AI Governance: Directors Must Shift AI Oversight from the Server Room to the Board Room

Key Points

• We are experiencing an AI boom which is not unlike the dot-com boom times in the late 1990s which was fuelled by unfettered optimism about technology advancements.

• In 30 years, our fallible belief systems, the tech "wild west", knowing our customer, and the marketing of "vapour-ware" hasn't changed all that much.

• What has changed is, despite Australia’s patchwork of AI governance controls, company directors can now be held personally liable for AI governance failures - they have skin in the AI game.

Twenty-five years ago, there was a mad rush for companies to have an online presence, or go out of business. It was labelled the "new economy". The internet and online shopping was the next big thing. The technologist’s warnings were dire, predicting deserted shopping malls and the end of the department store as we knew it. Some of you may remember the heady dot-com days, which kick-started many IT careers in and around the Y2K fiasco, including mine.

During the dot-com days, companies lavishly spent millions on a ".com" internet address, flawed business models, implementing novel technology, all for a tentative consumer that wasn't quite ready to go all-in on e-commerce. Many companies went broke; fortunes were lost and reputations damaged.

In hindsight, one factor that fuelled dot-com was the unfettered optimism that the technology was better than it actually was. Bricks and mortar stores would soon die a cruel and quick death thanks to digitisation of commerce. The outcome didn't live up to the promise and the boom went bust when reality kicked in. But there are some great e-commerce success stories 25 years on such as ebay, Amazon, Google and others.

So, in 2026, billions of dollars are going into an artificial intelligence (AI) revolution at a furious pace. The big AI break-through came about 5 years ago with advancements in generative AI along with the necessary IT infrastructure improvements to quickly process large amounts of data that an AI system needs to do its thing. As of early 2026, roughly 58% of employees report using artificial intelligence regularly at work, with about a third using it on a daily or weekly basis according to Gallup. Many of the current generation of managers, trying to make their way in a largely digital world, won't know or remember much about the good old dot-com days.

The tech innovators and entrepreneurs will always be there, courting us with the next big thing. That’s what they do, and you can't blame them because when their solution sells, they can become instant millionaires. 

Some company’s boards are making big bets on AI reinventing their business model or gain competitive advantage, which has a way too familiar ring about it. So here we are. Deja vu all over again. A new generation of people not old enough to remember the late 1990s gold rush, bustling in to claim their AI stake.

So what is happening in today's AI boom compared to dot-com?

Fallible belief systems persist 

Firstly, I plied my trade battling poor-quality data input systems and databases from the 1990s, knowing all too well the “garbage in garbage out” mantra and its consequences. The technology sector is acutely (and cynically) aware of "Garbage In, Gospel Out" which describes the dangerous tendency for people to believe artificial intelligence outputs as truth ("gospel") regardless of the accuracy, quality, or biases of the initial input data ("garbage"). Every Generative AI tool comes with a content warning: Please check for accuracy. Many don't.

We know more about our customer or do we?

Secondly, we have better tools to give us a much better understanding our customers and their needs. New tools allow us to make small changes to test the market rather than go all in. Marketing managers now prioritise the "customer experience", in which trust plays a big role in fostering recurring purchases. It’s a commercial imperative to be a trusted brand and be transparent in how AI enhances a customer's experience. We've already seen numerous data breaches from big brand names like Optus, Medibank, Canva, Service NSW, Qantas and Latitude. What I am seeing today is a mad rush to implement AI but I am wondering where the customer is in those business cases? I cannot remember one good "AI agent" service experience I've had when forced to interact with a machine as the first point of contact when something goes wrong with a product I've bought.

The tech wild west is still pretty wild

Thirdly, using agile principles, we’re much better at managing IT projects particularly the notion of “failing fast”. Many companies haven’t progressed their AI projects beyond a proof-of-concept stage, essentially successfully failing early with some useful evidence to quickly abandon an immature AI use case or a fruitless project. Unless an AI product or service solves a problem at a price the market can afford, we have nothing to sell. That didn't stop the wild west companies in the 1990s selling “vapour-ware” as it’s known in IT circles. Today's wild west cowboys are out there, with new technology solutions looking for a problem.

A Director can now be personally liable

Lastly, and most importantly, strengthening of the Corporations Act by Australian governments (remember the Banking Royal Commission?) in the last 10 years has substantially increased penalties for misconduct and broadened the scope of personal liability for Directors to use AI responsibly.

Yes, Directors and Board Members can now be held personally liable for AI failures within their company, particularly if those failures result from a breach of their duty of care, diligence, or oversight obligations.

AI regulations

Despite the history lessons from the dot-com era, our Federal Government has adopted a "light touch" AI regulatory approach to the non-government sector through the Voluntary AI Safety Standard (VAISS). The Australian Public Service is mandated to use the Digital Transformation Agencies AI Technical Standard. State and local governments are strongly advised to adopt this AI governance framework.

On August 2, the European Union Artificial Intelligence Act, the first legal framework on AI, comes into force. I believe mandatory regulation in Australia is inevitable, we just need a couple more spectacular Ai failures to lock that in.  It’s only a matter of time, sadly.

Shift the oversight from the server room to the board room

To fulfill Corporations Act obligations, Directors must shift AI oversight from the server room to the boardroom, ensuring they understand, verify and validate any new AI technologies, implement good AI governance, and ensure a human oversees it. 

The trouble is you can’t directly apply tried and true management methods of procuring, implementing and supporting traditional IT to AI systems. There are enough aberrations in the AI lifecycle to keep Directors and executive teams on their toes. For starters, companies are buying potential, not a product. AI systems evolve over time, they degrade, develop bias or drift. More upfront work is needed in developing vendor shared-responsibility, validating input data (the garbage in), more rigorous testing, extensive ongoing monitoring and, last of all, a solid decommissioning plan if things do go pear-shaped. 

Why AI governance is needed right now

AI systems involve a lot more effort to implement them safely. My article on Copilot, calls out the risks of quiet AI convenience. It is much easier to implement AI governance at the same time a new AI system is implemented.

In the next 24 months, I am confident there will be numerous stories about biased AI algorithms used to hire, manage or fire people or incorrect bot advice or diagnosis resulting in consumer injury. And lots more.

There will be plenty of AI failure cases that will raise a corporate eyebrow or two across the board table from unsupervised, unapproved, uncontrolled or unsafe AI systems that cause harm. Boards can not rely on AI-generated information, nor delegate their fiduciary responsibilities to a machine. 

The irrational exuberance of the dot-com days has long been forgotten. But personal liability means Directors now have some skin in the AI game.

Stay safe,

Bruce

ABOUT ME

I write all my own content, you can tell by the odd typo and occasional missing word. I use AI for my research. I also teach organisations how to implement the Australian AI Governance Standard and confidently transition to AI systems. To learn about my upcoming public AI Governance workshops visit: Public workshops

To learn more about AI Governance, check out my Hitchhikers Guide to AI Governance Podcast visit: Hitchhikers Guide to AI Governance Podcast