
AI Governance, Risk & Boards

A ~40-minute brief for board directors, audit committee members, risk officers, CISOs, GCs. Risk classification, register, NIST 4 functions controls, vendor posture, board questions, incident response, governance charter. Grounded in EU AI Act, NIST AI RMF, ISO 42001.

  • Chapters: 8
  • Duration: ~40 min
  • Level: Intermediate
  • Certification: No

Who this is for

For board directors, audit committee members, risk officers, CISOs and GCs who are already past basic AI literacy.

How this course works

  • 8 audio-narrated slide chapters · ~40 min of focused content
  • Capstone with interactive Markdown builder you take to your team
  • Trust trip-wires on every play — what not to cross
  • Free verifiable certificate on completion

What you'll walk out with

Specific outcomes from this course — no fluff.

  • A working knowledge of the AI governance regulatory stack — EU AI Act, NIST AI RMF, ISO 42001 + sector overlays
  • The risk classification framework you can defend to regulators, auditors, and litigation
  • A risk register pattern that's real, not a checkbox — with the NIST 4 functions controls embedded
  • The vendor posture — what to demand in writing from every AI vendor before signing
  • 4 board resolutions every regulated company should pass — wording sourced from real precedent
  • The 10 board questions for every AI initiative — the diligence script directors can use today
  • Incident response for AI — the playbook for the day something goes wrong publicly
  • A governance charter template — the document that makes oversight real

Course content

8 chapters · ~40 min

00 · Welcome

A 1-minute orientation — what the course covers, how to navigate, and what you walk out with. No audio on this screen.

01 · The 2026 governance landscape

EU AI Act Reg. 2024/1689 in tranches through Aug 2 2026 (Annex III, Art. 26, Art. 50, Art. 99 fines). NIST AI RMF as de facto US standard. ISO 42001 auditable certification. US EO landscape Biden→Trump→AI Action Plan. State patchwork. India DPDPA. OECD principles across 47+ countries.

02 · AI risk classification

EU AI Act 4-tier framing (prohibited, high-risk Annex III, limited, minimal). NIST context-based approach. 5-category taxonomy: bias + fairness (Bloomberg resume study), hallucination + accuracy (Stanford 17–34%), security + privacy, IP, operational + concentration.

03 · The AI risk register

5-column structure (system + purpose, tier, owner, status, last review). Quarterly council + annual audit-committee cadence + material-change ad-hoc. Deloitte ACP Q4 2025: 62% want disclosure, 31% want sample-testing. 3 escalation triggers (material finding, new high-risk, regulatory change).

04 · Controls · NIST AI RMF 4 functions

Govern (policies, accountability, risk culture). Map (Mata v. Avianca failure mode — knowing what you're deploying). Measure (Air Canada Moffatt failure mode — what the chatbot tells customers). Manage (mitigate, document, communicate). All 4 required.

05 · Vendor and supply-chain risk

Enterprise terms baseline (training opt-out, tenant isolation, retention) in writing across OpenAI/Anthropic/MS/Google. Anthropic RSP + OpenAI Preparedness Framework as vendor safety landscape. Third-party concentration risk. Open-source trade-offs (Llama, Mistral, Falcon).

06 · Board-level AI questions

7 questions every director must answer in 1 minute: inventory + high-risk; named ownership; failure scenarios + response; EU/NIST/state posture; vendor concentration; incident protocol; disclosure. Cross-domain Mata + Park + Charlotin tracker (100+ AI-fabricated court filings mid-2025) as governance signal.

07 · Incident response and disclosure

5 incident categories (material output failure, security, vendor outage, regulatory action, peer signal). 4-24-72 hour escalation timeline. EU AI Act Art. 27 FRIA re-assessment on material finding. WEF Global Risks 2025: AI-driven misinformation = #1 short-term risk for 2 years running.

08 · Making it stick: your AI governance charter

4 pieces · 1 page: framework spine (EU + NIST + ISO 42001) · classification posture · AI council · disclosure baseline. 4 trust trip-wires: no untested model in regulated decisions, no vendor without enterprise terms, no unverified AI in material disclosure, no "set and forget". Interactive charter builder.

Want this delivered inside your organisation?

The course is the starting point. The same content powers a 4-week pilot, an org-wide rollout, or a continuous build engagement — set up on your data, with your team, by Gennoor Tech.