Issue #9 - Board, Are You Ready for AI Unknowns?
Just in the past ten days, the AI governance drumbeat has grown impossible to ignore.


Hey High Stakers,
Good morning and welcome to the 9th issue of High Stakes!

1‑Minute Briefing 🍳
Just over the last month, three fresh signals are driving Boards to rethink how they are dealing with AI governance. They are Data, Legal pressure, and Regulation.
These signals explain why your Board now wants a “live” AI scorecard every quarter.
The rest of this brief shows what belongs on it, who owns it, and how to keep experiments alive without lighting the budget on fire.
Why this landed on the board agenda this month
Three developments, essentially.
6 May 2025 (ModelOp Governance Benchmark): 86 % of enterprises still juggle AI KPIs in spreadsheets, while 36 % have already ring‑fenced >£800k a year for proper governance tooling.
13 May 2025 (Bloomberg Law alert): Directors were told that shuffling AI risk to the audit committee is no longer defensible; full‑board ownership is fast becoming table stakes.
22 Apr 2025 (EU AI Office draft guidance): Early language spells out board‑level obligations ahead of the AI Act’s August 2025 milestone, raising the compliance bar for anyone selling into Europe.
Those three signals, fresh data, legal commentary, and looming regulation, explain why boards now demand an AI progress scorecard every quarter.

Why this has escalated to board level
Run‑rate spend ≠ realised value. Token and GPU invoices are compounding 40–60 % QoQ while P&L impact lags.
Diffused ownership. CIOs, COOs, and CDOs each own slices of the stack; none own the outcome.
Incoming regulation. EU AI Act, UK DSIT white paper, SEC disclosure rules are just some incoming fire. Passive oversight is no longer defensible.
Boards must now balance rigour (for material spend) with optionality (for moonshots that may reset the business model).
So, then, how should Boards balance this rigour with flexibility? Rather, to be specific, what 5 KPIs will be appropriate AND survive an audit?

The 5 KPI families that survive an audit
To stand the test of the rigour vs. flex trade-off, I have provided the KPI interpretations for mature workloads (more supervision makes sense in these) vs. for frontier experiments (be more ‘open’ to experiments here).
Adoption
• Mature workloads: percentage of core roles using copilots at least three times a week.
• Frontier experiments: number of pilot users / agents active in a sandbox.
Impact
• Mature: change in cost‑per‑decision against the pre‑AI baseline.
• Frontier: leading indicator, say, revenue generated per 1 k agent API calls.
Risk
• Mature: ratio of red‑team exceptions closed vs raised.
• Frontier: catalogue of identified failure modes plus containment tests executed.
Governance
• Mature: percentage of models clearing a policy‑as‑code gate.
• Frontier: evidence that an end‑to‑end audit trail can be captured, even in prototype form.
Financials
• Mature: token spend per £ of gross margin created.
• Frontier: keep discovery burn below 1 % of digital capex.
While you read these, note that no single function can own all five.
A cross‑functional RACI (meaning who is Responsible, Accountable, Consulted and Informed), preferably anchored by the COO, is table stakes.

Accountability & Cadence
Among the C-suite, the interplay of who owns what needs to be broadly clear.
I’d go with:
COO: workforce adoption & productivity
CFO: ROI arithmetic & pay‑back governance
CISO / General Counsel: risk, compliance & incident trend
CTO / CDO: model quality, tooling health, drift watch
Cadence?
Live dashboards daily >> should lead to exec committee monthly meetings >> taken to Board quarterly.

Budget gating in practice
What does this kind of governance look like in reality?
I know of one £9 bn revenue global services firm that now refuses funding for any AI proposal that lacks:
A baseline KPI set and target trajectory.
A pay‑back period < 12 months, signed by the CFO, or a learning metric for discovery‑stage bets.
A named P&L owner.
A risk‑clearance ticket from the CISO.
This has resulted in a 47 % reduction in zombie pilots and £30M-odd re‑deployed to high‑velocity use cases.
But then, what if you want to “try out” a moonshot that you have heard your competitor is in stealth with?
How not to be bogged down by AI governance for its own sake?
Let’s take a scenario to kick the tyres.

Moonshot: "B2A" (Business‑to‑Agents) lands on the agenda
Scenario: Your Head of Tech comes into the Board all hot and bothered and says that B2B, B2C are all fine, but B2A is going to be big.
She explains B2A: In the not-so-distant future, agents will do more browsing and transactions than humans. We have to get our front-facing infra ready for them, she says. She wants some urgent funding to treat autonomous software agents as a genuine customer segment. With her deep experience on the tech and customer side, the last thing that the Board wants to do is to give this idea short shrift.
She proposes the below concrete structure for the Board’s scrutiny.
Aim: The project will expose catalogues and APIs so that agents can buy, sell, and orchestrate on the platform with minimal human touch, with the below goal posts:
Adoption: at least 25 verified third‑party agents transacting in a sandbox, to be interpreted as proof of real demand.
Impact: gross margin per 1 k agent API calls must rise faster than token cost.
Risk: block ≥ 95 % of malicious‑agent incidents (spoofing, denial, spam, etc.).
Governance: log and attribute 100 % of agent interactions so every handshake is auditable.
Financials: keep discovery spend < £2 m and under 1 % of digital capex.
The Board deliberates and comes up with this recommended stance:
(timed sprint with pre-agreed KPIs to avoid being gamed) Approve a 6‑month, capped discovery sprint tied to the proxy KPIs above, but not an open‑ended build.
(cross-functional) Make it cross‑functional from Day 1 (COO + CFO + CISO + CTO) so IT isn’t left carrying strategic risk alone.
(production level risk mitigation) Launch in a low‑stakes business unit (e.g., aftermarket parts) to avoid PII and systemic revenue streams while experiments run.
(go/no-go in the calendar) Schedule a formal go / no‑go at the next quarterly AI review. If ≥80 % of proxy KPIs are met, green‑light Phase 2; otherwise sunset.
This preserves optionality for breakthrough upside while keeping spend, risk, and organisational shock inside board‑approved guardrails.
This said, I do want to close on the note of 5 additional insights for Boards to ponder when they meet next.

Five board questions for the next quarterly agenda
Which AI use cases will self‑fund within 12 months, and how will we track that?
Where do frontier bets (like the B2A one we mentioned above) sit on our scorecard, and what’s the discovery cap?
How many models or agents failed the policy‑as‑code gate last quarter, and why?
What is our cost‑per‑decision trend against GPU & token inflation?
Who loses bonus if these numbers stall?

🔓 Free takeaway pack
For our consulting practice at Stack, we have built the below three artefacts. Ask me nicely, and I will send them over.
15 KPIs that boards currently understand, and migrating them to “AI” KPIs
Case story: the scorecard that saved £2 m
Red‑flag checklist: What can help spot failure early

What metrics are you showing your board?
Drop one KPI in the comments or DM for the template pack.
Best,
Srini
P.S. If this sparked ideas on how to make AI governance real (not just theatre), share it with your CFO, COO, or General Counsel. It might just change how your next AI pilot gets funded or killed.
Coming up next week: What's the state of the nation on Co-pilot Adoptions?
