Board AI Governance Check
10 questions that reveal your organisation's actual AI governance posture. Each question maps to a specific regulatory obligation. Takes 2 minutes. Share the result with your board.
Does your organisation maintain an inventory of all AI systems in production, including who owns them and what decisions they make?
For AI systems that affect customer outcomes — credit decisions, claims, welfare assessments — can you reconstruct exactly what the system decided and why, for any individual, within 24 hours?
Has your board been briefed on your three highest-risk AI systems in the past 12 months — including their failure modes and the regulatory exposure each represents?
Do you have a documented process for detecting when an AI model's outputs have degraded or shifted — with defined thresholds that automatically trigger human review before the degradation reaches the customer?
When your AI systems make high-stakes decisions — credit approval, fraud flags, claims processing, welfare payments — is there a human checkpoint before the decision takes effect on the customer?
Has your organisation ever tested what happens when an AI system receives adversarial or manipulated inputs — inputs deliberately designed to produce incorrect or harmful outputs?
Do you have a documented AI incident response plan — tested within the last 12 months — with defined escalation paths and notification timelines to the board and regulators?
Can you demonstrate to APRA or the OAIC that AI systems procured from third-party vendors meet your organisation's risk classification, governance, and data handling requirements?
Does your organisation have a defined approval process for new AI use cases — including risk classification, ethics review, and documented sign-off authority before deployment?
In the event of a material AI failure today — incorrect outputs at scale — could your technical team roll back to a previously validated model version within 4 hours without data loss?