Questions every board should be asking about AI, data and cyber security in 2026

Author: Joanne Vengadesan

As artificial intelligence tools become increasingly accessible, employees are adopting them – often informally – to boost productivity, spark creativity, or streamline repetitive tasks. This quiet, decentralised use of unapproved AI tools is commonly referred to as ‘shadow AI’.

The challenge for many organisations is not just identifying who is using AI, but understanding how, why, and where these tools are being embedded into everyday workflows. Surveys across industries consistently show that a large proportion of employees use generative AI without approval, often believing they are acting helpfully or harmlessly. Some 38% of employees acknowledge sharing sensitive work information (including code and strategy) with AI tools without the employers’ permission. While it can be well intentioned, beneath the surface, this behaviour may be creating risks and liabilities that leadership cannot see or manage, such as:

• Data leakage and confidentiality breaches: employees may inadvertently input sensitive, client, or proprietary information into public AI systems, risking exposure, reputational damage, loss of privilege, or regulatory breaches. Customers and clients are increasingly worried about their data reaching unsanctioned AI systems and unapproved leakage of customer data could lead to legal action;
• Compliance and legal exposure: unapproved tools may fail to meet data protection standards or contractual obligations. The outputs generated may also raise IP ownership issues, which is especially important if shadow AI is used to develop code or other products and services;
• Security vulnerabilities: externally hosted AI systems may introduce new threat vectors, including poorly secured APIs or third party data processing practices outside organisational control;
• Quality and reliability risks: shadow AI use may lead to inconsistent work quality, unreviewed AI-generated content, or decisions made on the basis of inaccurate outputs.

Actions organisations should take:

• Establish clear policies and guidance: define which AI tools are permitted, how they may be used, and what data employees must never share. Guidance must be practical, accessible, and non technical;
• Provide approved, secure AI alternatives: offering sanctioned AI platforms reduces the temptation to experiment with risky and unauthorised tools;
• Educate and upskill staff: regular training helps employees understand risks, safe usage practices, and when to involve oversight. It is key for employees to appreciate that using shadow AI could lead to reputational damage and possibly legal action from third parties and regulators;
• Implement monitoring and governance: AI registers, risk assessments, and transparent reporting channels help organisations identify shadow AI usage and transition it into safe, managed practice;
• Foster a culture of openness: encourage employees to experiment with AI – but safely – and remove the stigma associated with asking for approval.

Author: Joanne Vengadesan and Dan Lovett

As businesses integrate AI into their products, services, processes and internal decision-making, boards of directors and other senior executives must ensure they have the appropriate level of AI knowledge and skills to provide effective oversight. Directors need to understand the technology as well as the governance issues associated with it. AI literacy is becoming essential to fulfilling directors’ legal duties and ensuring that AI-driven opportunities are taken forward responsibly.

Without an understanding of AI, directors may struggle to interrogate assumptions, evaluate commercial decisions, and ensure that AI projects are legally compliant and ethical. Key risk areas to upskill on include:

• Data privacy and security;
• Contractual issues;
• Intellectual property infringement;
• Compliance with the EU AI Act and/or sector specific regulations as well as voluntary codes of practice and other guiding principles;
• Ethics and reputational risk.

The Companies Act 2006 requires directors to exercise reasonable care, skill and diligence. As AI becomes mainstream, what is considered ‘reasonable’ is shifting. A lack of AI literacy will inevitably make it harder for directors to demonstrate that they exercised informed judgment in areas such as data governance, fairness and transparency, cybersecurity, intellectual property and the use of automated decision making.

Boards of directors need to consider whether they have the right mix of skills and expertise to oversee AI’s strategic and operational impact. Do they have sufficient collective understanding of AI to challenge management effectively and are they confident they know enough to be able to assess AI-related risks?

