Governing the Upside: Why board guidance on AI is mostly brakes and limited steering
- Dr John H Howard

- 18 hours ago
- 7 min read
John H. Howard, 16 July 2026
A library with a missing shelf

Boards now have no shortage of guidance on artificial intelligence.
Director institutes have published well-crafted guides anchored in directors' duties and organised around the elements of safe and responsible AI governance. Audit firms offer governance roadmaps. Law firms publish oversight playbooks. Governance platforms supply committee charters and reporting templates.
Read across this library, and a pattern emerges. Almost all of it concerns oversight, risk, controls and compliance. Almost none of it addresses the question a board exists to answer: how should this organisation use AI to develop its business, create new value and out-innovate its competitors?
The guides know about the imbalance. Most open by declaring that AI offers opportunity as well as risk, and some state plainly that boards moving beyond compliance towards strategic foresight will be best placed to capture value. The trouble is what follows. Risk receives frameworks, checklists, escalation protocols and disclosure templates. Strategy receives a paragraph of encouragement. A director who followed the guidance faithfully would be well protected and poorly focused.
Table 1: How current board AI guidance treats the two halves of the duty
Dimension | Treatment of risk | Treatment of strategy |
Tools provided | Frameworks, checklists, escalation protocols and disclosure templates | A paragraph of encouragement |
Committee ownership | Audit, risk or technology committees with defined charters | No settled home; strategy discussions occur without an AI-specific method |
Reporting to the board | Structured risk registers, incident reports and assurance dashboards | Rarely specified |
Authorship of guidance | Director institutes, law firms, audit firms and governance platforms | No equivalent authorship base |
Consequence of omission | Visible, priced by liability and enforcement history | Invisible; a missed opportunity almost never ends up in court |
Why the imbalance is built in
This is no accident of drafting. It reflects who writes the guidance and how liability works. The authors are director institutes, law firms, audit firms and governance software providers. Their expertise, and their commercial offering, concern the prevention and detection of failure. They write what they know, and they write for the risk committee that buys their services.
Directors' duties reinforce the tilt. Under Australian corporations law, liability attaches visibly to failures of oversight, and enforcement history has established that leaving material risks to management is no defence. A missed strategic opportunity, by contrast, almost never ends up in court. The law prices omissions of oversight and ignores omissions of strategy, so guidance written by lawyers does the same.
Committee placement completes the picture. Most boards have lodged AI within their audit or risk committees, or in technology committees modelled on them, and the subject has adopted their language and routines. Strategy discussions, where they occur, happen elsewhere and without any AI-specific method. Survey evidence suggests the discomfort is real: in one recent international survey, fewer than one director in ten rated their board as having strong AI expertise, the lowest score in any area covered.
Direction is part of the duty

The compliance reading of directors’ duties is a partial one. Under the Corporations Act, the business of a company is managed by or under the direction of its board. Direction is the operative term. Boards approve strategy, allocate capital, appoint and appraise the chief executive, and set the terms on which management may pursue opportunity.
The duty of care and diligence runs in both directions. A director exercising reasonable care should be satisfied that the company is positioned to compete, and not merely that it is shielded from harm. The business judgment rule protects informed decisions taken in good faith after due inquiry. It offers little shelter to a board that never reached a judgment at all.
Direction setting is exercised through instruments that lie within the board’s own control. The board sets its agenda, determines the information it receives, decides which committee holds a subject, and specifies the skills for which it recruits. Each of these choices is discretionary. On present evidence, it would appear that each is being exercised in ways that work against strategic engagement with AI.
Governance codes point the same way. The ASX Corporate Governance Council asks boards, in broad terms, to approve strategic objectives, to satisfy themselves that the entity holds the resources and culture needed to achieve them, and to oversee management’s capacity to deliver. Nothing in the arrival of AI displaces those expectations. Guidance that quarantines AI within the risk function treats a strategic technology as a compliance exception.
The result is a question of proportion rather than of legality. A board that devotes its entire AI agenda to control frameworks, and none of it to where the technology takes the business, has not discharged its duty more safely. It has discharged half of it.
Figure 1: The board's AI duty runs in both directions: current guidance equips only one of them

What a compliance-first approach costs
How a subject is framed shapes how it is handled. Guidance that treats AI as a hazard to be contained, rather than a technology to be applied, shapes what boards ask, what management prepares, and in the end what organisations do.

