UK boards are now formally expected to demonstrate informed oversight of AI — and nearly three-quarters currently lack the expertise to do it. In April 2026, KPMG and the INSEAD Corporate Governance Centre published a global framework of five AI Board Governance Principles, setting out precisely what boards must own, ask, and decide as AI moves from experiment to enterprise infrastructure. For UK senior executives, this is the clearest articulation yet of what responsible AI oversight looks like — and the gap between that standard and current boardroom practice is significant.

This is not a theoretical concern. The KPMG Global AI Pulse Survey found that 73% of boards are perceived to have only moderate or limited AI expertise, at the same moment when regulators, investors, and institutional shareholders are scrutinising AI governance more closely than ever. The question for UK boards is not whether to engage — it is whether they can demonstrate they already have.

Why Is AI Governance Now a Board — Not Just a Management — Responsibility?

Boards have long been able to delegate AI strategy to management, treating it as a technology delivery question. That delegation is no longer defensible. Three forces are converging to place AI governance squarely at board level in 2026.

First, the regulatory environment has hardened. The EU AI Act’s major enforcement milestone arrives in August 2026, the FCA and Bank of England issued a joint statement in May 2026 flagging systemic risk implications of advanced AI in UK financial services, and the UK government’s sector-by-sector approach is producing enforceable expectations. Under the Senior Managers and Certification Regime, named individuals — not the organisation in the abstract — carry accountability for material governance failures.

Second, the risk profile of AI has changed. Agentic AI systems — where AI takes autonomous actions across business processes — are now deployed by 87% of UK business technology decision-makers, according to research by Logicalis. Yet only a quarter of those organisations have strong governance in place. That is not an IT gap. It is a board oversight gap.

Third, investors and institutional shareholders are asking direct questions. Where a board cannot demonstrate it understands how AI is deployed, monitored, and controlled within the organisation, governance credibility suffers — and so does the firm’s ability to attract long-term capital on favourable terms.

Executive Action

  • Request a board-level AI maturity briefing from your CTO or CDO — framed around governance, not just capability.
  • Confirm which named senior managers carry accountability for AI-related decisions under your SMCR mapping, and whether those statements of responsibility are current.
  • Ask your General Counsel to assess exposure under the EU AI Act if your organisation processes EU data or operates across borders.

What Are the Five AI Board Governance Principles — and What Do They Demand of UK Boards?

The KPMG/INSEAD framework is structured around five principles. Each one maps directly to questions a UK board should be able to answer before the end of 2026.

1. Strategic Oversight for Long-Term Value Creation. Boards must provide active direction on how AI serves the organisation’s strategic purpose — not simply ratify what management proposes. This means understanding AI’s role in competitive positioning, capital allocation, and risk appetite at a level sufficient to challenge executive recommendations. Boards that treat AI strategy as a management matter they periodically hear updates on are not meeting this standard.

2. Active Technology and Security Oversight. Boards must engage directly with AI-related technology risk — including third-party model dependency, data sovereignty, and the cybersecurity implications of AI-enabled attack vectors. This is not the same as understanding individual tools. It means the board is asking whether the organisation’s AI stack creates concentration risk, regulatory exposure, or resilience gaps that have not been mitigated.

3. Workforce Transformation and Human Accountability. As INFORMD has reported, AI workforce planning is already a board accountability question — with graduate hiring down and role profiles being rewritten at pace. The KPMG/INSEAD principle goes further: boards must ensure that productivity gains from AI are not achieved by removing human judgement from decisions where human accountability remains legally or ethically required. That distinction matters particularly in regulated sectors.

4. Building Trustworthy AI. Boards must satisfy themselves that the organisation’s AI systems meet standards for explainability, fairness, and regulatory compliance — and that there is a credible internal process for identifying and remediating failures. For UK boards, this connects directly to the ICO’s guidance on automated decision-making under UK GDPR, and to the FCA’s expectations around model risk in financial services.

5. The Work of the Board Itself. This is the principle most often overlooked: AI is changing how boards can and should operate. From AI-assisted board papers to automated regulatory monitoring, boards need to consider both the opportunities and risks of AI in their own oversight processes — and establish appropriate guardrails for their own use of these tools.

Executive Action

  • Map each of the five principles against your current board agenda and committee structure. Identify which principles have no formal owner and no standing agenda slot.
  • Commission a targeted board skills assessment against AI governance competencies — the INFORMD executive knowledge tools include practical assessments designed for board members and C-suite leaders.
  • Ensure your Audit or Risk Committee has a standing agenda item covering AI model risk, third-party AI dependency, and regulatory horizon for AI.