Article 4 of the EU AI Act imposes a specific obligation on providers and deployers of AI systems to ensure that staff possess sufficient AI literacy. However, the Digital Omnibus on AI (which contains targeted simplification measures) proposes to transform the obligation on providers and deployers of AI systems to ensure AI literacy into an obligation on the Commission and member states to foster AI literacy. Boards should monitor the Digital Omnibus on AI developments closely.

Actions organisations should take:

• Review board composition to determine whether specialist AI expertise is sufficient;
• Consider appointing a director to lead AI projects or appointing a non executive director with AI expertise. Alternatively the board may consider creating an advisory panel of external AI experts or a committee to lead AI projects;
• Engage external legal or technical advisers or consultants to brief the board on emerging regulation, risk management and best practice;
• Ensure regular training throughout the organisation from the top down on AI fundamentals with regulatory updates relevant to the particular sector;
• Embed AI oversight within existing governance structures, such as risk, audit or technology committees. Ensure that AI forms part of the organisation’s strategy and that policies and procedures are in place to maintain a consistent approach across all AI projects.

Author: Dan Lovett

As artificial intelligence becomes increasingly embedded in business processes, the question of what data these systems learn from has taken centre stage. Yet many organisations still underestimate the privacy and regulatory implications tied to AI training data, particularly when that data includes personal or sensitive information.

Even when this information appears low risk, training models on personal data can have unintended consequences. Anonymised datasets can be re identified, confidential information may inadvertently surface in model outputs, and organisations may find themselves processing far more personal data than intended. Models can often reproduce or infer sensitive details embedded in training datasets. Malicious actors may also attempt to recover training data from deployed models. This could lead to personal data breaches which could attract fines from data regulators and legal action from individuals.

When using AI to scrape data in the public domain, there are even greater data protection issues to consider. The UK data protection regulator, the Information Commissioner’s Office (ICO), is increasingly examining whether organisations can rely on legitimate interests as a lawful basis when scraping personal data for AI training. If organisations fail to demonstrate a lawful basis, the ICO can issue Enforcement Notices requiring destruction of AI models and may impose fines.

Actions organisations should take:

• Map the ‘data lineage’ of all AI models, confirming whether the AI uses your data for training and documenting how both your organisation and any third parties may use that data. For any AI training, ensure there is a clear and documented legal basis for every data point ingested;
• Use privacy preserving techniques, such as data sets which are not personal data to train AI models. Synthetic data can be particularly useful, as it is artificially generated data that mimics the statistical patterns, structure, and characteristics of real world data without containing any actual personal or sensitive information about real individuals;
• Demand transparency from AI vendors about training sources, model governance and how data provided to the AI will be used;
• Implement clear internal AI policies that set boundaries for staff usage and data inputs.

Author: Tom Perkins

From 2 August 2026, the remaining operative provisions of the EU AI Act (other than Article 6(1)) come into force. This marks the end of the transitional period and the beginning of active enforcement for a wide range of AI systems. For developers, providers, and deployers of AI, this date represents a hard regulatory line: any system falling within scope must meet the relevant EU AI Act compliance obligations or face significant legal and commercial consequences.

The most substantial impact falls on high risk AI systems, which include tools used in biometric identification, employment, essential private services, education and critical infrastructure. At the same time, the obligations for general purpose AI and general purpose AI models also become fully operational.

To comply, organisations must implement a comprehensive set of controls, including:

• Robust risk management frameworks, covering identification, analysis, mitigation, and continuous evaluation of risks throughout the system lifecycle;
• Accuracy, robustness, and cybersecurity safeguards, ensuring the system performs reliably under expected conditions and is resilient to adversarial attacks or data integrity threats;
• Human oversight mechanisms, designed to prevent or minimise risks to safety and fundamental rights, and to ensure human intervention remains possible;
• High quality, relevant, and representative training, validation, and testing data, with documented data governance processes;
• Post market monitoring systems, enabling ongoing assessment of system performance, incident reporting, and rapid remediation of emerging risks.

The EU AI Act also imposes extensive record keeping and documentation obligations on providers, deployers, importers, and distributors. This includes maintaining technical documentation, activity logs, conformity assessment records, and evidence of compliance processes.

