Assessing the risk of AI usage

May 29, 2026 11:27:42 AM

Your board secretary mentions, almost as an aside, that they've been using a transcription app to draft the minutes. It saves them about three hours a meeting. The minutes are noticeably better than they were six months ago. Nobody on the board has asked which app, where the audio lives, or what the vendor reserves the right to do with it.

That's the shape of most AI risk inside ANZ boards right now. Not the futuristic kind. The mundane kind. Already happening, three rows down from the board table, with consequences nobody at the table has yet thought through.

This article is for the director who wants to think those consequences through before someone else does it for them.

Most board AI conversations are at the wrong altitude

The risks directors are being told to worry about – the futuristic ones – aren't the risks most boards in New Zealand and Australia are actually carrying. The risks they are carrying are simpler, more present-tense, and more legally consequential. They don't sit in the AI itself. They sit in the contract behind it, the policy around it, and the record of who decided what with its help.

The Pulse data from our recent survey makes the gap stark. Seventy-nine per cent of directors are using AI weekly. Just 9.4 per cent feel very confident with it. Three-quarters of boards receive AI information ad hoc or never. Only 17 per cent have discussed directors' liability in an AI context, and eight per cent have looked at gaps in their D&O cover. The risks that could hurt directors personally are almost entirely unexamined.

That gap has a distinctive shape. Directors aren't refusing to engage with AI. They're using it. They're just not governing it. Boards are operating with no visibility, no policy, no owner, and no record. That isn't catastrophic by any stretch – it's just bad governance, accumulating in the background until someone asks a question that wasn't anticipated.

Making that call deliberately is the point of this article: escaping both the paralysis ("it's too technical") and the resignation ("everyone's doing it, it's fine").

The four risks most boards are actually carrying today

Reframing the conversation starts with naming the four exposures directors actually face. Each one is specific, recognisable, and resolvable.

1. Confidentiality loss

Consumer-grade AI tools, whether that's the free tier of ChatGPT, Claude or Gemini, or the transcription app the chair started using last quarter, generally reserve the right by default in their terms of service to use your inputs to train their models, share data with third parties, or retain data indefinitely. Opt-outs and retention windows vary by tool and by tier, so the only reliable check is the terms that apply to the specific product and plan actually in use. When a board secretary pastes draft minutes into ChatGPT to tidy them up, or runs a sensitive board discussion through a free transcription tool, that material has just left the organisation's control.

The recent Guardian framing for this is "shrink versus snitch" – the tools feel private, but they're not. What used to be a niche concern among lawyers is now something directors hear about over dinner.

2. Loss of legal privilege

This is the one that should land hardest. In United States v. Heppner (S.D.N.Y., February 2026), a US federal court held that AI-generated legal research was not protected by attorney-client privilege or the work product doctrine. The reasoning: the platform's privacy policy reserved the right to share data with third parties, and counsel had not directed the work.

The same logic travels. If the AI tool used to transcribe or summarise a board meeting reserves the right to share or retain data, the transcript is unlikely to be privileged. Privilege and discoverability are separate questions: a board record that is not privileged can be demanded in litigation whoever holds it, so even "enterprise grade" tools can produce summaries that are discoverable. What the vendor's terms decide is whether privilege was ever available in the first place. ANZ case law hasn't tested this yet, but it's a reasonable assumption that the same reasoning will apply when it does.

The portable version of this for a board: if your meeting is being recorded or transcribed, you should know exactly who holds that data, what they can do with it, how long they keep it, and whether the record could be demanded in litigation discovery. "The app does it automatically" is not an answer.

3. Shadow AI

The Pulse data shows 41 per cent of organisations have informal individual AI use, and 21 per cent of leaders don't know what staff use AI for. That isn't a tooling problem. It's a records problem.

If a manager uses AI to draft a paper that ends up in the board pack, the board is making decisions on AI-influenced material with no audit trail, no review process, and no record of what the AI was asked or what it returned. When something goes wrong, "we didn't know AI was involved" is unfortunately not a defence.


4. Unrecorded decision-making

The most subtle of the four. AI tools that summarise, recommend, or pre-frame decisions effectively become participants in the governance process – but without minutes, without accountability, and without anyone signing off on what the AI said.

This is the distinction between AI used inside a governance process (transparent inputs, auditable outputs, contractual controls) and AI used around it (private prompts, no record, no accountability). The second is the problem.

A director who uses a consumer AI tool to brief themselves on a board paper is introducing an undocumented input into their own decision-making. From a fiduciary standpoint, that's a problem most directors haven't yet thought about.

And the thread tying all four together? The risk isn't abstract. It sits in the gap between what your organisation is doing with AI and what the board can see, record, and stand behind.

How big is the risk, really?

The honest answer: for most ANZ SMB boards, the risk is real but manageable. Most are not about to face a Heppner-style litigation event. Most are not in regulated industries where data leakage triggers automatic notification obligations. Most are not running models that could go rogue.

What most boards are doing is operating without visibility, without policy, without an owner, and without a record. The risk isn't so much that something dramatic happens. It's actually that something boring happens – a meeting transcript leaks, a minute gets paraphrased by a free tool, a decision gets traced back to an AI summary nobody knew about – and the board has no defensible position because it never thought the question through in the first place.

