give the governance its shape. The evidence has to be live. An AI risk register updated once a year is not evidence of governance; it is a record that governance once happened. Map each of the five UK principles to a control that actually operates and to a person who owns it, and keep the register dated, owned and fed from the systems themselves (deployment records, monitoring output, incident reports) rather than from a once-a-year round of interviews.

What we do not claim

Honesty about certification is part of governance. Only an accredited certification body (in the UK, one accredited by UKAS, such as BSI) can certify an organisation to ISO/IEC 42001. A consultancy, including this one, helps you align to the standard and prepare for certification. It cannot issue it, and you should treat any claim otherwise as a warning sign. The same discipline applies to security postures: a documented target state is not the same as the current state, and a board should always know which of the two it is being shown.

This guide carries a date and reflects our reading of UK guidance at the time of writing. It is general information, not legal or compliance advice.
