While procurement decisions are made below the board level, the decision about if and how an organization will use AI falls within the strategic and governance oversight of the board. Requirements and constraints generally come from five different sources.
First, legal and regulatory requirements — the most obvious source. Companies operating globally face complex compliance challenges. Second, risk management frameworks — sometimes incorporated into law (e.g., NIST publications), but organizations may also adopt them independently. Third, insurance requirements — many professional liability providers now require policyholders to disclose how their organizations use AI.
Fourth, internal policies and economics — driven by external forces or by board and management preferences. Economic considerations may constrain how organizations can realistically procure and deploy AI. Fifth, customer and partner preferences — customers may request specific jurisdictional processing, limiting which models or products an organization can utilize.
Common requirements across these sources include data governance and security (encryption at rest and in transit, data processing rules, retention and deletion policies), access control and monitoring (authentication, authorization, audit trails), and operational resilience (business continuity and disaster recovery planning).
Human resources and third-party management requirements include personnel vetting, training, and third-party vendor management — especially important for AI solutions that integrate open source software and multiple service providers. Risk management requirements include insurance practices and intellectual property rights policies.
By understanding these common requirements, board directors can provide more effective oversight of AI initiatives. These requirements should be viewed not just as compliance hurdles but as areas where boards can add value through strategic guidance and risk management.