Audit-first AI governance
Board Memo

The questions a board should ask about AI

An oversight memo for directors and audit committees. Your job is not to understand the model. It is to confirm that the controls exist — and to know the difference between a policy that describes good intentions and a control that actually stops a bad action.

Boards are accountable for risk oversight, and that accountability does not pause because the risk is technical or novel. Yet most board-level discussion of AI stops at strategy and opportunity and never reaches the part that should worry a director most: AI is now making consequential decisions inside the business, and the controls around those decisions are frequently weaker than the controls around far less consequential things the board already scrutinizes.

This is not a memo about how AI works. A director does not need to understand a model's architecture any more than an audit committee needs to read the general ledger's source code. The oversight question is narrower: when this system acts, what stops it from acting badly, and can we prove what happened afterward? That is a controls question, squarely within the board's competence. The throughline for every question below is the same — a document describing good intentions is a weak answer; an enforced control with an auditable record is a strong one. If management answers a control question with a policy, the board has learned that the control may not exist.

Seven questions to put to management

Ask these directly. For each, the contrast between a weak and a strong answer is the whole point: it tells you whether you are being shown governance or a slide about governance.

1. Where is AI already taking consequential actions — not just advising?

Establish the actual footprint. There is a large difference between an AI that drafts a recommendation a person then approves, and an AI that approves, denies, prices, sends, or moves money on its own. The board needs an inventory of the second category.

A weak answer sounds like: "We use AI to assist our teams and improve productivity." That describes a tool, not an actor, and usually means no one has drawn the line between advising and acting.

A strong answer looks like: a specific list of decisions the AI takes autonomously, the impact of each, and which actions a human still approves before they take effect. If management cannot produce that inventory, the board has found its first gap — you cannot oversee a footprint no one has mapped.

2. When the AI is wrong, who is accountable — and can we prove what happened?

AI will be wrong sometimes. Oversight is about ownership and reconstructability when that happens, not about preventing every error.

A weak answer sounds like: "The model is highly accurate," or "the vendor handles that." Accuracy is not accountability, and a vendor does not absorb your accountability to your customers or regulators.

A strong answer looks like: a named owner for each class of AI decision, and a decision record showing — for any specific case — which agent acted, what it was permitted to do, what it checked, what evidence it relied on, and what it concluded. Accountability that cannot be evidenced is an assertion; the strong version is a record you could put in front of a third party.

3. Can we stop a bad AI action before it reaches a customer, or only detect it after?

This is the question that separates real control from monitoring. Detecting a bad outcome after a customer has been harmed is damage control. Preventing the action is control.

A weak answer sounds like: "We have dashboards and alerts," or "we review a sample monthly." Those are after-the-fact; they tell you how bad it already got.

A strong answer looks like: a control that sits before the action. The AI proposes, and a deterministic check, implemented outside the model so that nothing in the model's output can change the rule, decides whether the action is allowed, blocked, or escalated to a human before it ever reaches the customer. Ask "what would have stopped this," and you should hear about a gate, not a report.

4. What is escalated to a human, and is that escalation enforced or aspirational?

Most AI policies promise that high-stakes decisions go to a person. The question is whether that promise is wired into the system or written in a binder.

A weak answer sounds like: "Our policy requires human review for significant decisions." A policy requirement is not an enforcement mechanism, and people under deadline pressure route around aspirational checkpoints constantly.

A strong answer looks like: escalation the system itself enforces — defined thresholds above which the AI cannot complete the action without a named human approving it, with that approval captured in the record. "Cannot" is the word to listen for. If a person could skip the review and nothing stops them, it is aspirational.

5. Could we hand an examiner or regulator a decision record tomorrow?

This is the audit committee's question, and it is unforgiving. The test is not whether you have logs somewhere; it is whether you can produce, for a specific contested decision, a record created at the moment the decision happened.

A weak answer sounds like: "We could pull that together if we needed to." A record assembled after the fact — timestamps from one system, model output from another, an analyst's recollection from a third — is a reconstruction, built by the party with an interest in the outcome, after the outcome is known. Everyone in the room discounts it.

A strong answer looks like: a contemporaneous, signed decision record that already exists for every consequential action, tamper-evident and reproducible, retrievable without a project. The bar is "we can show you," not "we can build you that."

6. Which AI is vendor-supplied, and how is that third-party risk governed?

Much of the AI acting inside the business is not built in-house. The board already understands third-party and concentration risk; this is that risk, with a model inside it.

A weak answer sounds like: "We use a leading provider," as though the brand is the control. The provider's reputation is not your governance.

A strong answer looks like: a map of which vendor models touch consequential decisions, what the institution can and cannot see into, and — critically — that the institution's own controls sit around the vendor's output. The vendor proposes; your gate still decides. Bounded authority and an auditable record apply to vendor-supplied AI exactly as they do to your own.

7. What is our policy versus what is actually enforced?

This question frames all the others, and a board is uniquely positioned to force it. The gap between the written policy and the enforced control is where governance either works or quietly does not.

A weak answer sounds like: handing the board the AI policy document. The existence of a policy tells you what the organization intends, not what the system does.

A strong answer looks like: management walking the board from each policy commitment to the control that enforces it and the record that proves it ran — and being candid about the commitments still aspirational. Honesty about the gap is a sign of maturity. A board should be more comfortable with "here is what we enforce today and here is what we are still building" than with a policy that claims everything and enforces who-knows-what.

What the board is really confirming

Read together, these questions test for one thing: bounded authority with evidence. Does each AI actor operate inside limits the organization set in advance? Is there a control before the action that can allow, block, or escalate it? Is there evidence after the action that a third party could examine? If yes, the board can oversee AI the way it oversees anything else. If the answers are policies, the board is overseeing intentions — and the remedy is to keep asking "can you show me" until management either shows or admits it cannot.
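The pattern the memo describes in questions 3 through 5 (a deterministic gate before the action, escalation the system itself enforces, and a signed, tamper-evident record written at the moment of decision) is small enough to show end to end. The following is an added illustration, not KAiM's code and not a product feature; the agent names, authority table, thresholds, signing key and sample proposals are all constructed for the example, and a real deployment would keep the signing key in an HSM or KMS and use asymmetric signatures rather than a shared HMAC key.

```python
"""Added example (not KAiM code): a pre-action gate plus a signed decision record.

The AI proposes; a deterministic evaluator decides ALLOW / BLOCK / ESCALATE
against authority set in advance, and every verdict is written as a
contemporaneous HMAC-signed, hash-chained record. Agent names, thresholds,
the key and the sample proposals are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

SIGNING_KEY = b"demo-only-key"  # assumption: a real system keeps this in an HSM/KMS

# Authority set in advance per agent (hypothetical policy table, constructed here).
AUTHORITY = {
    "refund-agent": {"actions": {"refund"}, "auto_limit": 100.0, "hard_limit": 5000.0},
}


@dataclass
class Proposal:
    agent: str
    action: str
    amount: float
    subject: str                       # e.g. an order id (constructed)
    evidence: dict = field(default_factory=dict)


def evaluate(p: Proposal) -> tuple[str, str]:
    """Deterministic gate: same proposal, same verdict, no model in the loop."""
    bounds = AUTHORITY.get(p.agent)
    if bounds is None or p.action not in bounds["actions"]:
        return "BLOCK", "action outside this agent's authority"
    if not (0 <= p.amount <= bounds["hard_limit"]):
        return "BLOCK", "amount outside hard limit"
    if p.amount > bounds["auto_limit"]:
        return "ESCALATE", "above auto-approval threshold; named human must approve"
    return "ALLOW", "within bounded authority"


def _sign(body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canon, hashlib.sha256).hexdigest()


class DecisionLog:
    """Append-only log: each entry is signed when written and chained to the previous one."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def _append(self, body: dict) -> dict:
        body["prev"] = self.entries[-1]["sig"] if self.entries else "0" * 64
        body["ts"] = time.time()           # contemporaneous, not reconstructed later
        entry = {"body": body, "sig": _sign(body)}
        self.entries.append(entry)
        return entry

    def decide(self, p: Proposal) -> dict:
        verdict, reason = evaluate(p)
        return self._append({"kind": "decision", "agent": p.agent, "action": p.action,
                             "amount": p.amount, "subject": p.subject,
                             "evidence": p.evidence, "verdict": verdict, "reason": reason})

    def approve(self, decision: dict, approver: str) -> dict:
        """Human approval is its own signed entry pointing at the escalated decision."""
        if decision["body"]["verdict"] != "ESCALATE":
            raise ValueError("only escalated decisions take approval")
        return self._append({"kind": "approval", "approves": decision["sig"], "approver": approver})

    def may_execute(self, decision: dict) -> bool:
        """The action proceeds only on ALLOW, or on ESCALATE with a recorded approval."""
        verdict = decision["body"]["verdict"]
        if verdict == "ALLOW":
            return True
        if verdict == "ESCALATE":
            return any(e["body"].get("kind") == "approval"
                       and e["body"]["approves"] == decision["sig"] for e in self.entries)
        return False

    def verify(self) -> bool:
        """Recompute every signature and chain link; any edit or deletion fails."""
        prev = "0" * 64
        for e in self.entries:
            if e["body"]["prev"] != prev or not hmac.compare_digest(_sign(e["body"]), e["sig"]):
                return False
            prev = e["sig"]
        return True


def demo() -> dict:
    """Walk three constructed proposals through the gate; returns verdicts and checks."""
    log = DecisionLog()
    small = log.decide(Proposal("refund-agent", "refund", 40.0, "order-1001", {"ticket": "T-1"}))
    big = log.decide(Proposal("refund-agent", "refund", 2500.0, "order-1002", {"ticket": "T-2"}))
    wrong = log.decide(Proposal("refund-agent", "reprice", 0.1, "sku-7"))
    before = log.may_execute(big)          # False: escalation is enforced, not aspirational
    log.approve(big, approver="ops-manager@example")
    after = log.may_execute(big)           # True only once a signed approval exists
    intact = log.verify()
    log.entries[1]["body"]["amount"] = 25.0  # simulate after-the-fact editing of the record
    return {"small": small["body"]["verdict"], "big": big["body"]["verdict"],
            "wrong": wrong["body"]["verdict"], "before": before, "after": after,
            "intact": intact, "tampered_detected": not log.verify()}


if __name__ == "__main__":
    print(demo())
```

Two design points map directly onto the memo's weak-versus-strong contrast. `may_execute` is the word "cannot" in code: an escalated action has no path to execution until a signed approval entry exists, so a person under deadline pressure cannot route around the review. And `verify` is the difference between a record and a reconstruction: each entry is signed when it is written and chained to its predecessor, so an amount edited after the fact, or an entry quietly deleted, fails verification rather than being quietly absorbed.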

KAiM helps institutions map these controls and enforce them. The principle is that AI proposes and deterministic evaluators enforce — controls before the action, evidence after, bounded authority throughout, and a signed decision record for every consequential decision. KAiM Helm is at the design-partner and controlled-demonstration stage; the controls described here are real and demonstrable, and we make no customer-deployment or certification claims.

If your board wants real answers to these questions rather than reassurances, a Control Gap Assessment is the place to start. It is a scoped read of where AI is already taking consequential actions in your organization, which of those actions are governed by an enforced control versus a policy, and what a decision record would actually show today — with honest status for each. It gives the board something it can act on, in its own language.