    Strategy 10 min

    The Board-Ready AI Risk Brief: One Slide, Three Columns, One Meeting

    I have watched executives walk into board AI discussions with a forty-page deck and walk out with a deferred decision. The executives who finish the conversation in one meeting all bring the same slide.

    Sachin Shah

    CRO, Certainly · June 28, 2026

    A scene from last quarter

    I sat in a pre-board call with the COO of a financial services firm. Her deck was forty pages. The board chair had asked her three questions in advance. She had four hundred slides of answer. She looked at the deck on the screen, looked at me, and said, "I am going to lose them by page nine."

    She did not present the forty-page deck. She presented one slide. Three columns. Five rows. The conversation finished in forty minutes. The strategy was approved. Everything else moved to the appendix where it belonged.

    I have watched dozens of these conversations now. The executives who finish in one meeting all bring the same slide. The executives who walk out with a deferred decision all bring a deck. What follows is what to put on the slide and what to leave in the appendix.

    What the board is actually worried about

    Strip every board AI question down and three concerns sit underneath. Will this embarrass us in public? Will it expose us to a regulator or a lawsuit? Will it lock us into a strategic dependency we cannot exit?

    Every other question is a variation. Plan your brief to answer all three directly and the rest of the conversation becomes operational, not existential.

    The five risks that matter

    These are the five that belong on the slide. One row each. Risk on the left. Control in place in the middle. Named owner on the right.

    1. Hallucination and incorrect answers. A confident wrong answer is reputational and legal exposure. The control is not faith. It is architecture. Every answer grounded in a cited source. The model constrained to refuse when retrieval is empty. A continuous evaluation set measuring hallucination rate weekly. The number the board needs is the measured rate, the trend, and the escalation when it crosses threshold.

    2. Data leakage. Sensitive data going to a model provider or surfacing to a user who should not see it. The controls are identity-aware retrieval, PII redaction in transit, no-training contractual commitments from the model provider, regional residency where regulation requires it, and a per-conversation audit log. The number the board needs is which data classes are in scope, which are out, and who reviews the boundary every quarter.

    3. Model and vendor concentration. This is the risk boards under-discuss and that ages the worst. A platform that locks you to a single model or a single vendor is a strategic dependency that compounds. Model prices move. Providers have outages. Geopolitics reshapes availability. The controls are multi-model architecture, prompt and data portability, and contractual exit terms. The number the board needs is the cost and timeline of switching providers under three scenarios.

    4. Regulatory drift. Regulation will keep evolving. The control is not prediction. It is governance primitives in place. Audit logs. Human oversight. Transparency notices. Data minimisation. Deletion on request. The number the board needs is which jurisdictions you operate in, which regulators are relevant, and whether the platform roadmap is keeping pace with each.

    5. Operational fragility. AI systems fail in ways traditional software does not. Latency spikes. Model drift. Retrieval degradation. Prompt regressions. The controls are observability built for AI, runbooks for the common failure modes, and a fallback path to human handling when the system is degraded. The number the board needs is what the worst recent week looked like and what changed after it.

    Five rows. Five controls. Five owners. That is the slide. Everything else is appendix.

    The three risks that get over-reported

    Three concerns that consume disproportionate board time and merit a calmer treatment.

    AI replacing the workforce wholesale. The actual pattern in 2026 is more nuanced. AI absorbs repetitive volume. Humans shift toward higher-value and more emotional work. Headcount mix evolves rather than collapses. Frame the workforce conversation as redesign. The board will hear the difference.

    "Bias" as a generic risk. Real bias risks exist in hiring, lending and healthcare, and they require specific controls. For customer support and internal knowledge, the bias risk is narrower than the headline suggests, and the controls (grounded retrieval, refusal patterns, human oversight) are the ones already in place for accuracy.

    Existential or speculative AI risk. Important industry conversation. Distracting board conversation. Acknowledge it. Point to your controls. Move on.

    If the board wants to spend forty minutes on one of these three, give them ten. The remaining thirty belong on the slide.

    The risk the board is under-reporting

    Inaction. Every quarter spent in evaluation and committee is a quarter your competitor is in production. The cost of delay rarely appears on a risk register. It is often the largest line in the actual three-year P&L impact.

    A defensible brief includes a row for inaction risk and quantifies it. The board has never been shown that row in most of the briefings I have seen. The first time they see it, the strategic conversation accelerates by a quarter. I have watched this happen more than once.

    The slide that ends the discussion

    One slide. Three columns. Five rows for the risks that matter. One row for inaction risk. Owner named on every row. Status in plain language: green, watching, action needed.

    No paragraphs. No screenshots of the assistant. No vendor logos. The board can ask any question they want. The chart already answers most of them, and the ones it does not answer point at the appendix.

    I have never seen this slide fail to close the conversation. I have seen forty-page decks fail to close it many times.

    What to promise the board

    Three commitments that demonstrate maturity without overclaiming.

    Every production AI use case will have a measured success metric and a measured risk metric, both reviewed quarterly. No use case launches without a human escalation path and an audit trail. The platform choice will preserve model and data portability, so the strategy survives the next industry shift.

    Short enough to remember. Strong enough to defend. Honest enough to keep.

    What to refuse to promise

    Two commitments boards sometimes ask for that I would decline.

    Zero hallucinations. The honest target is a measured rate below a defined threshold, monitored continuously. Promising zero sets up the first deviation as a crisis instead of a known operational event.

    Full in-house control. The honest position is a deliberate mix of buy and build, with portability as the guarantee. Promising full control commits you to a build path that the finance case rarely supports. The board will respect a clear answer more than an ambitious one.

    The test I would run before the board meeting

    Hand the slide, without the supporting deck, to three executives who were not in your working group. Two from the business, one from the second line of defence. Ask each of them, separately, to summarise the strategy and the residual risk in two sentences.

    If all three give you the same summary, the slide is ready for the board. If they give you three different summaries, the slide is doing the job of a deck. Rewrite it before the meeting.

    If you want a second pair of eyes on the slide before it goes to the board, book a working session. I will not pitch the platform. I will read your row on each of the five risks, tell you where the control is genuinely in place and where it is hand-waving, and flag the row that will draw the hardest question. The strongest briefs go to the board with the owner named on every row. The strongest of those go in with inaction risk priced.

    Frequently Asked Questions

    What is the single biggest AI risk a board should focus on?

    Concentrated vendor and model dependency. Hallucination, data leak and regulatory exposure all have established controls. Lock-in to a single model or platform with no portability is the risk that ages the worst and is hardest to fix later.

    Is hallucination still a top-tier board risk?

    It is a real risk and a manageable one. Grounding, citations and refusal patterns reduce it to a tail risk in production. Boards should ask for the measured rate and the trend, not for a promise of zero.

    What about the EU AI Act and similar regulations?

    Track them, do not stall on them. Most current obligations for support and internal knowledge use cases are met by controls that mature platforms already provide. Audit logs, human oversight, transparency, data minimisation. The substance is largely already in place.
