A new report from The Conference Board, “From Principles to Practice: Governing AI in the Corporation,” examines how large companies are operationalizing AI governance, drawing on survey data from 130 governance, sustainability, and citizenship executives, as well as insights from Chatham House Rule convenings. The findings show that while many companies have established formal AI principles and embedded governance into risk and oversight structures, implementation remains uneven, particularly as organizations begin to address the broader workforce, environmental, and regulatory implications of AI at scale.
Among the key takeaways:
- AI principles and implementation: Nearly two-thirds (63%) of companies report having an enterprise-wide framework or principles, with implementation focused primarily on internal governance or risk frameworks (53%), employee training (53%), and system design (44%), rather than external disclosures or supplier standards.
- Internal governance structure: Just over half (52%) of companies report a centralized enterprise-wide AI council, steering committee, or equivalent, while others rely on decentralized or function-level coordination (29% and 7%, respectively), and 12% report no formal coordination.
- AI risk priorities: Cybersecurity and data breach risk rank as the top AI concern, followed by privacy, legal liability, and regulatory compliance, while workforce and environmental risks rank significantly lower.
- Board oversight of AI: Audit committees remain the most common AI oversight body, but since 2023 there has been a shift toward technology committees, reflecting a broader view of AI as both a risk and strategic issue.
- Board AI fluency and development: Only 23% of respondents rate their boards as highly AI literate, and most boards are building knowledge through discussions in regular board or committee meetings (67%), management or expert briefings (49%), and engagement with external advisors (42%), with fewer pursuing formal education or recruitment of AI experts.
- Board skills composition: Boards are adding technology and cybersecurity expertise (51% and 27%, respectively) far more rapidly than AI-specific expertise (3%), suggesting a broader capability-building approach.
- External frameworks adoption: Companies most frequently align their AI governance with the NIST AI Risk Management Framework (70%), the EU AI Act (53%), and emerging US state-level regulations (51%).
The report also addresses AI integration into enterprise risk management, regulatory readiness, environmental impacts, and workforce implications, among other governance considerations not noted above.
This post first appeared in the weekly Society Alert!