Navigating AI Adoption and Cybersecurity Oversight
Publish Date: 2026-02-16 09:26:00
Source Domain: www.directorsandboards.com
As boards prepare for 2026, AI has moved from a peripheral technology discussion to a central strategic imperative. According to the National Association of Corporate Directors’ (NACD’s) “2026 Governance Outlook,” AI ranks among the top trends directors foresee having the greatest impact on organizational performance, alongside shifting economic conditions and competition for talent. Yet this accelerated adoption of AI brings with it an inextricable companion: heightened cybersecurity risk.
The convergence of these two forces creates both unprecedented opportunity and significant exposure. NACD survey data revealed that more than 62% of director respondents now set aside agenda time for full-board AI discussions, a dramatic increase from prior years. Simultaneously, 77% of boards have discussed the material and financial implications of cybersecurity incidents — a 25-percentage-point jump from 2022. These parallel trends underscore a fundamental truth: AI and cybersecurity governance can no longer be treated as separate oversight domains.
As Peter Gleason, president and CEO of the NACD, observed, “Today’s boardroom is at a strategic inflection point. The rapid convergence of cyber risk, AI disruption and economic volatility demands a new level of board fluency and foresight.”
The Dual Nature of AI
Understanding AI’s dual role in cybersecurity is essential for effective board oversight. The NACD-ISA AI in Cybersecurity Supplement characterizes AI as both a “force multiplier” that enhances defensive capabilities and a “risk multiplier” that empowers adversaries. On the defensive side, AI can reduce false positives in threat detection, identify anomalies faster than human analysts and automate incident response at machine speed. Research indicates that organizations extensively using AI in security operations have achieved an average $1.9 million reduction in cost per data breach.
However, cybercriminals have equal access to these powerful tools. As Jen Easterly, former director of the Cybersecurity and Infrastructure Security Agency, warned, AI “will exacerbate the threat of cyberattacks … [by making] people who are less sophisticated actually better at doing some of the things they want to do.” Generative AI has enhanced social engineering attacks, enabling threat actors to create highly realistic phishing emails and deepfakes. The World Economic Forum’s “Global Cybersecurity Outlook 2026” reports that deepfakes have become the second most common type of cybersecurity incident, behind only malware. While some figures may be overstated, the overall trend is clear: AI will increasingly be used by both sophisticated and inexperienced attackers in the future.
A December 2025 McKinsey report underscores the governance gap: while more than 88% of organizations report using AI in at least one business function, only 39% of Fortune 100 companies disclosed any form of board oversight of AI. Even more telling, 66% of directors report having “limited to no knowledge or experience” with AI, and nearly one in three say AI does not even appear on their board agendas.
The Business Case for Integrated Governance
The financial implications of getting this right are substantial. A 2025 MIT study found that organizations with digital- and AI-savvy boards outperform their peers by 10.9 percentage points in return on equity, while those without such expertise fall 3.8% below their industry average. This performance differential reflects the board’s ability to guide strategic technology investments while maintaining appropriate risk guardrails.
The regulatory landscape further reinforces the need for integrated oversight. The SEC’s 2026 examination priorities have elevated cybersecurity and AI concerns above cryptocurrency, which dominated regulatory attention for the previous five years. In Europe, the Digital Operational Resilience Act (DORA) has been in force since January 2025, establishing mandatory technical controls and governance requirements. The EU AI Act continues its phased implementation, with obligations entering force according to risk categories. Meanwhile, the National Institute of Standards and Technology (NIST) released a preliminary draft of its Cybersecurity Framework Profile for Artificial Intelligence in December 2025, providing organizations with a roadmap to manage AI-specific risks by mapping the core functions of the NIST Cybersecurity Framework 2.0 to AI environments.
These developments signal that regulators view AI and cybersecurity as inherently linked governance responsibilities. Boards that fail to establish structured oversight mechanisms risk both regulatory exposure and competitive disadvantage.
Key Actions for Board Oversight
Drawing on guidance from NACD, McKinsey and the Harvard Law School Forum on Corporate Governance, directors should consider the following governance actions:
Establish clear committee responsibilities. Boards must explicitly define which AI and cybersecurity topics belong to the full board, which belong to specific committees and which are operational matters for management. NACD data shows around 40% of companies now charge at least one board-level committee with AI oversight responsibilities, almost four times the 11% that did so in 2024. The audit committee remains the primary location for cybersecurity oversight at 78% of companies. However, as AI adoption accelerates, boards may benefit from establishing dedicated technology committees or revising existing committee charters to address the convergence of AI and cyber risk. While large financial services companies often have dedicated risk committees, in most companies, the audit committee bears the brunt of compliance, legal, cybersecurity and now AI risk. Boards should consider how to distribute the workload so that these topics receive the attention they deserve.
Adopt a board-approved AI governance framework. Fewer than 25% of companies have board-approved, structured AI policies, according to NACD survey data. A credible framework should specify risk thresholds requiring human sign-off, vendor and data guardrails, and escalation triggers that determine what incidents reach the board and how quickly. The framework should integrate AI-specific risks into the organization’s formal risk appetite and tolerance statements, as recommended by the new NIST Cybersecurity AI Profile.
