Articles

A Board Checklist for AI Governance in Regulated Organisations

Twelve decisions boards should document before scaling AI — ownership, residual risk, evidence, and human oversight.

By WAIG Foundation19 Jul 2026· 12 min

Introduction

Boards are asked to approve AI programmes without a shared vocabulary for residual risk, evidence, and accountability. This checklist is for regulated organisations that need decisions recorded — not slideware.

Visual · governance cockpit
AI Governance Cockpit
72AI Risk Score91Compliance Score48AI AssetsIncident HeatmapModel RegistryLLM-Prod-v3Vision-Agent-01RAG-ComplianceRedTeam-Model

Why boards struggle

AI initiatives often arrive as product demos. Assurance artefacts — evaluation sets, decision logs, escalation paths — arrive later, if at all. That sequencing creates legal, reputational, and operational exposure.

Board test: If an auditor asked tomorrow for last month’s high-impact AI decisions, could you produce owners, citations, and refusal logs?

Twelve decisions to document

  1. Inventory — Which AI use cases are live or planned, and which data classes do they touch?
  2. Owners — Named executives for model risk, data stewardship, and incidents
  3. Tiering — Residual-risk classification with go/no-go criteria
  4. Evidence — What would an auditor ask for tomorrow, and where is it stored?
  5. Oversight — Human-in-the-loop gates for high-impact decisions
  6. Residency — Where prompts, embeddings, and model logs physically reside
  7. Third parties — Sub-processor map for model APIs, hosting, and logging
  8. Evaluation — Hold-out sets, red-team cadence, and release criteria
  9. Incidents — Playbook for harmful outputs, data leakage, and drift
  10. Training — Operator literacy pathway (WAIG Academy and chapter programmes)
  11. Budget — Assurance funding as a first-class line, not a residual after demos
  12. Review cadence — Board or risk-committee refresh after material model or regulatory change
Visual · digital trust
Digital Trust Framework
TRUSTTrustPrivacyEthicsGovernanceSecurityComplianceSix Pillars of Responsible AI

Worked example

A benefits chatbot without retrieval guards or refusal policy can invent answers. A governed approach documents:

  • Allowed policy corpora
  • Citation rules before citizen-facing answers
  • Escalation to a human case worker
  • An evidence pack exportable for internal audit

See also: Human oversight patterns and Sovereign AI deployment insights.

30 / 60 / 90 day board pack

HorizonOutcome
30 daysUse-case inventory + named owners
60 daysResidual-risk tiers + HITL gates on one high-impact path
90 daysAssurance evidence pack + board briefing

Standards literacy (not legal advice)

Run a baseline with the AI Governance Maturity Assessment.

Content Attribution

Educational framing references public standards literacy. WAIG Foundation does not claim ownership of third-party standards text. Not legal, audit, or certification advice. Proprietary UAAF operational use requires written licence.

© WAIG Foundation