AI Governance in Strategic Business Applications

AI is becoming integral to organisations across their value chains, utilised in both internal and consumer-facing initiatives. Applications include hiring processes, fraud detection, customer support, and personalised services.

The presence of AI in corporate strategy has significantly raised its profile on board agendas. Research indicates that boards proficient in AI have achieved an average return on equity that is 10.9 percentage points higher than their industry counterparts, positioning AI as a key driver for efficiency, speed, and competitive gain.

From Competitive Advantage to Governance Risk

However, the deeper integration of AI into both core and ancillary business functions introduces various structural risks. One major concern is vendor control. Data managed by third-party AI applications may be reused or retained beyond the intended purposes, jeopardising confidentiality.

Moreover, reliance on third-party AI increases exposure to regulatory scrutiny. Deploying companies are likely to be held accountable, regardless of their limited insight into the model’s architecture, training datasets, or system updates.

Additionally, AI deployment raises significant privacy issues, as personal data traverses opaque systems, which complicates compliance with data protection regulations. Furthermore, errors, biases, and inaccuracies may result in misleading or discriminatory outcomes. The lack of transparency in testing and remediation adds to these difficulties.

AI Risk in Practice: Insights from Recent Deployments

Regulatory bodies and courts are increasingly examining failures linked to AI. For example, Trivago faced penalties after its ranking algorithm favoured hotel listings from advertisers who paid higher commissions, misleading users about the best available prices, as identified by Australia’s competition regulator.

Internal AI usage has also posed risks. Employees entering sensitive organisational data into generative AI tools have prompted a reassessment of data confidentiality and permissible use within companies.

Organisations are bolstering their governance frameworks by establishing AI oversight committees, formulating internal policy guidelines, and educating their workforce. Developments at the regulatory level are propelling this evolution. As the EU’s AI Act approaches enforcement, investors in the EU stress that boards must oversee the design, deployment, and monitoring of AI as part of their governance responsibilities.

In the US, commentators note that boards may be held accountable for AI failures, especially in situations where AI plays a critical role in the business model, operations, or operates within high-risk environments.

India’s Approach to AI Governance

India is following a unique, evidence-based strategy for AI governance. Instead of implementing a broad AI statute, the emphasis is on applying common principles for responsible AI across various sectors. These principles were initially outlined by the Reserve Bank of India in its FREE-AI committee report aimed at the financial sector.

Subsequently, the Ministry of Electronics and Information Technology supported them in the India AI governance guidelines. Together, they highlight the necessity of embedding principles such as trust, fairness, accountability, transparency by design, and safety to mitigate AI risks. These principles are being translated into actionable governance standards.

For instance, the RBI has advised regulated entities to adopt AI policies that are board-approved, addressing governance, ethics, accountability, and risk appetite. Similarly, the Securities and Exchange Board of India has recommended that market participants identify senior management personnel to oversee AI throughout its lifecycle, backed by clear accountability frameworks.

These frameworks are not intended to be a universal checklist but signal how senior management should approach AI adoption oversight.

Three Practical Steps for Boards

For boards aiming to deploy AI responsibly without sacrificing agility, three key steps can be taken:

First, evaluate AI usage and develop a foundational governance policy.

Initiating responsible AI adoption necessitates organisational clarity. Boards should initiate a comprehensive mapping exercise to identify AI applications, their purposes, and potential impacts. Use cases should be categorised into consumer-facing and internal deployments, facilitating risk assessment and the creation of an AI inventory that includes use cases, data inputs, vendors, and associated risks. This inventory can serve as a cornerstone for the organisation’s AI governance policy.

Second, prioritise vendor transparency and contractual protections.

Building on India’s policy discussions, deploying entities are likely to remain accountable for outcomes generated by third-party AI models. Boards should clarify the functionalities of AI systems, potential failure points, and data utilisation. Contracts with vendors must set explicit limitations on the re-use of enterprise or customer data for AI training and establish clear ownership of outputs, audit rights, and liability safeguards.

Third, institutionalise board-level reporting, continuous monitoring, and incident response.

India’s evidence-led method of managing AI risks can aid in crafting suitable risk assessment and classification frameworks. Organisations should incorporate AI incident reporting and ongoing monitoring into their governance strategy. Boards are encouraged to adopt internal policies that foster early detection and honest reporting of AI-related incidents.

At a minimum, boards should require regular reports on significant AI use cases, key risks, vendor dependencies, and control efficacy. This reporting should be coupled with a clearly defined incident response playbook that covers escalation, evidence preservation, and fallback strategies.