What Questions Should Directors Be Asking About AI?

Recent (2025) McKinsey research found that 66% of directors report limited to no knowledge or experience with AI, yet 88% of organizations are already using AI in at least one business function. A PwC survey found a significant gap between how executives and directors perceive AI as a risk — with nearly half of executives rating it a major concern, compared to only 10% of directors.

For directors who recognize the need to engage more deeply with AI, a practical starting point is knowing which questions to ask. Here are six that cut to the heart of how AI is being deployed, managed, and governed inside the organization.

Start with visibility in AI usage

"What AI systems are currently in use across our organization — and who approved them?"

This is a foundational question. In many organizations, AI tools are being adopted at the business unit level — by marketing teams, finance departments, HR functions — without any centralized tracking or approval process. This question establishes whether the organization knows what it has deployed - and how it got there. It is a basic, solid oversight/governance question for any Director to ask about AI.

Probe for accountability in AI risk

"Who in management owns AI risk — and what does that actually mean in practice?"

When a director asks this question, they should be listening for specifics: Does this person have budget authority? Do they have the power to pause or halt an AI deployment? Are they reporting to the board, or only to the CEO? Many organizations have responded to AI governance pressure by assigning a title — Chief AI Officer, AI Risk Lead — without defining what that role actually controls. Governance that exists on paper but lacks real authority is not governance.

Understand the AI data foundation

"What data are our AI systems trained on or using — and do we have the rights to it?"

This question opens up several important areas of risk that boards should understand. Are the organization's AI tools using proprietary data in ways that could create intellectual property exposure? Is customer or employee data being fed into third-party systems without adequate privacy protections? Have the necessary consents and rights been established? These are not hypothetical concerns — they are active sources of legal and regulatory risk in every organization using AI.

Understand how AI failures are handled

"What happens when an AI system gets it wrong — and what is the escalation path?"

The purpose of this question is to understand whether the organization has a clear, tested process for identifying failures, escalating them, and correcting them before they cause significant harm. Directors should be asking whether incident response plans exist for AI failures the same way they exist for cybersecurity events or operational disruptions. If management hasn't thought this through in advance, that itself is a risk worth surfacing.

Ask about AI fairness and bias

"How do we know our AI systems aren't producing discriminatory outcomes?"

This question matters on two levels. The first is legal and regulatory. In many jurisdictions, discriminatory outcomes produced by automated systems carry real liability, regardless of whether discrimination was intended. The second is reputational risk. Public trust erodes quickly when organizations are seen to be using AI in ways that produce unfair results. This question also tests what monitoring and testing infrastructure management has in place for AI-produced outcomes.

Connect AI to strategy

"Are we using AI to do existing things faster — or to fundamentally change how we compete?"

This question reveals whether management has a coherent strategic thesis about AI, or whether adoption has been largely reactive.

Different trategic approaches to using AI carry very different implications for investment, risk, workforce, and competitive positioning. A board that doesn't know what the AI strategy is cannot meaningfully evaluate whether the it is appropriate, adequately resourced, or aligned with the broader direction of the business.

Questions directors should ask about AI - Summary

Strong AI governance doesn't require directors to be technical experts. What it does require is the willingness to ask specific, probing questions and to expect answers that are equally specific. The questions above won't make a director an AI specialist. But they will make the board a more effective check on how AI is being used inside the organization — which is exactly what good governance looks like.

Sources

McKinsey & Company. The AI Reckoning: How Boards Can Evolve. December 2025. https://www.mckinsey.com/capabilities/mckinsey-technology/our-insights/the-ai-reckoning-how-boards-can-evolve

PwC & The Conference Board. Board Effectiveness: A Survey of the C-Suite. May 2025. https://www.pwc.com/us/en/services/governance-insights-center/library/board-effectiveness-and-performance-improvement.html

Jim Crocker is an AI governance consultant and board director. He writes about what boards and senior executives need to know about AI at jimcrockerai.com.

This blog is part of the AI Director series: AI Governance Questions Answered