Ensure adequate board AI and cyber fluency. Directors must develop sufficient understanding of AI technologies and cybersecurity risks to exercise effective oversight. This may involve AI-related training, regular briefings from the chief information security officer (CISO) and chief data officer or engagement with independent third-party technical advisors. The NACD recommends that boards invest in AI-related training opportunities from trusted sources and consider recruiting directors with relevant technology expertise. Close to half of S&P 500 companies now mention AI in their descriptions of director qualifications, a significant jump from 26% in 2024.
Require quantitative risk reporting. Only about 15% of boards currently receive AI-related metrics, according to NACD data. Boards should require management to quantify both the potential opportunities and risks associated with AI adoption. This includes impact measurements such as return on investment by business unit, percentage of processes that are AI-enabled, resilience indicators, workforce reskilling progress and regulatory alignment. Quantitative metrics should be accompanied by judgment, tradeoff analysis and the investment case for board review. For cybersecurity, 47% of directors indicate that improving the quality of reporting and metrics is very or extremely important for their board’s cyber-risk oversight.
Address third-party and supply chain risks. The proliferation of third-party AI tools introduces new risks not seen in traditional software, including unpredictable performance over time and potential vulnerabilities in the AI supply chain. NACD survey data reveals 47% of directors identify selecting the right AI tools as a current challenge. Boards should ensure that procurement processes adequately evaluate AI vendors for security, privacy and ethical compliance. The new NIST framework specifically addresses cybersecurity supply chain risk management for AI systems.
Strengthen the board-CISO relationship. As McKinsey and NACD emphasized in a recent panel discussion, the relationship between the board and the CISO is now a defining factor in long-term cyber resilience. CISOs bring expertise and operational context that boards typically lack, while boards provide strategic direction and governance oversight. Directors should ensure regular, direct engagement with the CISO.
The Human Dimension
The rapid adoption of AI introduces risks that extend beyond technology and into the workforce itself. Boards should recognize that AI-driven transformation creates human capital challenges that carry significant security implications.
First, reskilling and workforce transition present governance challenges. As AI reshapes job functions across the organization, employees face uncertainty about their roles and future prospects. The “2025 ISC2 Cybersecurity Workforce Study” identifies AI as the most pressing skills need for security teams, cited by 41% of respondents. Boards should oversee management’s plans for retraining employees, ensuring the workforce evolves alongside the technology rather than being displaced by it. Reskilling programs can help retain institutional knowledge while positioning employees as partners in AI-augmented roles.
Second, insider risk escalates during periods of workforce volatility. Economic pressures and job displacement create conditions that heighten insider threats, whether through disgruntled employees, negligent data handling or opportunistic behavior. Recent industry analysis notes that workforce instability erodes loyalty and can lead to behaviors ranging from careless data exposure to deliberate sabotage. Surveys indicate that 60% of organizations express high concern over AI misuse enabling or amplifying insider risks. Boards should ensure HR and security functions coordinate to detect early indicators of workforce stress before they manifest as threats.
Third, executive and board education must keep pace with technological change. Directors cannot provide effective oversight if they lack fundamental understanding of how AI operates within the organization. The Harvard Law School Forum on Corporate Governance has noted that AI deployment is significantly impacting the employer-employee relationship, and boards must reevaluate their oversight obligations for the company’s workforce. New York State’s expansion of its Worker Adjustment and Retraining Notification Act to require disclosure of workforce reductions tied to AI and automation signals growing regulatory interest in this area.
Lastly, boards should recognize that human oversight remains essential, even as AI systems become more capable. The NACD-ISA Handbook emphasizes that AI security should not be “bolted on” at the end of processes but integrated throughout the organization’s operations. Trusted AI frameworks require human oversight to correct deviations and maintain alignment with organizational values. Boards should ensure that management establishes clear accountability structures for AI governance, including defined escalation paths and human decision points for high-stakes AI applications.
Preparing for Emerging Threats
Looking ahead, boards must prepare for the next wave of AI innovation: agentic AI systems that operate with unprecedented autonomy. Unlike traditional AI that follows scripted responses, agentic AI can set goals, make decisions and take actions independently. McKinsey warns that 80% of organizations have already encountered risky behaviors from AI agents, including improper data exposure and unauthorized system access.
These autonomous systems represent what cybersecurity experts term “digital insiders” — entities that operate within corporate systems with varying levels of privilege and authority. Just as human insiders can cause harm intentionally or unintentionally, AI agents introduce novel internal risks that existing cybersecurity frameworks do not fully address. Boards should require management to revise risk taxonomies to explicitly account for agentic AI and ensure that AI governance policies evolve alongside technological capabilities.
From Awareness to Action
The NACD characterizes the current moment as an “inflection point” in board governance, where directors must transition from AI education and awareness to more strategic and integrated AI governance. This transition cannot happen in isolation from cybersecurity oversight. The same AI technologies that promise competitive advantage also expand the attack surface that adversaries can exploit.
Directors who invest in developing their AI and cybersecurity fluency, establish clear governance structures and demand rigorous quantitative reporting will position their organizations to capture AI’s transformative potential while maintaining appropriate risk controls. Those who treat AI and cybersecurity as separate, technical matters delegated entirely to management may find themselves presiding over organizations that are neither innovative nor secure.
As the 2024 NACD Blue Ribbon Commission Report on Technology Leadership in the Boardroom concluded, “Technology is no longer a sector. It’s the substrate of the global economy, the invisible infrastructure shaping every industry, every market, every decision.” In 2026, effective governance at the intersection of AI and cybersecurity is not merely a best practice; it is a fundamental fiduciary responsibility.