CIOs Navigate Growing Demands on Risk, Data, and Board Reporting in AI Governance
In recent years, the adoption of artificial intelligence has surged within enterprises, embedding itself deeply into core business processes. This rapid integration has significantly altered the technology landscape and has been particularly reflected in corporate risk disclosures. A report from The Conference Board’s Governance and Sustainability Center reveals remarkable changes regarding how companies handle AI-related risks, marking a new era in corporate governance.
As of 2023, only 12% of S&P 500 companies acknowledged AI as a material business risk in their annual filings. By 2025, this figure skyrocketed to an astounding 83%. This dramatic rise signifies a growing awareness among executives about the potential risks and implications of AI within their organizations. However, while many organizations approach AI with optimism—with productivity gains predicted by an overwhelming 80%—they are also acutely aware of the looming workforce disruptions anticipated by 75% of surveyed executives.
The complexities surrounding this dual sentiment present a formidable challenge for Chief Information Officers (CIOs), who are tasked with managing rapid technological advancements while simultaneously addressing the risks they pose to the organization. Establishing effective governance measures to mitigate these risks adds a layer of complexity to their already demanding roles. Andrew Jones, a principal researcher at The Conference Board and the report’s author, articulates this shift, stating that within just a few years, companies have transitioned from mere experimentation with AI to its practical integration into business operations. This shift has necessitated a greater awareness of the associated risks.
Amidst these developments, many organizations have begun to implement structured frameworks for their AI initiatives. Approximately 70% of companies now incorporate AI into their risk inventories or heat maps, while 63% have established enterprise-wide AI principles. Furthermore, 52% of companies have formed centralized AI councils to foster governance and cross-functional oversight. Despite this movement toward enhanced governance, the approach remains inconsistent, often viewed through the lenses of technology, legal compliance, and operational risks while neglecting broader implications such as workforce impact and sustainability.
With governance responsibilities increasingly falling on the shoulders of CIOs, the role has expanded from simply deploying AI to overseeing its governance. This change is regarded as significant within the industry. Cybersecurity, data privacy, and legal liability emerge as the primary AI-related risks companies prioritize. According to Jones, discussions with Chief Information Security Officers (CISOs) highlight the centrality of AI in contemporary security concerns, as the evolving attack surface poses additional challenges that keep security leaders up at night.
To successfully manage risks associated with AI, collaboration between CIOs and CISOs becomes essential. While the CISO takes ownership of the technical aspects of cybersecurity and managing the attack surface, the CIO is increasingly responsible for overseeing AI visibility, data governance, and risk tiering. This delineation of responsibilities underscores the importance of efficient communication and workflow between these two critical roles to ensure comprehensive risk management.
Despite their vital role in governance, many boards remain inadequately prepared to grapple with AI complexities. Only 23% of governance leaders report high AI fluency among board members, and the share of independent directors possessing AI-specific expertise rose minimally from 1.5% to just 2.7% between 2021 and 2025. In contrast, broader technology expertise among board members saw a significant increase from 20% to 51% during the same timeframe. This gap presents a unique challenge for CIOs as they work to convey AI risks and governance concerns to boards that may lack the requisite technical understanding.
Delivering reports that effectively communicate the risks, use cases, and governance structures requires CIOs to think strategically about which information should be prioritized to resonate with board members. Jones emphasizes the need for boards to have clarity regarding AI applications within the company and associated risks. He suggests that directors do not need to become experts in AI but should develop an understanding that empowers them to ask the right questions and discern quality responses.
At the heart of sound AI governance lies effective data management. A consensus exists among CIOs that data governance and control represent the top priority for AI governance, with 74% of executives highlighting its importance. As organizations grapple with the complexities of data management, Jones notes that the rise of AI has compelled a renewed focus on clean, well-governed data as the critical foundation for effective AI initiatives.
To build a robust AI governance program, CIOs are advised to adopt a systematic approach. This begins with a comprehensive inventory of AI use cases, encompassing internal tools, vendor offerings, APIs, and employee applications, ensuring visibility is achieved across the enterprise. Subsequently, evaluating this inventory and establishing risk tiers will flag sensitive data interactions and high-stakes business functions. Jones advocates linking AI governance to established cybersecurity structures and enhancing board reporting based on these frameworks.
Importantly, Jones cautions that AI governance cannot be a static initiative; it must evolve alongside advancements in technology. Organizations that established sound governance programs six months ago may find themselves at a disadvantage today due to the rapid pace of technological change. Continuous evolution, therefore, is not just a best practice but a necessity for organizations aiming to maintain an effective governance framework.
As the landscape of AI continues to shift, the responsibility for driving governance, risk oversight, and board engagement will increasingly rely upon the strategic leadership of CIOs who must deftly navigate these challenges.
