Nine Questions to Ask About AI Risk

As AI becomes integral to business operations, companies must establish clear governance, accountability and oversight mechanisms to mitigate risks like bias and inaccuracies, ensuring responsible deployment and compliance.

Key Highlights

  • Develop a comprehensive AI policy that clearly states your company's AI philosophy, obligations and accountability structures.
  • Assign responsible leaders, such as a chief risk or privacy officer, to oversee AI outcomes and ensure human oversight in high-impact decisions.
  • Maintain detailed documentation, audit trails and testing results to verify AI accuracy, bias mitigation and security measures, making them accessible for audits or regulatory reviews.
  • Regularly inventory AI applications across the organization, assess their risk levels, and conduct quarterly vendor and partner AI usage reviews.
  • Create protocols for human review and override of AI decisions, especially in high-stakes scenarios, and ensure transparent communication of AI decisions to stakeholders.

AI is no longer a lab experiment but a true, operating infrastructure. And it’s evolving at heart-palpitating speeds.

Alongside its opportunities, AI carries risks: inaccuracies, biases and security concerns that can harm your company and your customers. Factor in the mysteriousness of how AI decisions are made and a lack of explainability, and you’ll have a hard time describing what went wrong and why.

Despite this, a 2026 Grant Thornton survey of 950 businesses found that most executives lack confidence that they could pass an independent AI audit within 90 days. 

While most boards have approved major AI investments, less than half have set governance expectations, and even fewer have made AI risk a subject of regular oversight, according to the survey.

This raises the question: Are you asking the right questions as your company dives deeper into AI?

As an AI expert, Shannon Woods, the Chief Legal and Chief Compliance Officer at The Mutual Group, a Bain Capital Insurance Solutions portfolio company, suggested the following line of questioning:  

What is the AI philosophy?

Every company should have an AI policy in place, if not a full AI program, that identifies the company’s philosophy, obligations and who is accountable to whom.

Companies with a governance gap lack the discipline to identify who owns, validates, monitors and is accountable for the AI model when it impacts customers or final outcomes, Woods said.  

“You can’t just create and stand up a policy. You actually have to live it,” said Woods.

Who is accountable for owning your AI outcomes?

Leadership should be able to name the person or people responsible for AI outcomes. Note: This shouldn’t be a small group within IT, but executives or another point person prepared to speak to the board about what they’re seeing.

What human oversight is there to ensure decisions are made correctly?

There should always be a human in the middle of a high-impact decision. This oversight should ensure your AI isn't drifting off course, introducing bias or making decisions that don’t make sense. The human in the middle also verifies that decisions look right.

Oversight roles can vary depending on a company's AI journey. Early on and without a budget for a dedicated role, this could fall to executive leadership, with each leader responsible for AI oversight on their respective teams.

Organizations with more mature AI growth programs might have a dedicated AI role, such as a chief risk officer or a chief privacy officer. This person is also responsible for ensuring that the company’s AI philosophy guides how AI is actually being implemented.

How are you documenting, monitoring and providing oversight for AI use? Do you have audit trails? Ask to see documentation, policies, audit trails and the outcomes.

If a regulator comes into your business or you have to provide proof that AI is working as intended, can you explain it? Can you document it?

Your company should test the models to ensure that potential negative outcomes, such as inaccuracies, bias and security concerns, are corrected and do not seep into actual decisions that affect your business or your customers.

Teams should not only test these models to guard against problems but also provide clear documentation and audit trails of the outcomes of those audits and what actions were taken to correct errors. Woods recommends saving those documents indefinitely for historical reference.

When is human review required, and when do humans have the ability to override a decision?

AI is evolving so quickly that the answer to this question will likely change each time your board meets (if meeting quarterly). The answer you’re looking for is that there’s a person in the middle reviewing high-impact decisions who has the ability to raise a flag anytime they see something that seems a little off.

“If I were a board member and the answer that came back to me was, 'We just trust AI is functioning as intended,’ that would be a signal to me that there’s a problem and a deeper discussion is necessary,” she said.

Are AI usages inventoried and risk-ranked?

Where within your organization is AI being used? In what ways is it being used? This should be inventoried, along with its risk rank.  

Is a particular use of AI high-risk, medium-risk or low-risk? Your company should have definitions of what each level entails, so new AI use cases can be easily ranked, inventoried and taken into consideration.

Are you routinely checking with vendors, partners, third parties and internally about using AI?

With the swift evolution of AI, your vendors’ adoption and approaches are likely to grow over time.

Your AI inventory should include your vendors, with quarterly check-ins to ask how they are using AI in what they provide to your company. Even if they didn’t use AI several months ago, they may now.

“We need to understand exactly how it’s being used so that we can perform a risk assessment to identify where it falls in our risk appetite relative to AI,” Woods said.

What protection is there from the vendor?

Protection doesn’t necessarily mean indemnification if something goes wrong (although that would be nice). But if something does go wrong, what contractual protections is the vendor required to provide to ensure their AI is functioning as intended?

How would we explain an AI-driven decision to a customer, regulator or board member?

If your team thinks through a lens of how they would explain an AI-driven decision to a customer, a regulator or a board member, “then we're always going to make the right decision and the right choice, because we are creating the right historical tracking to ensure that we can answer those questions,” she said.

 

About the Author

Andrea Zelinski

Contributor

Andrea Zelinski is an award-winning freelance journalist with a passion for translating complex issues, trends and strategies into clear, engaging content to help people improve their businesses and their lives. 

She spent 15 years as a political reporter covering state governments in Illinois, Tennessee and Texas, reporting from the halls of state capitols for publications including Texas Monthly, the Houston Chronicle and the San Antonio Express-News. In 2021, she shifted her focus to business journalism, joining Travel Weekly as senior cruise editor, where she covered the travel industry’s recovery from the COVID-19 pandemic. 

When not reporting, Andrea is probably hiking. Known for embracing ambitious challenges, she hiked the entire Appalachian Trail in 2020 and the Pacific Crest Trail in 2025. 
