Your organisation already uses AI. The real question is whether your board governs it, or simply tolerates it.

Thomas Collins, GAICD.

Ask most boards whether they govern AI and you get one of two answers. Either “we have a policy” or “we are still working that out.” Both miss the point. The AI is already in the building. Staff are drafting with it, coding with it, summarising customer data with it, and making decisions informed by it. The only choice the board still has is whether that use is governed or just permitted.
Permission and governance look similar from the boardroom. They are not the same thing.
The gap between use and control
Permission says the tool is allowed. Governance says the board knows where it is used, what it touches, who is accountable when it goes wrong, and how the organisation would prove any of that to a regulator or a court. Most organisations have raced ahead on use and barely started on control.
The result is shadow AI. Tools adopted team by team, often free, often outside any register, frequently fed with customer or commercial data. No one set out to create an ungoverned risk. It accumulated one helpful shortcut at a time, below the line of board sight.
A practical test
A board does not need to understand model architecture to govern AI well. It needs to know whether anyone in the organisation can answer a short set of questions with evidence rather than a shrug.
IS YOUR BOARD IN CONTROL OF AI, OR JUST PERMITTING IT?
Do we have a current inventory of where AI is used across the organisation, including the tools no one formally approved?
Where does AI touch personal, customer or commercially sensitive data, and who signed off on that?
For any decision an AI helps make about a person, can we explain how that decision was reached?
Who is the named accountable owner for AI risk, and does the board hear from them directly?
If a regulator asked tomorrow how we govern AI, what could we actually put on the table?
If the honest answer to most of these is “we would have to go and find out,” the organisation has permission without governance. That is a defensible place to start. It is a dangerous place to stay.
Australia is not waiting for an AI Act
Some boards are holding back until the law settles. The law is already moving through the regimes that exist. From 11 December 2026, privacy reforms require transparency about automated decision-making, so entities must be able to say where automated or AI-assisted decisions are made and explain them. Australia is governing AI through existing law, sector regulators and the National AI Centre’s voluntary practices, not through a single AI Act. “We were waiting for clearer rules” will not be much of a defence when the rules that already apply were enough.
What good looks like
Good AI governance is unglamorous. A live inventory of use. A clear line of accountability. A short, enforced standard for what data may and may not be put into which tools. A way for the board to see material AI risks before they become incidents. None of it requires the board to become technical. It requires the board to insist on control, not just permission.