AI / Governance · 2026-06-22

Board-level AI governance: the oversight that separates value from accumulated risk

By Massimiliano Moreni (Eng.)

Almost every company uses AI, yet almost no board governs it: across 3,048 listed companies only 8% disclose board-level oversight of AI and just 16% have a director with AI expertise (ISS STOXX, 2026). The gap is not technical, it is a gap of governance. Here is the oversight framework that turns AI from diffuse risk into governed value.

In barely two years artificial intelligence has entered almost every company: marketing, sales, the supply chain, back-office processes. It entered from the bottom, function by function, often without anyone at the top governing its perimeter. And here is the problem that 2026 puts at the centre of the boardroom agenda: AI is everywhere in operations, and almost nowhere in control. The thesis, plainly stated: the risk is not adopting AI, it is adopting it without the board governing it. A company that uses AI in ten processes and oversees it in none is not at the cutting edge: it is exposed, and it does not know it.

The figure that captures the gap. According to the 2026 ISS STOXX analysis of 3,048 companies across the Russell 3000 and S&P 500, only 8% disclose board-level oversight of artificial intelligence, around 9% have formal policies for AI development, deployment and monitoring, and just 16% have at least one director with specialised AI expertise; only 4% have two or more, and three quarters of all oversight cases concentrate in five sectors. In the background, operational adoption is now near-universal (McKinsey, State of AI). Translated: AI is used everywhere, controlled almost nowhere, and the expertise to control it is missing in the very room where it should be decided. The gap is not technical; it is a gap of governance.

Two notions not to confuse. The operational use of AI is the deployment of tools across processes: who picks them, integrates them, extracts efficiency from them. AI governance is something else: it is the set of bodies, delegations, written rules and checks through which the board decides which risks the company is willing to run with AI, who answers for them, and by what metrics both its value and its danger are measured. The first is a matter of function; the second is a matter of the board. Confusing the two levels is the original error: delegating to the IT department a choice that is, in substance, a choice of enterprise risk, and therefore the board's to make.

The traps that accumulate risk in silence. The ways to fail are few and recurring. AI as an IT project: treated as technology to implement rather than risk to govern, it falls off the board's radar. Unmapped risk: data leaking out, bias in decisions, hallucinations passed off as reliable output, third-party models beyond one's control, regulatory exposure as the EU AI Act imposes rising obligations. Diffuse accountability: when everyone uses AI and no one oversees it, then in case of harm there is no responsible party, only a void. And the costliest trap, governance declared but not implemented: policies that exist on paper and not in real mechanisms, a cosmetic reassurance that an experienced investor, or a regulator, will not miss. None of these is a technology problem. They are all problems of control.

Why it matters now. Three forces converge in 2026. Regulation: the EU AI Act is now operational and introduces obligations proportionate to risk, with accountability that runs up to the top. Capital: investor patience is finite, and the gap between those who demonstrate solid governance and those who merely claim it is widening, at entry as at exit. And the nature of the risk itself: AI is not a neutral tool added to processes, it is a lever that amplifies value and error alike, and a lever is governed, not left loose. This is why board oversight of AI is, according to the leading governance sources, the declared priority of 2026: not as a fashion, but because the cost of non-control has become visible.

How Krymax steps in. We bring AI control into the board's decision process, with a perimeter defined from day one. We map where AI is already in use and what risk it carries, and we build an AI risk register legible at board level. We design the bodies and delegations: who decides the acceptable risk threshold, who answers for it, at what cadence the board reviews exposure. We write the policies that actually work, anchored to mechanisms and not to slides, aligned with the AI Act's obligations. We set dual KPIs: of value (where AI truly shifts the margin) and of risk (where AI can cost dearly), because a board must see both in the same picture. All of it in boardroom-ready deliverables, legible to a bank or an investor. With Swiss rigour, confidentiality and accountability for the numbers. And with a firm principle: when the mandate ends, control stays in the company, so that AI governance is not a dependency on the consultant but a way of deciding that holds on its own.

In 2026 AI no longer separates companies into those that use it and those that do not: almost all of them use it. It separates them into those that govern it and those that submit to it. The first create governed value; the second accumulate a risk they never chose to run. That is exactly where we work.