This website uses cookies

Read our Privacy policy and Terms of use for more information.

Something notable happened in AI governance this month that had nothing to do with this newsletter. The National Association of Corporate Directors told US boards, in a formal published guide, to integrate AI risk into enterprise risk management, assess directors' own AI competence, and update committee charters so that accountability sits at the governance structure level rather than in informal practice. An independent analysis in Tech Policy Press argued that most governance frameworks are looking in the wrong place entirely, watching for a human to override a system at runtime rather than examining the design and authorisation decisions that determined whether the system should have been deployed at all. And the UN's own scientific panel on AI used the word accountability sixteen times in a single report delivered at its Geneva dialogue this month.

None of that is this newsletter's argument being borrowed. It is three separate institutions, working independently, arriving at the same place this newsletter has been arguing since March: that AI governance fails or succeeds on whether a specific person can be shown to have made a specific decision, not on whether a policy document describes who should have.

What none of the guidance addresses

Read the NACD guidance closely and it stops exactly where the hard question starts. Update the committee charter. Assign the owner. Run the competence assessment. All of that produces a governance structure. None of it produces evidence that the structure was operating on the day a specific decision was made. A charter that names an accountable executive for AI risk, updated in July 2026, tells a regulator who should have reviewed a March deployment decision. It does not tell them whether that review happened, what was decided, or when.

This is precisely the distinction the Tech Policy Press analysis reaches from a different direction. Runtime overrides get logged because the system generates the log automatically. Design and authorisation decisions, the ones that actually determine whether deployment should have happened, are rarely logged with the same rigour, because nobody built an automatic system to timestamp a human being's judgement call. The accountability gap is not a failure to name an owner. It is a failure to capture, at the moment it happened, evidence that the owner did the job the charter says they are responsible for.

Where this lands with two weeks to go

The Article 50 deployer obligations, disclosing AI interaction to a natural person, labelling deepfakes, flagging AI-generated public interest content, come due on 2 August. Every board that has spent this month updating a charter in response to guidance like NACD's now has a genuinely useful test available to it. Not "have we named an owner," which almost every board reading this newsletter can now answer yes to. The test is narrower and harder: for an Article 50 deployer obligation that already applies, is there a dated record showing the named owner reviewed that specific compliance question before 2 August, not a policy statement asserting that they generally would.

Most organisations will be able to produce the charter. Far fewer will be able to produce the record.

There is a further distinction inside that record worth naming, because it is the one that decides contested cases. A date the organisation asserts about itself and a date anchored to something outside the organisation's control are different evidentiary categories. Board minutes, internal decision logs and document management systems all carry dates the organisation itself generated and could, in principle, have generated later. That is a claim about when the review happened, and a claim is what a regulator or a claimant's counsel is instructed to test rather than accept. A record whose date is fixed by something the organisation does not administer, a regulatory filing, an external attestation, a cryptographic timestamp held by a third party, is not making the same kind of claim. Most governance documentation programmes currently underway are optimised for completeness. Very few are optimised for who could vouch for the date if it were challenged.

The wider pattern worth naming

Global accountability language is having a moment. It appeared sixteen times in a single UN report this month, and it is the organising word in the NACD's new guidance. Language converging on a concept is not the same as infrastructure converging on a practice. The gap between the two is where the next round of enforcement findings will land, in the UK under Companies Act 2006 section 174 as much as anywhere else, because a director's duty of reasonable care and skill is tested against what they actually did, evidenced and dated, not against what a charter says they were responsible for.

Regulatory references: EU AI Act Article 50(1), 50(3), 50(4), 65; Companies Act 2006 section 174; NACD Director Essentials: Implementing AI Governance (2 July 2026), cited for comparative governance context.

The Roche-Review is the weekly publication1 of Dr Ivan Roche FRSSy FRSA MInstP, Founder of Otopoetic Limited. Subscribe at roche-review.com.

1  

Keep Reading