Non compliance carries severe penalties. The most serious non-compliance, such as engaging in prohibited AI practices, can result in fines of up to €35 million or 7% of global annual turnover, whichever is higher. Breaches of high risk AI obligations can trigger fines of up to €15 million or 3% of global annual turnover. Importantly, once the August 2026 deadline passes, systems classified as high risk are immediately subject to enforcement, with no further grace period.

Actions organisations should take:

• Catalogue all AI systems currently in use, under development, or procured from third parties;
• Determine your role under the Act, whether that is of a provider, deployer, importer, or distributor in respect of each AI system as obligations differ significantly;
• Conduct a high risk classification assessment to identify whether any system falls within high risk categories;
• Conduct a full EU AI Act compliance audit and implement remediation measures well ahead of the deadline.

Author: Charlotte Hill

The introduction of the Failure to Prevent fraud offence under the Economic Crime and Corporate Transparency Act 2023 (ECCTA) marks a fundamental shift in how organisations must think about fraud risk – particularly in an era where artificial intelligence is becoming deeply embedded in everyday business processes.

Under ECCTA, an organisation can be held criminally liable if an employee, agent, subsidiary or other ‘associated person’ commits a fraud intending to benefit the organisation, and the organisation does not have reasonable fraud prevention procedures in place. Crucially, liability attaches even where senior leaders are unaware of the misconduct.

This represents a significant compliance challenge at a time when AI tools – often deployed rapidly and with limited oversight – create new vectors for misconduct. For example, an employee might use generative AI systems to fabricate financial or performance data, manipulate reports, or automate sophisticated forms of deception that are harder to detect through conventional controls. If that AI enabled fraud benefits the organisation, the organisation may find itself exposed to criminal prosecution unless it can demonstrate the existence of ‘reasonable procedures’ to prevent such conduct.

Government guidance updated in October 2025 makes clear that the offence is broad in scope, capturing employees, agents and subsidiaries acting for or on behalf of the organisation. The guidance emphasises that while advisory, it is not a safe harbour: even strict compliance does not automatically amount to a defence. Organisations must design fraud prevention procedures tailored to their own structure, risks and activities.

The offence came into force on 1 September 2025 and applies to large organisations – those meeting at least two of the following thresholds: more than £36 million turnover, more than £18 million total assets, or more than 250 employees. But importantly, the principles set out in the guidance are considered good practice for organisations of all sizes, especially those adopting AI into critical decision making, operations or client delivery.

AI and fraud risk: why this matters now

AI systems offer speed, efficiency and insight – but they also magnify the potential for fraud. ECCTA was designed to make it easier to hold organisations to account precisely because modern fraud is often perpetrated internally by individuals with intimate knowledge of systems and controls. AI intensifies this: tools that automate data analysis can just as easily automate data manipulation.

The question boards and executives must ask is not simply ‘Do we have fraud controls?’ but ‘Are our controls fit for a world where AI can accelerate and conceal misconduct?’

The guidance highlights six principles for reasonable prevention procedures – top level commitment, risk assessment, proportionate controls, due diligence, communication and training, and ongoing monitoring and review. These principles must now be viewed through an AI risk lens. Without clear governance, human oversight, auditability and guardrails around AI use, organisations risk falling short of the ‘reasonable procedures’ standard.

Actions organisations should take:

With ECCTA in full force, forward thinking organisations should act decisively. Below is a practical starting point:

• Map where AI is used across the organisation, including informal or ‘shadow AI’ adoption;
• Update fraud risk assessments to reflect AI enabled misconduct scenarios;
• Implement clear policies governing AI use, including prohibitions, approval pathways and monitoring rules;
• Strengthen data governance and audit trails, ensuring AI generated outputs are reviewable and verifiable;
• Deliver targeted training on AI risks, fraud indicators and reporting channels;
• Review and test controls regularly, documenting enhancements to demonstrate ongoing monitoring and review.