The most dangerous risk in a boardroom is the one everyone agrees exists but no one can explain. Corporate filings now mention AI oversight. Committees are formed. Yet the gap between signaling and control is widening. If disclosure is rising threefold while understanding stays flat, fragility is compounding, not falling.
Nearly half of Fortune 100 companies now cite AI risk as a board-level concern, a sharp jump from last year. The National Association of Corporate Directors says most boards discuss AI, but many have not built it into governance, strategy, or risk monitoring. A study found 38 percent of business leaders believe their directors do not know how AI is actually used across the firm. That is not oversight. It is theater. Goodhart’s law applies: once AI compliance becomes the target, compliance becomes the game. The metric improves while the risk hides. Boards are buying the optics of control and selling off the substance.
A system is only as robust as its chokepoint. AI has several. Compute supply is concentrated in a few cloud providers and GPU vendors. Foundation models are controlled by a short list of firms. Legal terms often limit vendor liability and leave customers carrying operational and regulatory risk. That is concentration risk masquerading as innovation. The correlated exposure is obvious: a model change, cloud outage, or API pricing shift propagates across customers at once. Call it the inverse of diversification. If five lines of business rely on one model ecosystem, the board does not own five independent bets. It owns one bet multiplied. In markets, correlated tail risk is how good companies go to zero.
Banks spend years validating models they use to price credit. Most non-financial firms now deploy far more complex models in days. Model drift, hallucination, prompt injection, data leakage: these are not one-off bugs. Drift and hallucination are properties of a probabilistic system pointed at tasks it only partially understands. Prompt injection is a consequence of a design that feeds trusted instructions and untrusted content through the same channel, so the model cannot reliably tell the two apart, and data leakage is what it most often produces. Boards allow claims of accuracy rates without base rates. They hear “95 percent” without asking “95 percent of what distribution, under what shifts, and with what cost of a bad miss?” A model that is 95 percent accurate on a balanced test set can be wrong about most of the cases it flags once the thing it predicts is rare in production. In engineering, we run fault trees. In AI, many are running demos. If directors cannot map critical use cases to failure modes and circuit breakers, they do not have a risk framework. They have a press release.
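The base-rate question above, worked through as an added example that is not part of the original essay. It assumes constructed figures: a model with 95 percent sensitivity and 95 percent specificity, a range of production prevalences, and hypothetical costs of 10,000 per missed case and 50 per false alarm. The point it shows is that the headline accuracy stays at 95 percent across every base rate while the share of correct alerts collapses, and how much specificity a rare-event use case would actually need.

```python
"""Base-rate check for a claimed accuracy figure (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    prevalence: float
    accuracy: float       # the headline number a vendor quotes
    ppv: float            # P(truly positive | flagged): how often an alert is right
    npv: float            # P(truly negative | not flagged)
    expected_cost: float  # cost per evaluated case at the assumed prices


def evaluate(sensitivity: float, specificity: float, prevalence: float,
             cost_miss: float, cost_false_alarm: float) -> Outcome:
    """Turn sensitivity/specificity plus a base rate into what the business sees.

    Each quantity is a fraction of all evaluated cases, so the four cells of
    the confusion matrix sum to 1.
    """
    tp = sensitivity * prevalence
    fn = (1.0 - sensitivity) * prevalence
    tn = specificity * (1.0 - prevalence)
    fp = (1.0 - specificity) * (1.0 - prevalence)
    ppv = tp / (tp + fp) if tp + fp else 0.0
    npv = tn / (tn + fn) if tn + fn else 0.0
    return Outcome(
        prevalence=prevalence,
        accuracy=tp + tn,
        ppv=ppv,
        npv=npv,
        expected_cost=fn * cost_miss + fp * cost_false_alarm,
    )


def required_specificity(sensitivity: float, prevalence: float, target_ppv: float) -> float:
    """Smallest specificity that keeps PPV at or above target_ppv.

    Solves ppv = tp / (tp + fp) for the false-positive rate, with
    tp = sensitivity * prevalence and fp = (1 - specificity) * (1 - prevalence).
    """
    if not 0.0 < target_ppv < 1.0 or prevalence >= 1.0:
        raise ValueError("target_ppv must be in (0, 1) and prevalence below 1")
    allowed_fp = sensitivity * prevalence * (1.0 - target_ppv) / target_ppv
    spec = 1.0 - allowed_fp / (1.0 - prevalence)
    return max(0.0, min(1.0, spec))


def shift_sweep(sensitivity, specificity, prevalences, cost_miss, cost_false_alarm):
    """Same model, same headline accuracy, different production base rates."""
    return [evaluate(sensitivity, specificity, p, cost_miss, cost_false_alarm)
            for p in prevalences]


if __name__ == "__main__":
    # Constructed figures: a "95 percent" model; costs are assumed for illustration.
    SENS, SPEC = 0.95, 0.95
    COST_MISS, COST_FALSE_ALARM = 10_000.0, 50.0
    for o in shift_sweep(SENS, SPEC, [0.5, 0.1, 0.01, 0.001], COST_MISS, COST_FALSE_ALARM):
        print(f"prevalence={o.prevalence:<6} accuracy={o.accuracy:.3f} "
              f"ppv={o.ppv:.3f} npv={o.npv:.4f} cost/case={o.expected_cost:.2f}")
    print(f"specificity needed for PPV>=0.5 at 1% prevalence: "
          f"{required_specificity(SENS, 0.01, 0.5):.4f}")
```

At a 1 percent base rate the same "95 percent" model is right about one alert in six, and holding even a coin-flip PPV would need specificity above 99 percent. The questions in the paragraph above (what distribution, what shift, what cost of a miss) are exactly the three inputs this calculation cannot run without.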
When boards do not set guardrails, regulators do. New rules are moving from concept to enforcement. Bias audit requirements for automated hiring are now live in New York City. Global regimes, from Europe’s AI legislation to existing privacy and cybersecurity standards, are converging on documentation, explainability, and accountability. The SEC has raised the bar on cyber incident disclosure. Plaintiffs’ lawyers are active when algorithms deny credit or filter out job applicants. Regulators and courts will not accept “the vendor did it” as a defense. A board that has not cataloged where AI makes consequential decisions, what data feeds them, and how to shut them off is not governing a technology. It is underwriting an unpriced liability.
Directors face pressure from investors, regulators, and employees to show mastery of AI. Many cannot articulate where it is embedded, what data it touches, or what controls exist. That is not a moral failing. It is a literacy problem. The solution is not to make every director a data scientist. The solution is to make the questions non-negotiable. Where does AI make, recommend, or nudge decisions with financial, legal, or reputational stakes? What is the audit trail? What are the thresholds for human review? What are the leading indicators of drift? How do we test for bias and misuse? And the most important inversion: in which parts of the business should we deliberately not use AI because the harm multiplier exceeds the benefit? Boards that avoid that last question are not slow. They are blind.
AI magnifies agency problems. Middle managers are rewarded for speed and cost savings. Vendors are rewarded for adoption. Both create good slide decks. Neither is paid for tail risks that emerge a year later in a different department. Goodhart’s law shows up again: measure response time, and staff will ship faster, even if the failure rate rises where no one is counting. In game theory terms, AI deployment inside a firm is a repeated prisoner’s dilemma. The dominant strategy for each actor is to push forward. The cooperative outcome—measured, controlled rollout—requires enforceable rules and aligned pay. Without that, you get a patchwork of shadow systems, unvetted prompts, and brittle dependencies. Boards should assume this behavior unless incentives are rewritten and audited.
Antifragility is not about avoiding shocks. It is about benefiting from small ones and blocking the big one. In practice: inventory every AI use case and vendor, including the AI features bundled into software the firm already licenses, because that is where shadow use hides. Map decision criticality, data sensitivity, and escalation paths. Build kill switches and quiet periods by design, and exercise them on a schedule; an untested kill switch is a control on paper. Separate experimentation from production through clear access controls and an air gap, so that experiments never hold production credentials or production data. Run pre-mortems and red-team exercises on business-critical flows. Demand independent audits for high-stakes tools, not just bias screens but security, data lineage, and resilience. Negotiate vendor terms that treat data and downtime as shared risks, with real remedies. Cap model complexity where explainability is required by law. Fund internal capability for basic validation, not to replace vendors but to verify them. Most of all, create a single accountable owner at the executive level, with authority across silos, and a board committee that reads more than dashboards.
Boards are told they must move fast or be left behind. That framing hides the real trade. In power law markets, a few capture most of the upside. Everyone else absorbs the cost of adoption, integration, and compliance. Speed amplifies that asymmetry. The upside is thin and delayed for most; the downside is immediate and concentrated for the unprepared. The correct lens is probability-weighted survival. The firms that last build AI like they build safety systems: minimum viable dependency, maximum observable control. They accept short-term envy to buy long-term option value. The rest confuse activity with progress, stack black boxes on black boxes, and call it strategy. AI will not break these companies. Their own governance gaps will.