One observation
An AI tool your board approved in March is rarely the same tool by the time the annual review comes round. The model underneath changes, the usage spreads to teams the sign-off never contemplated, and the controls drift through routine engineering. None of it is misconduct, and none of it reaches the board, because each change looks too small to table. What runs in production is a descendant of the thing you approved, and nobody decided to approve that. Dr Karl George MBE calls this the pacing problem, and the fix is not more meetings. It is standing governance written into the system itself, so the rule holds on every transaction rather than at every meeting. Read the full argument in "The pacing problem: capability outpaces board ratification".
One risk
Reading "no UK AI law" as "no obligation". The UK has no single AI Act, by design: regulators you already answer to apply five voluntary, cross-cutting principles within their existing remits. But the binding law underneath has not gone anywhere. UK GDPR and the Data Protection Act 2018 govern your AI wherever it touches personal data, and the EU AI Act can reach UK organisations through their EU footprint. The voluntary layer on top is the lens your regulator will use, which means the burden sits with your board to show its existing duties already cover how you use AI. The layered picture is set out in "The UK has no single AI Act. What your board governs instead."
One action
Restructure your AI risk register around the NIST AI Risk Management Framework's four functions: Govern, Map, Measure, Manage. The discipline this imposes is simple. Every risk you list must have a named owner, a place it lives, a way it is measured (with a source and a date), and a control that does something. A row that cannot fill the Measure column is not a managed risk; it is a hope. A register that has read "human review in place, amber" for three quarters is describing a state your organisation has already left. The working method is in "Make your AI risk register living evidence, not a spreadsheet".
One resource
ISO/IEC 42001 explained: what it asks of a board. The first international AI management system standard, read clause by clause from a board's seat: what it concretely requires, and the honest difference between aligning to the standard and being certified against it. Useful before anyone in your organisation says "we are 42001 compliant" in a tender.
That is a full issue. One observation, one risk, one action, one resource, once a month, in about five minutes.