Risks of Ignoring AI in Boardroom Decisions

Too many Professional Services firms are still hiring like it’s 2015, treating AI as a side project or something that only touches tech. Over 60% of tasks performed by auditors, IT specialists, and data engineers can now be automated or augmented by AI tools. But exposure isn’t the risk, inaction is. High-exposure roles that adopt AI are seeing surging demand and productivity. Those that don’t? They're stagnating or shrinking. The gap isn’t hypothetical, it’s already visible in hiring patterns, compensation trends, and who’s getting promoted. It is well documented that in Professional Services, AI is reshaping the entire pyramid. Junior roles are disappearing or being redesigned. Mid-level work is increasingly dependent on AI fluency. And in functions like HR, finance, and research, AI has already become a core part of the job. Ignoring this isn’t caution, it’s a slow-motion loss of relevance. For senior leaders, the mandate is clear: model AI adoption yourself. Incentivize it across teams. Redesign roles around it. The firms, and the individuals, who learn to work with AI are already outperforming those trying to work around it. And the cost of waiting is growing by the day.

Board Directors: A flawed algorithm isn’t just the vendor’s problem…it’s yours also. Because when companies license AI tools, they don’t just license the software. They license the risk. I was made aware of this in a compelling session led by Fayeron Morrison, CPA, CFE for the Private Directors Association®-Southern California AI Special Interest Group. She walked us through three real cases: 🔸 SafeRent – sued over AI tenant screening tool that disproportionately denied housing to Black, Hispanic and low-income applicants 🔸 Workday – sued over allegations that its AI-powered applicant screening tools discriminate against job seekers based on age, race, and disability status. 🔸 Amazon – scrapped a recruiting tool which was found to discriminate against women applying for technical roles Two lessons here: 1.\ Companies can be held legally responsible for the failures or biases in AI tools, even when those tools come from third-party vendors. 2.\ Boards could face personal liability if they fail to ask the right questions or demand oversight. ❎ Neither ignorance nor silence is a defense. Joyce Cacho, PhD, CDI.D, CFA-NY, a recognized board director and governance strategist recently obtained an AI certification (@Cornell) because: -She knows AI is a risk and opportunity. -She assumes that tech industry biases will be embedded in large language models. -She wants it to be documented in the minutes that she asked insightful questions about costs - including #RAGs and other techniques - liability, reputation and operating risks. If you’re on a board, here’s a starter action plan (not exhaustive): ✅ Form an AI governance team to shape transparency culture 🧾 Inventory all AI tools: internal, vendor & experimental 🕵🏽♀️ Conduct initial audits 📝 Review vendor contracts (indemnification, audit rights, data use) Because if your board is serious about strategy, risk, and long-term value… Then AI oversight belongs on your agenda. ASAP What’s your board doing to govern AI?

A lot of companies think they’re “safe” from AI compliance risks simply because they haven’t formally adopted AI. But that’s a dangerous assumption—and it’s already backfiring for some organizations. Here’s what’s really happening— Employees are quietly using ChatGPT, Claude, Gemini, and other tools to summarize customer data, rewrite client emails, or draft policy documents. In some cases, they’re even uploading sensitive files or legal content to get a “better” response. The organization may not have visibility into any of it. This is what’s called Shadow AI—unauthorized or unsanctioned use of AI tools by employees. Now, here’s what a #GRC professional needs to do about it: 1. Start with Discovery: Use internal surveys, browser activity logs (if available), or device-level monitoring to identify which teams are already using AI tools and for what purposes. No blame—just visibility. 2. Risk Categorization: Document the type of data being processed and match it to its sensitivity. Are they uploading PII? Legal content? Proprietary product info? If so, flag it. 3. Policy Design or Update: Draft an internal AI Use Policy. It doesn’t need to ban tools outright—but it should define: • What tools are approved • What types of data are prohibited • What employees need to do to request new tools 4. Communicate and Train: Employees need to understand not just what they can’t do, but why. Use plain examples to show how uploading files to a public AI model could violate privacy law, leak IP, or introduce bias into decisions. 5. Monitor and Adjust: Once you’ve rolled out your first version of the policy, revisit it every 60–90 days. This field is moving fast—and so should your governance. This can happen anywhere: in education, real estate, logistics, fintech, or nonprofits. You don’t need a team of AI engineers to start building good governance. You just need visibility, structure, and accountability. Let’s stop thinking of AI risk as something “only tech companies” deal with. Shadow AI is already in your workplace—you just haven’t looked yet.