Last week's edition of the Roche-Review established the governance illusion: the board that believes it is governed because it has a policy, a committee, and an approved framework, but cannot produce a forensically reconstructible record of any specific AI-assisted decision, is in a more dangerous position than a board that knows it is exposed. The former has the confidence of compliance without the substance of control.
That argument was aimed at boards generally. This edition narrows the question to one specific role: the Non-Executive Director.
A NED who has approved an AI governance framework has fulfilled a procedural obligation. A NED who has verified that the framework produces a reconstructible decision record has fulfilled a governance requirement. On 2 August 2026, the EU AI Act begins to enforce the distinction between the two. Sixty days remain.
The Verification Obligation
The Companies Act 2006 section 174 duty of care requires that a director act with reasonable care, skill, and diligence, having regard to the knowledge and experience that may reasonably be expected of a person in that position. For a NED with technology oversight responsibilities, that standard has a specific implication under the EU AI Act: a NED cannot discharge the duty by mere approval. The duty requires verification.
The FCA SM&CR Senior Manager accountability provisions impose the same logic on regulated firms. A Senior Manager who has approved a governance arrangement is not automatically accountable for its failure, provided they took reasonable steps to satisfy themselves that the arrangement was adequate. Taking reasonable steps to satisfy yourself that an AI governance framework is adequate means testing whether it meets the regulatory requirements, not reading a summary that says it does.
Those two pieces of legislation together define the NED's specific governance obligation before 2 August: to verify, from the evidence, that the AI systems the board has authorised are operated in a way that would withstand regulatory examination.
That is not a technology question. It is a governance question, and the NED is the right person to ask it.
Where Most Boards Currently Stand
Last week's article described the four questions that determine a board's actual exposure under the Act. To summarise: has every high-risk AI system been identified; does a continuous, complete log exist for each; is that log forensically reconstructible from the record alone; and has the board reviewed it as a live output rather than a governance summary?
Most boards, when asked those questions honestly, find they can answer the first with reasonable confidence and the remaining three with significant uncertainty.
The uncertainty is not a function of negligence. It is a function of the gap between governance intent and governance infrastructure. A board can approve an AI ethics policy that is genuinely intended to govern how AI systems operate and still have no log that meets the Article 12 post-hoc reconstruction standard. The policy is real. The intent is real. The infrastructure that would make both defensible may not exist.
That gap is where the NED's verification obligation sits.
Five Dimensions of Governance Maturity
Verifying your organisation's actual position requires a structured assessment rather than a single audit question. The following five dimensions map the full scope of the EU AI Act's requirements and provide a framework for the NED to identify gaps.
Accountability. Is there a named individual at the board level who is accountable for the governance and performance of each high-risk AI system? Accountability is not the same as responsibility for the technology. It is responsibility for the record: ensuring that the system's operation is documented in a way that can be examined.
Exposure. Have all AI systems the organisation operates that fall within the Act's high-risk categories been identified and classified? The categories are specific: credit scoring, employment screening, benefits determination, access to essential services, critical infrastructure control, and educational assessment. If classification is incomplete, exposure is unmeasured.
Control. Does the technical and procedural infrastructure exist to produce a continuous, time-stamped log of inputs, transformations, model outputs, and human oversight actions for each identified system? Control is not present until the log exists and has been tested.
Regulation. Has the organisation determined precisely which Articles apply, by jurisdiction, entity type, and system classification? The Act imposes different obligations on providers and deployers, on EU-established and non-EU entities, and on different risk classifications. Regulatory clarity is a precondition for compliance.
Maturity. At what level is governance currently operating? Procedural governance means policies exist and have been approved. Operational governance means logs are captured. Reconstructive governance means logs are forensically auditable. Strategic governance means the board reviews live decision records, not summaries. The Act requires at least the third level for high-risk systems after 2 August.
A NED's verification task before the summer recess is to establish, for each of these five dimensions, the organisation's current position and the gap between that position and the Article 12 standard.
Operationalising the Assessment
The Otopoetic Compliance Clock provides a structured diagnostic tool for this assessment. Select your jurisdiction, entity type, and the risk classification of your systems. The Clock maps the applicable Articles, shows the time remaining to each deadline, and provides a governance readiness baseline against the five dimensions above.

Once you have mapped your organisation's exposure using the Clock, the four-question audit from last week's edition becomes a verification checklist rather than an open inquiry. The questions are the same. The purpose is different: you are not asking them to discover your position, you are asking them to confirm or challenge the position the Clock has identified.
If the answers to the four questions align with the Clock's assessment, the NED has a consistent picture. If they diverge — if the technology team believes logs are complete but the board has never reviewed them as a live output — the divergence is itself a governance finding that belongs in the board record.
The Contemporaneous Record
A NED who completes this assessment before the summer recess and documents the findings in writing has created something that did not exist before: a contemporaneous record that the board understood its obligations and acted on them within the available window.
That record should specify which systems have been identified and classified, the current position on each of the five dimensions, the gaps between the current position and the Article 12 standard, the actions commissioned to close those gaps, and the timelines established.
This record does not solve the underlying problem. If logging infrastructure is absent, the record does not serve as a substitute for it. But it demonstrates, in any subsequent regulatory examination, that the NED discharged the verification obligation — that they did not simply approve and assume. Under section 174, that distinction is where personal liability is assessed.
A board that knew and acted is in a different position from a board that knew and did not. For many boards, the summer recess is the last window in which the former position is still achievable.
The Next Step
If the five-dimensional assessment reveals gaps, the sequencing of remediation matters. Not every gap carries equal regulatory risk, and not every gap can be closed before 2 August.
An organisation that has not identified its high-risk systems faces greater immediate exposure than one with incomplete logs. An organisation with no board-level review of decision records carries greater exposure than one whose logs are not yet fully reconstructible. Prioritisation requires knowing which dimension is most deficient.
The Otopoetic Governance Classification assessment structures that prioritisation across the five dimensions and produces a governance address — a specific position on each axis — rather than a single maturity score. It identifies which gaps carry the highest regulatory risk, which can be closed before the deadline, and which require a documented remediation plan extending into Q3 and Q4.
For board appointments, governance advisory, or to discuss your organisation's position under the EU AI Act, the appropriate starting point is a conversation rather than a document: otopoetic.com.
Closing
The EU AI Act does not examine governance intent. It examines governance evidence.
Sixty days remain before that standard applies. The summer recess begins in approximately four weeks. A NED who uses those four weeks to verify, rather than assume, will be in a categorically different position after 2 August than a NED who did not.
That is the obligation. It belongs to the role.
Dr. Ivan Roche FRSS FRSA MInstP Founder and Principal Advisor · Otopoetic Limited · Belfast

