At least one director on your board is summarising the board pack in ChatGPT. I'd put money on it. No policy covers it, no risk register entry mentions it, and nobody has raised it at a meeting, because nobody wants to be the one who admits to it first.

I run facilitated sessions with UK boards on exactly this question, and the pattern is remarkably consistent. When you create the conditions for honesty (Chatham House rules, no minutes, no judgement), directors describe a level of AI use that the board, as a body, has never discussed.

What directors are actually doing

The genuinely common uses, in roughly descending order of frequency:

  • Summarising the board pack. A 200-page pack arrives five days before the meeting. A free AI tool turns it into two pages in forty seconds. Of course people are doing this.
  • Preparing questions. "I'm a non-executive director reviewing a proposal to outsource our finance function. What should I be asking?" This is one of the better uses of the technology, incidentally.
  • Translating jargon. Directors quietly asking a chatbot what the CTO's paper actually means. If your board needs this regularly, that's a reporting problem, not a director problem.
  • Drafting. Chair's statements, committee reports, appraisal feedback, sensitive emails.
  • Due diligence. Researching counterparties, acquirers, and prospective fellow directors.

None of this is irrational. Most of it is exactly the productivity benefit the technology promises. KPMG's Board Leadership Center survey found directors consistently cite productivity as generative AI's top benefit, while also reporting that very few boards have any real GenAI expertise of their own. The same gap shows up at the index level: The Conference Board found that 83% of S&P 500 companies now disclose AI as a material risk, while only 2.7% of directors have any disclosed AI expertise. The technology arrived faster than the capability to govern it. Your board is not unusual.

Why it's a board problem, not an IT problem

The issue is not that directors are using AI. It's that they're doing it with the most sensitive material a company produces, on personal accounts, with no agreed rules.

Walk through what's actually in a board pack: management accounts, forecasts, legal advice, personnel matters, deal discussions. Paste that into a free consumer AI tool and several things may be true at once: the content leaves your jurisdiction; it sits on infrastructure you have no agreement with; and depending on the tool and its settings, it may be retained and used to train future models. If the pack contains personal data, you have a UK GDPR question. If it contains legal advice, you may have just weakened privilege. If it contains market-sensitive information about a listed counterparty, you have a more serious problem still.

And the regulatory direction of travel is unambiguous. The Financial Reporting Council has now published guidance on AI use twice: its AI in Audit guidance in June 2025, and its Generative and Agentic AI guidance in March 2026, the first of its kind from any audit regulator globally. The documents are addressed to auditors, but the principle the FRC keeps repeating travels well beyond audit. Mark Babington, the FRC's Executive Director of Regulatory Standards, put it in one sentence:

“If you use this technology, you are still accountable for it. You can't blame it on the box.” (Mark Babington, FRC)

For directors, that's not a new principle: it's the old one restated. Section 174 of the Companies Act requires reasonable care, skill and diligence. Delegating your reading to a tool that invents numbers roughly as confidently as it reports them does not discharge that duty. If an AI-generated summary misses the one line in the pack that mattered, "the software didn't flag it" will not be a defence anyone enjoys giving.

What to stop doing this week

  • Stop putting board materials into free-tier AI tools. This is the single highest-risk habit, and the most common. Free tools, personal accounts, default settings: that combination should simply end.
  • Stop using personal accounts for anything board-related. If the organisation provides an enterprise AI tool, use that. If it doesn't, that's a gap to raise, not a licence to improvise.
  • Stop pasting names, financials, and counterparties. If you must use AI to think through a board issue, strip it to the pattern: "a company of X size considering Y" rather than the real documents.
  • Stop treating the output as advice. AI-generated text is a draft from an articulate stranger who hasn't seen your company and occasionally lies. Verify before it influences a decision.

What good looks like

The boards that handle this well don't ban the technology, because prohibition just drives usage further underground. They do four things:

  1. They surface actual usage. One honest conversation, properly facilitated, gets the real picture on the table. You cannot govern what nobody will admit to.
  2. They provide a sanctioned route. An enterprise-grade tool with a no-training data agreement, available to every director, kills most of the shadow usage on its own.
  3. They adopt a short policy. Two pages, three tiers: what's always fine, what needs safeguards, what's never acceptable. I've written a step-by-step guide to producing one in an afternoon.
  4. They put it on the risk register. With an owner and a review date. AI use that has a home in your governance machinery gets discussed; AI use that doesn't gets discovered.

The uncomfortable truth is that your directors' AI use is currently governed by whatever each individual privately considers sensible. For most boards, that's a wider spread than anyone around the table would be comfortable seeing written down. The fix isn't dramatic. It's one honest session, one short policy, and one line on the risk register. That is a remarkably small price for being able to answer "yes" when someone finally asks whether the board has this under control.