Who Owns AI Risk? A UK Board Accountability Framework for AI Governance

John Airey
ai-risk-ownership uk-board-accountability raci-ai-governance ai-governance-board-level

Ask five executives in a UK boardroom who owns AI risk and you will get five different answers. The CIO points to the CISO. The CISO points to the DPO. The DPO points to legal. Legal points back to the business.

Meanwhile, AI systems are making decisions about customers, employees and clinical outcomes, and no one has signed the paperwork that states they are accountable when those decisions go wrong.

This is the ownership gap. It is the single most consequential governance failure we see in UK organisations adopting AI, and it is a board-level problem that cannot be solved by IT alone.

Under the Companies Act, directors carry statutory duties that, in our view, extend to risks introduced by AI systems the board has authorised. As UK and EU AI regulation moves through phased implementation, boards that have not assigned ownership will be the ones caught short.

This article is general commentary and does not constitute legal advice. Organisations should seek independent legal counsel on their specific accountability obligations under the Companies Act and applicable AI regulation.

Why AI risk ownership cannot sit with IT

AI risk ownership belongs at board level because the decisions AI systems make are business decisions, not technical ones. When a triage model deprioritises a patient, when a creditworthiness algorithm declines a mortgage applicant, or when a generative tool drafts client correspondence that misrepresents a regulated position, the consequences land on the organisation, not on the IT function that deployed the tool. Clinical AI carries additional regulatory weight, with MHRA and CQC regimes applying beyond the general accountability framework described here.

UK directors hold statutory duties under sections 172 and 174 of the Companies Act to promote the success of the company and to exercise reasonable care, skill and diligence. Our strongly held legal position, consistent with the direction of directors’ duties case law, is that these duties extend to risks introduced by AI systems the board has authorised, whether or not the board was aware of those risks. Delegating operational responsibility is appropriate. Delegating accountability is not.

The practical consequence is that IT-owned AI governance produces predictable failures. Models are approved without business sign-off. Data sourcing decisions are made by engineers who cannot weigh reputational risk. Incident response sits with a team that has no mandate to halt a commercially important system. The board only learns about the AI estate when something has gone wrong, by which point its options are limited to damage control.

The accountability framework: CEO accountable, executives responsible

A workable UK board AI accountability framework starts by separating accountability from responsibility and then assigning both explicitly. The CEO is the accountable owner. This is non-negotiable and should be recorded in the board minutes that establish the framework. Operational responsibility is then distributed across four executive roles, each owning a defined slice of the AI risk surface.

The CISO is responsible for technical risk: model security, adversarial robustness, access controls, and the integrity of training and inference infrastructure. The DPO is responsible for data risk: lawful basis, data minimisation, transfer mechanisms and the rights of data subjects whose information feeds AI systems.

The General Counsel is responsible for legal and contractual risk: vendor terms, indemnity exposure, intellectual property in model outputs and compliance with sector-specific regulation. The Compliance Lead is responsible for assurance and reporting: evidence collection, audit readiness and the mapping of AI controls to recognised standards.

The board itself is consulted and informed on every high-impact system and signs off on the deployment of any AI tool that materially affects customers, employees or regulated services. Quarterly review is the minimum cadence. For high-risk systems, monthly attestation is appropriate until the system is established and its behaviour well-characterised.

Decision gates: where ownership becomes operational

Of course, a RACI matrix (Responsible, Accountable, Consulted, Informed) is only as useful as the decisions it governs. We anchor AI risk ownership to five decision gates that every AI system passes through, and we assign roles to each gate explicitly.

Model approval is the first gate. The business owner proposes the system, the CISO and DPO assess it, the General Counsel reviews contractual exposure, and the CEO signs off. No model enters development without this sign-off recorded.

Data sourcing is the second gate. The DPO leads, the CISO assesses technical risk in the data pipeline and the General Counsel confirms lawful basis and contractual permission. Training data provenance is documented at this stage.