How Should UK Boards Structure Their AI Oversight — Practically?

Most UK boards do not need a dedicated AI committee. What they need is deliberate integration of AI governance into existing structures — with clear accountability, regular cadence, and a meaningful information flow from management.

The structures that work typically share three characteristics. First, there is a named executive — usually the CTO, CIO, or CDO — who is accountable to the board for AI governance and who provides a regular, structured update that goes beyond capability announcements to include risk metrics, regulatory developments, and governance incidents. Second, the Risk or Audit Committee has explicit terms of reference covering AI-related risk, with access to independent expert advice where the internal capability is limited. Third, the board has approved — not simply noted — an AI governance policy that sets out risk appetite, prohibited use cases, oversight thresholds for new AI deployment, and escalation procedures.

Research from Deloitte UK’s 2026 State of AI in the Enterprise report found that organisations where senior leadership actively shapes AI governance achieve significantly greater business value than those where governance is delegated to technical teams alone. This is not a compliance argument. It is a commercial one.

The INFORMD board strategy templates include a technology governance review framework suitable for adapting to AI oversight — covering committee terms of reference, executive reporting structures, and policy approval workflows. The INFORMD executive briefing library carries the full suite of AI regulatory intelligence for UK senior leaders.

Executive Action

  • Review your Risk or Audit Committee terms of reference. If AI model risk, third-party AI dependency, and regulatory AI exposure are not explicitly in scope, update them before your next board cycle.
  • Confirm that your board has formally approved an AI governance policy — not simply received a management presentation about AI strategy.
  • Schedule a board-level AI governance review for Q3 2026, ahead of the EU AI Act’s August enforcement milestone and the FCA’s expected further guidance in autumn.

What Does Good Board-Level AI Oversight Actually Look Like?

The KPMG/INSEAD framework is explicit that boards should not step into management — their role is to ask the right questions, set appropriate risk appetite, and hold management accountable for the answers. In practice, that means boards need to be capable of asking meaningfully challenging questions, not just receiving and approving management reports.

Boards with strong AI oversight typically ask: What are the five highest-risk AI deployments in this organisation right now, and what controls are in place? Where are we dependent on AI systems we do not own or fully understand? What would a material AI failure look like for this organisation — operationally, reputationally, and regulatorily — and do we have a tested response? What is our exposure to the EU AI Act, and who owns that assessment?

If your board cannot currently answer those questions with confidence, that is the governance gap. INFORMD tracks these developments continuously so UK senior executives have the intelligence they need to ask the right questions at the right time.

INFORMD provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Explore our full library of executive briefings or speak to our team.

Frequently Asked Questions

What is the KPMG and INSEAD AI Board Governance framework?

Published in April 2026 by KPMG International and the INSEAD Corporate Governance Centre, the AI Board Governance Principles provide a global framework of five principles covering strategic oversight, technology and security, workforce transformation, trustworthy AI, and the board’s own governance processes. The framework was developed with input from experienced board members globally and is designed to help boards ask the right questions about AI without crossing into management territory.

Are UK boards legally required to oversee AI?

There is no single UK statute that mandates board-level AI oversight, but the requirement emerges through several overlapping frameworks. Under UK GDPR and the ICO’s automated decision-making guidance, organisations must be able to explain and challenge AI-driven decisions affecting individuals. In UK financial services, the FCA and PRA’s model risk expectations and SMCR accountability requirements place individual senior manager liability on AI-related governance failures. The EU AI Act applies to UK organisations deploying AI to EU users or processing EU data. Boards that cannot demonstrate active oversight face regulatory, reputational, and investor exposure.

How do boards build AI competence without becoming technical experts?

The KPMG/INSEAD framework is explicit that boards do not need technical expertise — they need governance literacy. That means understanding AI risk in business terms, knowing which questions to ask management, and being able to evaluate whether the answers are adequate. Targeted board skills assessments, structured executive education, and regular briefings from an independent source are the most practical routes. Bringing an NED with relevant technology or AI experience onto the board — or engaging an independent adviser — is increasingly common in FTSE 250 and mid-market organisations.

What should a UK board do before the EU AI Act enforcement milestone in August 2026?

Before August 2026, UK boards should ensure they have a clear picture of any AI systems their organisation deploys that interact with EU users, process EU personal data, or could be classified as high-risk under the Act’s categories. The board should confirm that management has completed an AI system inventory and assessed risk classification, and that there is a named individual accountable for EU AI Act compliance. Boards in regulated sectors should also review the FCA and Bank of England’s May 2026 joint statement on AI systemic risk and confirm their internal governance structures are consistent with the expectations it sets out.

