Insights | 08 July 2026
AI governance: directors’ duties
Directors have a duty to lead and oversee the use of artificial intelligence (AI) in their organisations: in this Insight we outline critical measures for effective AI governance.
Takeaway: To achieve good AI governance, Boards will need to comply with the forthcoming EU AI Act, which includes obligations regarding AI risk management, data governance, transparency, and human oversight. Best governance practice in turn requires close alignment with corporate values, purpose and business strategy, developing internal expertise through training, and establishing specialised oversight responsibility and authority.
Key AI risk categories
- The widespread deployment of AI by organisations is accompanied by tangible risk to privacy, reputation and property – as evidenced by the recent cases involving false AI-generated statements (“hallucinations”).
- High-risk AI categories include AI tools used in recruitment and employment – for example, systems that screen candidates, make decisions on promotions or evaluate employees – since these systems may significantly affect individuals’ livelihoods, perpetuate legacy discrimination patterns, and undermine privacy and data protection. Likewise, any impairment in AI systems operating critical infrastructure (road traffic, water, gas, electricity) may endanger health and safety, damage critical infrastructure and cause disruption to societal and economic activity.
- These risks will intensify with the use of AI agents, which can autonomously plan, co-ordinate and execute complex tasks over extended periods of time – with limited human intervention. AI risk assessment (i.e. identification, analysis and evaluation of AI risk), and AI risk treatment (i.e. risk avoidance or mitigation) are a core oversight responsibility of Board members and senior executive management.
- Specific AI risks include data bias – notably where incomplete, inaccurate, or non-representative training data produces skewed outputs or creates systemic discrimination – or decision-making risks, in particular, overreliance on AI-generated outputs which, if not adequately overseen by humans, can lead to false or flawed decisions.
Regulatory framework:
- EU AI Act – applicable as of 2 August 2026
- The EU AI Act (Regulation (EU) 2024/1689) introduces a harmonised regulatory framework governing the development, marketing and use of AI across the EU. Its scope is broad, extending not only to EU companies but also to providers and deployers established outside the EU (including Switzerland), where AI-generated outputs are used within the EU
- The EU AI Act adopts a risk-based classification of AI systems whose regulatory requirements depend on the level of risk to health, safety, and fundamental rights involved. The framework distinguishes four levels of system risk – unacceptable, high, limited, or minimal.
- AI systems that present an unacceptable level of risk are prohibited as they can seriously undermine fundamental rights. Prohibited systems include manipulation, exploitation of vulnerabilities, social scoring, creation of facial recognition databases through untargeted image scraping, or emotion recognition in workplaces or schools.
- High-risk AI systems are AI applications used in critical infrastructures, in education, as safety components of products, or in employment contexts. Such systems are subject to an extensive set of regulatory obligations, with a view to proper risk management, data governance, documentation, transparency, and human oversight (see below for more detail).
- Most importantly, AI systems must enable human oversight, allowing operators to monitor and control AI outputs, thereby maintaining a layer of human judgement and accountability.
- Providers must establish, document and maintain a continuous and robust risk management process regarding risks to health, safety and fundamental rights.
- Data governance requires that providers must ensure that datasets are relevant, sufficiently representative, free of errors and complete in view of the intended purpose.
- Record keeping entails that AI systems must maintain automated logs throughout their operation to enable traceability, monitoring and effective oversight. In addition, the transparency requirement demands that decision-making processes for AI systems are sufficiently understood by users and that AI-generated outputs lacking human review and responsibility are clearly labelled as such.
- Swiss framework
- Switzerland currently does not have an AI-specific regulatory framework. Article 21 of the Swiss Data Protection Act contains provisions relevant to automated decision-making and is the closest existing Swiss legislation addressing AI-related issues.
- AI governance forms part of Directors’ duties of care under the Swiss Code of Obligations (“CO”). Under Article 716a CO, the Board of Directors has a non-transferable obligation to supervise the persons entrusted with managing the company, specifically with regard to compliance with the law. This includes determining whether the EU AI Act applies to the company’s activities, namely where AI-generated outputs are used in the EU.
- Best practice
- Good AI governance does not require a new governance framework; rather, it builds on established principles of sound corporate governance and adapts them to the specific risks and impacts introduced by AI. Against the background of ISO Standard 37000 – Governance of organizations, all organisations should define the role and purpose of AI and use this as a basis to shape strategy, accountability and oversight.
- ISO/IEC Standard 38507 – Governance implications of the use of artificial intelligence by organizations provides practical guidance on the governance of AI and its integration into existing governance structures. Key areas include ensuring that decision-makers possess a sufficient understanding of AI systems, establishing appropriate oversight of AI-generated outputs, robust data governance and safeguards for sensitive information, and alignment of the behaviour and use of AI systems with the organisation’s values, culture and objectives.
- In addition to general governance principles, specialised standards such as ISO/IEC Standard 42001 – Artificial intelligence management systems offer guidance on the establishment, maintenance and continual improvement of an Artificial Intelligence Management System (AIMS).
- From a data governance perspective, it is also worth noting the recently-updated provisions on automated individual decision-making in Arts. 22A–22D of the UK Data (Use and Access) Act, which require individuals to be informed of automated decisions and provide rights to make representations, obtain human intervention, and contest the automated decision.
Recommendations for governing bodies
AI can create substantial business value and reduce risk, but its use must be well governed and overseen. Boards should address the following areas:
- Strategic integration: define where and how AI may be used within the company’s operations and establish governance and technical guardrails – such as prompt filters – to align AI with business objectives and values.
- Regulatory compliance: assess the applicability of the EU AI Act and other relevant frameworks, identify compliance obligations, and implement policies, controls and further governance measures to address them.
- Governance structure: assign clear responsibilities for the development, deployment and oversight of AI. A dedicated AI steering group can support effective AI governance implementation and performance measurement.
- Risk management: AI-related legal, operational and technical risks should be assessed and treated as part of the overall enterprise risk management (ERM).
- Data governance: map and classify all data the AI model can access. Develop and review robust controls and policies to ensure the quality, reliability, security and lawful use of data used to train, test or operate AI systems.
- Human oversight: identify critical decisions that must not be taken solely by AI and must remain subject to appropriate human review, and ensure that AI-generated outputs are always subject to human challenge and correction.
- Documentation and control: implement adequate documentation, record keeping and audit trails to enable transparency, oversight and accountability.
- Invest in training and awareness: provide role-based training for Boards, senior management and employees, including guidance on risk, regulatory obligations, data handling and output evaluation.
Back to listing
“High-risk AI systems shall be designed and developed in such a way […] that they can be effectively overseen by natural persons during the period in which they are in use. (Regulation (EU) 2024/1689, Art. 14 para. 1) ”