Deployment is the third gate. The CISO confirms technical readiness, the Compliance Lead confirms control evidence is in place and the CEO authorises go-live. Pre-deployment testing results are tabled at this gate.

Monitoring is the fourth gate. Ongoing performance, drift, bias indicators and security events are reviewed monthly by the CISO and DPO, with quarterly board reporting. The Compliance Lead maintains the evidence trail.

Incident response is the fifth gate. The CISO leads technical containment, the DPO leads data subject notification where required, the General Counsel manages regulatory disclosure and the CEO informs the board within agreed thresholds.

Why this matters now: ISO 42001, the EU AI Act and UK assurance

UK boards that adopt a formal AI accountability framework in 2026 will be materially better positioned for the regulatory pressures arriving in parallel. ISO 42001, the AI management system standard, calls for documented top management commitment and clearly defined roles. The framework above is designed to support its clauses, and organisations seeking certification will need this structure in place well before audit and not assembled in response to one.

The EU AI Act is in phased implementation, with provider and deployer obligations coming into force on a staggered timetable. Its territorial scope reaches UK organisations whose AI systems affect EU data subjects or are placed on the EU market. The obligations that are in force, and those that will follow, assume an organisational accountability structure that can sign attestations and respond to regulator queries. UK organisations without that structure will find compliance significantly more expensive and slower to achieve as each phase activates.

UK AI assurance arrangements remain under development following the previous government’s AI regulation white paper, and the eventual shape is not yet settled in statute. Our view is that boards able to demonstrate existing AI risk ownership will face a lighter compliance burden whichever direction the regime takes, while boards retrofitting governance under regulatory pressure will incur the most expensive form of governance there is.

Key questions on AI risk ownership

Who is accountable for AI risk in a UK company?

Under UK company law, the board of directors holds ultimate accountability for AI risk, with the CEO as the named accountable owner. Operational responsibility is distributed across the CISO, DPO, General Counsel and Compliance Lead, but in our strongly held view accountability cannot be delegated below board level. This structure aligns with what ISO 42001 and the EU AI Act expect to find in place.

How should a UK board assign ownership of AI governance?

A UK board should assign AI governance ownership using a formal RACI matrix anchored to specific decision gates: model approval, data sourcing, deployment, monitoring and incident response. The CEO is accountable, the CISO and DPO are responsible for technical and data risk, and the board itself signs off high-impact AI systems and reviews them at least quarterly. Document the framework in board minutes so the assignment is auditable.

Can AI risk ownership be delegated to a Chief AI Officer?

A Chief AI Officer can hold consolidated operational responsibility, but accountability still rests with the CEO and the board. Appointing a CAIO without a board-level accountability framework will not stand up under close scrutiny. The CAIO role works when it sits inside a documented framework, not when it replaces one.

What is the minimum board reporting cadence for AI risk?

Quarterly board reporting is the minimum for established AI systems. High-impact or recently deployed systems should be reviewed monthly until their behaviour is well-characterised. Incident-driven reporting is in addition to scheduled review, not a substitute for it.

Does AI risk ownership apply if we only use third-party AI tools?

Yes. Deployer obligations under emerging regulation - and director duties under the Companies Act - apply regardless of whether the AI system is built in-house or procured. Vendor selection, configuration and use are all board-accountable decisions.

Establishing the framework in your organisation

The organisations we work with are not starting from zero. Most have fragments of an AI governance structure already, usually within their security or data protection functions. The work is to consolidate those fragments into a board-level framework, assign roles explicitly and record the assignments in a way that will satisfy a future regulator or certification auditor.

If your board has not yet formally assigned AI risk ownership, or if the assignment exists on paper but has not been tested against the decision gates above, the next step is a structured readiness review. Book a board-level AI governance readiness review with QL Security to map your current accountability structure against the framework above and identify the gaps that need closing before regulation arrives.

Board-Level AI Governance Readiness Review

Map your current accountability structure against a workable framework. Identify the gaps that need closing before regulation arrives.