The most visible consequence is adoption without transformation. Organisations deploy AI as an efficiency overlay, in drafting assistance, meeting summaries and coding support, while products, pricing, channels and organisational design remain untouched. The technology is domesticated before it can be applied. The economics of general-purpose technologies suggests this is exactly how productivity gains are forfeited: returns arrive when firms reorganise around a technology, not when they simply install it.
A second consequence follows a pattern familiar from earlier transitions, described elsewhere in our work as the migration of value. When incumbents hesitate, value moves along the chain to those who act: platform and model providers, data-rich intermediaries, and new entrants carrying no legacy. A board that has fully discharged its compliance obligations may preside over a business whose margin has quietly moved elsewhere.
There is a cultural cost as well. When the board's only AI questions concern incidents, vendors and controls, management learns to present AI defensively. Proposals arrive pre-shrunk to fit the risk appetite statement. Experimentation is deterred not by prohibition but by the absence of any forum in which an ambitious proposal could be heard on its merits.
What the missing guidance would say

None of this is an argument against good governance. Responsible deployment is a precondition of durable value, and the existing guidance addresses real obligations well. The argument is for symmetry: boards should be able to interrogate the upside with the same rigour they apply to the downside. What would that involve?
The starting point is a distinction between AI as a general-purpose technology and AI in applied, industrial form. Strategic value does not arrive with a foundation model licence. It arrives when the technology is embedded in products, services and decisions specific to an industry, in combination with assets the organisation holds or builds: proprietary data, domain expertise, workforce capability and redesigned processes.
Comparative evidence on that point is accumulating. Research being finalised at the University of Technology Sydney has examined innovation districts and ecosystems across some thirty countries and the conditions under which investment in AI converts into measurable productivity. The recurring finding is that the technology travels freely between places while the complements around it do not.
Those complements include proprietary data, applied research capacity, workforce skills, and the management and governance practices that permit organisational redesign. Where the last of these is missing, adoption stalls at the level of tooling. The study describes the gap between technical adoption and organisational change as a management chasm, and locates responsibility for crossing it well above the chief information officer. Publication is expected later in 2026.
A board equipped for that conversation would put questions of the following kind to management, with the persistence it currently reserves for the risk register.
Where does AI change the economics of our customers, and what does that imply for what they will pay us for in three years?
What business could a well-funded entrant, starting today with no legacy, build against us using this technology?
Which of our capabilities and assets appreciate under AI, and which depreciate? What are we doing about each?
What is our cost of inaction, priced with the same discipline we apply to the risk register?
These questions can be organised into a workable framework across five domains: market and customer value, business model and revenue, capability and complements, ecosystem position, and investment and portfolio governance. Set alongside the established elements of safe and responsible governance, the two frameworks would give a board what it currently lacks: one set of tools governing the downside, and one governing the upside.
Table 2: A five-domain framework for governing the upside
Domain | Illustrative board questions |
Market and customer value | Where does AI change the economics of our customers, and what does that imply for what they will pay us for in three years? |
Business model and revenue | What business could a well-funded entrant, starting today with no legacy, build against us using this technology? |
Capability and complements | Which of our capabilities and assets appreciate under AI, and which depreciate? What are we doing about each? |
Ecosystem position | Where is value likely to migrate along our chain as AI diffuses, and which partnerships and data positions secure our place in it? |
Investment and portfolio governance | What is our cost of inaction, priced with the same discipline we apply to the risk register? |
The opportunity for practice and policy
For directors, there is a clear message: Compliance is necessary and insufficient, and the board that treats its AI obligations as complete once the governance framework is in place has answered the easier of its two questions.
For policymakers, the imbalance in guidance may help explain a wider puzzle: strong AI adoption statistics sitting alongside weak productivity outcomes. If boards are equipped only to contain the technology, diffusion will be broad and shallow.
References
Brynjolfsson, E., Rock, D., & Syverson, C. (2021). The productivity J-curve: How intangibles complement general purpose technologies. American Economic Journal: Macroeconomics, 13(1), 333–372.
Howard, J. H. (2025). The handbook of innovation ecosystems. Acton Institute Publishing.
Howard, J. H. (2026). Making sense of AI in 2026: A framework for policy and practice. Acton Institute Publishing.



Comments