The cost of inaction is an erosion of governance quality that becomes obvious in retrospect, when somebody asks: who decided to use that tool, on what basis, and where's the policy?

Six questions for your next board agenda

The board's job is not to become an AI expert. It's to ensure the organisation is treating AI the way it treats any other governance-relevant input: with named accountability, defined boundaries, documented decisions, and proportionate oversight.

Helen van Orton and Alexie O'Brien have been working with boards on what that looks like in practice. Their starting point (and a useful one for any board reading this) is six questions worth putting on the next agenda. They don't require a director to understand the technology. They require the director to apply governance discipline to AI the way they would to any vendor, any data classification, and any accountability question.

  1. Do we know which AI tools are being used in our organisation, and by whom?
  2. What data is going into those tools, and do we have clear rules about what must not?
  3. Who is accountable for AI governance, and are they reporting to the board?
  4. Which AI-specific risks have we explicitly discussed, and which haven't we?
  5. Are we treating AI as a technology issue or as a strategic governance issue?
  6. Have we discussed our exposure as directors – including liability and D&O coverage – in the context of AI?

Boards that can answer these are in a different position to boards that can't. The 19 per cent of organisations in the Pulse data with a named owner for AI governance are dramatically better placed than the 81 per cent without one – not because they have an AI expert, but because they have a governance leader who can hold these questions on the board's behalf.

Naming an owner doesn't solve the problem. It creates the conditions for the problem to get solved.

So how do you decide what's right for your board?

There is no universal answer. What's right for a given board depends on three things:

  • Risk profile of the data. A charity board handling beneficiary data has different obligations from a sports club board handling membership lists. A private school board recording safeguarding discussions is a different proposition again.
  • Maturity of the organisation. A board with no AI policy is not ready for agentic AI. A board with a named owner, an AI policy, and quarterly reporting is in a different position to consider what comes next.
  • The board's appetite for being early versus being safe. Both are legitimate stances. The problem is drifting into one rather than choosing it.

Used well, AI is a real opportunity for boards – "stress test scenarios, support improved research and challenge exec assumptions and bias," as one director put it in the Pulse survey responses. That's a board using AI to do governance work, not a board outsourcing governance to AI. Yes, the distinction matters.

The most useful framing: the board doesn't need to get this perfect. It needs to be deliberate. The boards that get this right won't be the ones with the most sophisticated AI use. They'll be the ones that can answer, on the record, what AI is being used, by whom, on what data; who is accountable; and how the board sees it.

This is a core governance obligation, not a technical hurdle. Boards have always evaluated the inputs that drive their decision-making, from financial statements and audit results to legal counsel and executive reports. AI is a new format for such information; the underlying principles of oversight are unchanged.

The tools you use to govern are themselves governance choices. The board management platform your organisation runs on, the AI features inside it, the contracts behind those features – these are not technology decisions. They're governance decisions. And the boards that treat them that way will be the ones that hold up.

FAQs

What's the difference between consumer-grade AI and governance-grade AI, in practical terms?

Consumer-grade AI is what most people mean when they say "AI" – the free or low-cost tools designed for individuals, where the vendor reserves broad rights over your inputs in exchange for the convenience. Governance-grade AI is AI deployed under contractual terms appropriate for sensitive organisational data: no training on your inputs, no sharing beyond named and contractually bound sub-processors, defined data residency and retention (including deletion on request), and a clear audit trail of who used it on what. The distinction isn't really about the model. It's about the contract and the controls around it, and those commitments should appear in the signed agreement, not only on the vendor's marketing page.

Does "enterprise pricing" mean a tool is safe for board use?

Not automatically. Enterprise pricing usually buys volume, support, and admin features. It doesn't always buy a different set of data terms. The Heppner reasoning is a useful reminder: a court will look at what the privacy policy actually says, not at what the customer paid. Read the data processing addendum, not the price page, and check whether the no-training, retention and deletion commitments apply to your plan by default or have to be switched on by an administrator or negotiated separately.

What about ANZ case law – is the privilege concern US-only?

ANZ courts haven't tested this yet. But the legal principles underpinning the Heppner reasoning – that privilege depends on a reasonable expectation of confidentiality, and that broad data-sharing terms erode that expectation – aren't US-specific. It's a reasonable assumption that the same logic will travel when an ANZ case eventually arises. Treating board transcripts as potentially discoverable is the prudent default until then.

How do we introduce an AI policy to a board that's never had one?

Start small. Name an owner first – one person, a governance leader rather than an AI expert. Get visibility on what's actually in use across the organisation. Set the first set of boundaries on data that must never enter consumer AI tools. The first board update can simply say "we've started." The rhythm of reporting matters more than the maturity of the policy at week one.

Should we just ban AI in board meetings until we've sorted this out?

Most boards that try this find it's already too late – the tools are embedded in the platforms staff use every day, and the board can't ban what it can't see. A more workable position is to name what's in scope, set the data rules, and treat the rest as a transition. "No consumer AI on sensitive board material" is a clear rule. "No AI" is rarely enforceable.
