Brad Ferris
The Director's Lens
Edition 03 · AI Governance

AI governance for SME boards — what directors actually need to ask

Most board-level AI guidance assumes an enterprise risk function and a dedicated CISO. For SME directors the real governance exposure is closer and more urgent.

Published 24 April 2026
The Governance Story

Why the board-level AI conversation lags the operational reality.

The board-level AI guidance that gets airtime at conferences assumes an enterprise risk function and a dedicated CISO. SME directors face an exposure that is closer and more urgent than that, and the frameworks that actually matter to them are tighter than the ones on the conference circuit.

The challenge is not that SME boards are ignorant of AI. Most directors are aware it exists, that their businesses are deploying it, and that regulators are paying attention. The challenge is that the governance conversation hasn't caught up with the operational reality. AI systems are live in production in businesses that have no formal AI register, no pre-deployment review, and no board reporting framework.

From a director's perspective, this is a fiduciary exposure. The ASIC guidance on cyber risk — and its emerging framing on AI risk — is moving toward the same accountability standard that applies to financial controls: if you couldn't describe it to a regulator, you weren't governing it. The question for every SME board is whether they can meet that bar today.

Questions I'd Ask in the Boardroom

What I'd want answered at the next SME board meeting.

  • If your business deployed an AI system tomorrow and it made a commercially material error before lunch, who at this table could explain to a regulator why it happened?
  • Can management name every AI system currently in production — what it does, what data it touches, and who owns it operationally?
  • What is the pre-deployment review process for AI tools? Who signs off, and what are the criteria?
  • How are AI vendor contracts structured? Do they include audit rights, data handling obligations, and liability clauses for model failures?
  • What does the board receive in terms of AI reporting? Is it operational metrics, or does it include risk and governance indicators?
  • If a key AI vendor failed or was acquired tomorrow, what is the business continuity position?

Red Flags & Watch Points

The three gaps that tell you the governance work hasn't started.

  • No one can name the systems. If management can't name every AI tool currently in production in five minutes, the board has a governance gap, not just an information gap.
  • No pre-deployment review. AI tools adopted by business units or individuals without any formal sign-off create vendor dependency and data handling exposure with no board visibility.
  • No audit rights. AI vendor contracts that don't include the right to audit model behaviour, data usage, or failure-mode handling leave the board with accountability but no levers.

Opportunity & Risk Balance

What an SME board gains, and what it's betting against.

The Real Opportunity

The upside for SME boards that get this right is real: operational leverage, faster decisions, lower cost of execution in customer service and back-office functions. The businesses that deploy AI thoughtfully — with clear ownership, proper vendor contracts, and meaningful board reporting — will outperform those that treat it as a productivity tool with no governance wrapper.

The Structural Risk

ASIC's evolving position on technology governance is explicitly moving toward director personal liability for failures that could have been foreseen and managed. A commercially significant AI error — wrong customer data, a biased lending decision, a privacy breach — in a business with no governance framework is a regulatory and reputational event. For the board of a mid-sized private company or NFP, it can be an existential one.

Director's Recommendation
My position

An SME board should demand a one-page AI register at the next meeting. Not a policy document. A list — what systems, what they do, who runs them, what the failure mode looks like, and what the board reporting cadence will be going forward. If the management team can't produce it in fourteen days, that is itself the finding. It tells you exactly where the governance work starts.

Researched and drafted by Brad's agentic AI team. Edited and published by Brad Ferris.