Two scenarios. Read them as trolley problems for your next board meeting.
One: your board has seated an AI system as an "independent director" with an advisory vote. On a proposed acquisition, the model votes no. The human directors vote yes. The deal closes. A year later the target company collapses, and in retrospect, the model was right. Who is on the hook for ignoring the no-vote? And had the board followed the model instead, who would have been on the hook for that?
Two: your legal team runs a $10M vendor contract through an AI review tool. The model returns a clean summary. The lawyer skims the document afterward, doesn't catch a non-standard indemnity clause, and signs. Damages follow. Where does liability sit: with the lawyer who signed, with the firm that deployed the tool, with the vendor of the AI, or with the partner who set the workflow?
These are not edge cases anymore. They are the actual decisions corporate boards and general counsels are walking into in 2026. And the question they force is not whether AI should be in regulated decision-making; that ship sailed a year ago. The question is AI compliance as an architecture problem: who owns the call when the model is part of the chain, and how do you prove it after the fact?
This is a walkthrough of the two scenarios, the compliance frameworks already on the table, and what every AI compliance program needs to be able to answer before the regulator (or your own auditor) asks.
Key Takeaways
- AI compliance is a question of decision ownership, not tool selection. The model being good or bad is a secondary question. The primary question is who owns the call.
- The two failure modes are symmetric. Following the model when you shouldn't, and ignoring the model when you shouldn't. Both produce liability. Both need to be explainable in your audit trail.
- Fiduciary duty does not transfer to a model. A board cannot delegate the duty of care to an advisory AI any more than it can delegate it to an external consultant. The duty stays with the directors.
- "The AI reviewed it" is not a defense. Tool use does not discharge professional responsibility. It is treated as the use of a tool, with all the diligence obligations that implies.
- Four frameworks set the floor. EU AI Act, NIST AI RMF, ISO 42001, and SOC 2 (extended to AI workflows) are the current reference points for any AI compliance program of scale.
- Audit trail comes first. Before provenance, before human-in-the-loop boundaries, before vendor governance, you need a record of what the model saw, what it said, and what you did about it.
Scenario 1: AI on the board. When an advisory model overrules human directors.
Treat this one as a hypothetical, not a reported event. A board has seated an AI system as an advisory director — a model with read access to the data room, a defined scope, and a non-binding vote. The model votes against an acquisition. The directors proceed. The acquisition fails. In hindsight, the model was right.
The temptation is to read this as a vindication of AI judgment. That's the wrong read. What the scenario actually surfaces is a much older question: when a board votes against advice, from a consultant, from outside counsel, from a fairness opinion, from an AI system, who owns the outcome?
Whose fiduciary duty is it
The fiduciary duty of care belongs to the human directors. It does not split with the model. A director who votes in favor of an acquisition that fails is not absolved because an advisory tool flagged the deal. A director who votes against an acquisition that succeeds is not credited because the model agreed.
What changes is the evidentiary record. If the model produced a documented dissent and the board chose to override, the duty of care now includes a documented decision to override. That documentation cuts both ways. It can show diligence. It can also show willful disregard of available analysis.
How a board minute needs to read after AI
The format of board minutes was not designed for this. Minutes typically record vote tallies and material discussion points. They were never designed to record the dissent of a non-human advisory member.
A board minute that captures the AI's role honestly probably needs to record three things: what inputs the model had access to, what its output said, and what the board's reasoning was for incorporating or overriding that output. Anything less leaves a hole in the record that a plaintiff's lawyer (or a successor board) will find later.
What advisory really means
"Advisory" is doing more work in these conversations than it can carry. An advisory consultant is a person with reputational skin in the game. An advisory AI is a stateless model run by a vendor whose terms of service almost certainly disclaim consequential damages. Those are not equivalent constructs, and the governance treatment cannot be equivalent either.
If you are putting AI on the board, the harder question is not what vote weight to give it. The harder question is what to do with its output when you disagree, and how to make that decision reviewable later.
Scenario 2: AI in legal review. The lawyer trusted the model. The non-standard clause shipped.
A $10M contract. An AI review pass that summarizes the obligations cleanly. A lawyer who reads the summary, skims the document, and signs off. A non-standard clause that the model classified as boilerplate and the lawyer didn't double-check. Damages follow.
This is where the most expensive AI compliance failures will live for the next 36 months. Not at the board level, where everything is high-attention. In the legal review workflow, where the cost of going slower than the model feels marginally higher every week.
Where does professional negligence sit
The lawyer signed. Under existing professional responsibility frameworks, that signature is the locus of liability. Tool use does not transfer duty. AI contract review, like redlining software, a junior associate's first pass, or a contract management system, is treated as a tool the supervising lawyer is responsible for using competently.
The wrinkle is that the failure mode of AI contract review is different from the failure mode of a junior associate. A junior misses what they don't know to look for. A model misses what falls outside the patterns in its training distribution. The lawyer's diligence obligation now includes understanding both failure modes well enough to decide what the model is allowed to be authoritative on and what it isn't.
What "review" means post-AI
If the lawyer's review is a meaningful second pass, an actual read with the model's output as one input among several, the original liability allocation holds. The lawyer is the supervising professional. The tool is a tool.
If the lawyer's "review" is a fast scan that defers to the model on substance, that's a different posture. It looks less like supervised tool use and more like delegation to an unlicensed reviewer. That posture is harder to defend on professional responsibility grounds, and harder still to defend in front of a malpractice insurer.
Firms that are getting this right are redefining "review" in writing. They specify what the human is checking that the model is not, what the model is checking that the human is not, and which conflicts between the two require a third pass. That definition is itself a compliance artifact.
How discoverable is the AI's prompt and output trail
Very. The prompt sent to the model, the inputs the model had access to, the output it returned, the version of the model used, and the system instructions in place at the time are all reasonably foreseeable as discoverable in a dispute over the underlying contract. Firms that don't retain those artifacts are gambling that they won't be subpoenaed. That's a thin bet on a $10M contract.
This applies to in-house legal teams as well. AI legal review tools that delete prompts and outputs after a session are not solving a privacy problem — they are creating a discovery problem the next time something goes wrong.
The compliance frameworks already in motion
You don't need to invent a framework. Four are already in play. None of them solves your problem in isolation. Together they define the floor.
EU AI Act
The EU AI Act is the most concrete of the four: a binding regulation with a risk-tier structure. High-risk uses (and many enterprise governance and HR uses fall into this bucket) carry obligations around data quality, documentation, human oversight, transparency, and post-market monitoring. If you operate in or sell into the EU, the AI Act is the reference your legal team will be reading first. Treat its risk-tier classification exercise as a forcing function for the rest of your AI compliance program.
NIST AI Risk Management Framework
The NIST AI RMF is voluntary in the US, but it is the framework most often invoked by US enterprises as the operational structure of their AI program. Its four-function shape (Govern, Map, Measure, Manage) is useful primarily because it forces the question of who governs each piece, which is the question you actually need to answer for the scenarios above. It is the closest thing to a default operating model for AI compliance in the US.
ISO/IEC 42001
ISO 42001 is the international management-system standard for AI: the AI equivalent of what ISO 27001 is for information security. A 42001-aligned AI management system is the most defensible answer if a regulator or board asks "how do you govern AI across the organization?" Certification is still relatively rare, but expectations are moving fast.
SOC 2, extended to AI workflows
SOC 2 is not an AI standard. It is a controls standard for service organizations, focused on security, availability, processing integrity, confidentiality, and privacy. Increasingly, customers and auditors are asking how your existing SOC 2 controls extend to AI workflows, to model inputs, model outputs, prompt logging, vendor model use, and access to model-generated artifacts. If you have SOC 2, your auditor will start asking. If you sell to enterprises that have SOC 2, your customer's procurement team will ask first.
What every AI compliance program needs to answer
Five questions. If you can't answer them today, that's your roadmap.
Audit trail at the decision level
Can you reconstruct, after the fact, what the model said and what the decision was? Not just at the model level, at the decision level. For each material call that the AI was part of, you need a record of what the model output was, what the human did with it, and what the reasoning was. This is the foundation. Without it, every other answer is hypothetical.
Provenance: which inputs the model actually used
What data did the model see when it made the call? In contract review, that's the version of the contract, the playbook, the precedent set. In a board scenario, that's the data room, the financial model, the prior board materials. Provenance is what lets you distinguish a model that was given the right inputs and got it wrong from a model that was given incomplete inputs and got it right by accident.
Reproducibility: can you replay the decision two months later
Given a model version, a prompt, an input, and a configuration, can you reproduce the output two months later? If the answer is no, you don't have a reviewable system. You have a black box that occasionally agrees with you. Reproducibility is what makes the audit trail actually defensible.
Human-in-the-loop boundaries: which decisions can't be model-only
Which decisions are explicitly excluded from model-only execution? This list should be written down. It should be reviewed by your general counsel. It should be revisited quarterly. The act of writing it down is half the value: most organizations have implicit boundaries that nobody has actually surfaced.
Vendor governance: what your AI tooling vendors are certifying
What is your AI vendor's actual position on data handling, model versioning, prompt retention, training on customer inputs, and liability? Most enterprise AI tooling agreements have aggressive disclaimers. That's not necessarily a deal-breaker. It's an input to your own compliance posture. You can't outsource what your vendor won't take on.
AI contract review specifically: what changes when models read the contract before the lawyer does
AI contract review is not a faster junior associate. It is a different kind of reader.
A junior associate misses things they haven't seen before. They flag everything that looks unusual because they don't yet know what's standard. Their false positive rate is high. Their false negative rate, on novel clauses, is also high, but the failure mode is "I didn't know to look for this."
A model misses things that fall outside its training distribution. It can miss a non-standard clause precisely because it has been trained on so many contracts that the clause looks superficially familiar. The failure mode is not "I didn't know to look"; it's "I categorized this as standard." That's a different kind of miss, and it's harder for a supervising lawyer to catch by spot-checking.
Three implications.
First, the review process needs to be redesigned around the asymmetry, not around speed. If the model is doing the first pass, the human pass is checking the categorization: not re-reading every clause, but verifying that the model's confidence on the boilerplate calls is warranted.
Second, the playbook needs to be explicit about what the model is allowed to be authoritative on. Standard NDAs? Probably. Non-standard indemnification in a $10M contract? Probably not. Writing this down is part of the compliance artifact.
Third, the model's output needs to be retained alongside the contract. Not in a separate system. Attached to the contract record. So that when the dispute happens, the record of what the model said and what the human reviewed is in one place.
A four-question AI compliance diagnostic
Ten minutes. Answer these out loud.
- Can you, today, retrieve the full prompt-input-output trail for the last material decision in which an AI system was part of the chain? Not in principle — in practice. Find the artifact.
- Is there a written list of decisions in your organization that cannot be made by a model alone? If yes, who owns it, and when was it last updated? If no, that's the first artifact to produce.
- For your highest-stakes AI-in-the-loop workflow (board advisory, legal review, financial close), can your team articulate, in writing, what the human is checking that the model is not? That definition is your liability allocation.
- What does your highest-value AI vendor's contract say about prompt retention, training on customer data, and liability for output? If you don't know, the answer is probably worse than you'd hope.
If you got "no" or "I don't know" on three of these, your AI compliance program is not at the floor yet. That's fine; most aren't. It's just the starting place.
How to start: don't wait for the regulator
You don't need a perfect program. You need a staged one. The order matters more than the speed.
Start with audit trail. Before provenance, before boundaries, before vendor governance. If you can't reconstruct what the model said and what you did about it, nothing else you build is defensible. This is the cheapest and highest-leverage piece, and the one most often skipped.
Then provenance. Tie the audit trail back to the inputs. Which version of the contract, which board materials, which dashboard. Provenance is what lets you defend the call after the fact.
Then human-in-the-loop boundaries. Write down the list of decisions that can't be model-only. Have your general counsel review it. Put it on a quarterly review cycle.
Then vendor governance. Audit your AI tooling contracts. Map their disclaimers against your own compliance obligations. Decide where the gaps are acceptable and where you need to renegotiate or replace.
Doing these out of order (starting with vendor questionnaires, for instance, before you have an audit trail) produces compliance theater. You will have a stack of vendor attestations and no ability to actually reconstruct a single decision. That is the failure mode to avoid.
FAQ
What is AI compliance?
AI compliance is the discipline of governing AI-involved decisions so that they meet legal, regulatory, contractual, and internal-policy obligations, and so that, after the fact, you can prove they did. In practice it covers audit trails, provenance, human-in-the-loop boundaries, model and vendor governance, and conformance with frameworks like the EU AI Act, NIST AI RMF, ISO 42001, and SOC 2.
What is AI corporate governance?
AI corporate governance is the board- and executive-level oversight of how AI is used inside the company, including which decisions AI can participate in, how those decisions are documented, who is accountable for outcomes, and how AI-related risk is reported up to the board. It sits adjacent to AI compliance — compliance is the operational discipline; governance is the oversight layer above it.
How does AI contract review work?
AI contract review tools ingest a contract and a playbook (the standard positions your firm or company will accept), then return a structured analysis of where the contract deviates from the playbook. The lawyer reviews the analysis, decides which deviations are acceptable, and either negotiates or signs. The compliance question is what the human is responsible for catching that the model isn't, and what record is retained of both.
What is the EU AI Act?
The EU AI Act is the European Union's binding regulation on artificial intelligence, structured around risk tiers. High-risk uses carry obligations including data quality controls, documentation, human oversight, transparency, and post-market monitoring. It applies to organizations operating in or selling into the EU and is the most concrete regulatory reference for AI compliance programs today.
How do you build an audit trail for AI decisions?
At minimum: log the model version, the system instructions in place, the full prompt, the inputs the model had access to, the output it returned, and the human action taken in response. Tie that record to the underlying business artifact (the contract, the board minute, the campaign brief) so the trail can be reconstructed from either side. Retain it under the same retention policy as the underlying business record.
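The record described in this answer, together with the audit-trail, provenance and reproducibility questions from "What every AI compliance program needs to answer", as an added example that is not Improvado's code and not prescribed by any of the frameworks above. The ledger layout, field names, model id and reviewer address are assumptions; the sample contract, playbook and model output are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical decision-level audit ledger (added example); samples below are constructed.
GENESIS = "0" * 64
ACTIONS = {"accept", "override", "escalate"}
SAMPLE_CONTRACT = b"MSA v3 ... 14.2 Indemnity: Vendor liability is uncapped ..."
SAMPLE_PLAYBOOK = b"Indemnity: cap at 12 months of fees; no uncapped positions."
SAMPLE_OUTPUT = '{"deviations": [], "summary": "standard terms, no issues"}'

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(body: dict) -> bytes:
    stripped = {k: v for k, v in body.items() if k != "record_hash"}
    return json.dumps(stripped, sort_keys=True, separators=(",", ":")).encode()

def make_record(artifact, model_id, system_prompt, prompt, inputs, config,
                reviewer, output, human_action, human_reasoning, prev_hash):
    # One record per material decision: what the model saw (hashed, for provenance), what it said, what the human did and why.
    if human_action not in ACTIONS:
        raise ValueError(f"human_action must be one of {sorted(ACTIONS)}")
    body = {
        "business_artifact": artifact,                # contract id, board minute ref
        "model_id": model_id,                         # model name and version
        "system_prompt_hash": sha256_hex(system_prompt.encode()),
        "prompt_hash": sha256_hex(prompt.encode()),
        "input_hashes": {k: sha256_hex(v) for k, v in sorted(inputs.items())},
        "config": config,                             # e.g. temperature, seed
        "output_hash": sha256_hex(output.encode()),   # a replay must match this
        "human_action": human_action,
        "human_reasoning": human_reasoning,
        "reviewer": reviewer,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev_hash,                       # hash-chain link
    }
    body["record_hash"] = sha256_hex(canonical(body))
    return body

def verify_chain(records) -> bool:
    # Each record must hash correctly and link to its predecessor, so a later edit to earlier reasoning is detectable.
    prev = GENESIS
    for r in records:
        if r["prev_hash"] != prev or sha256_hex(canonical(r)) != r["record_hash"]:
            return False
        prev = r["record_hash"]
    return True

def demo_ledger():
    # Constructed trail: the lawyer's real second pass overrides the model's clean summary, then escalates for a third pass.
    common = ("CONTRACT-0001", "review-model-2026.03", "You review contracts.",
              "List deviations from the playbook.",
              {"contract": SAMPLE_CONTRACT, "playbook": SAMPLE_PLAYBOOK},
              {"temperature": 0}, "associate@firm.example")
    first = make_record(*common, SAMPLE_OUTPUT, "override",
                        "14.2 is uncapped indemnity; model classed it as standard", GENESIS)
    second = make_record(*common, SAMPLE_OUTPUT, "escalate",
                         "Conflict on 14.2; partner third pass needed", first["record_hash"])
    return [first, second]
```

Because the output is stored as a hash, a replay two months later with the same model version, prompts, inputs and config can be checked against `output_hash` directly.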
Can AI sit on a corporate board?
Not as a fiduciary director under current corporate law in any major jurisdiction. AI can sit on a board in an advisory capacity, with no vote or a non-binding vote, but fiduciary duties of care and loyalty remain with human directors. The harder governance question is not whether AI can sit on the board: it's how the board documents its reasoning when it follows or overrides the AI's input.
AI compliance is, in the end, a decision-architecture problem. Marketing, finance, legal, and the board are all on the same arc. The shape is the same: a model is part of the chain, a human still owns the call, and the record of who decided what (and on the basis of what inputs) is the asset that decides whether the next dispute is survivable.
For the marketing data side of that chain, Improvado's role is straightforward. We run agentic data pipelines for marketing teams: 1000+ connectors, deployed in days not weeks — and we maintain the audit trail and data provenance underneath, so that when an AI agent inside the marketing stack makes a call, you can show what data it actually saw and reconstruct the decision later. That doesn't certify your AI compliance program. It just means the marketing-data layer isn't the part that breaks under scrutiny.