The five principles published by KPMG International and INSEAD in April 2026 show that artificial intelligence governance is now part of boards’ ordinary mandate.

By Pascale Caron

For several years, artificial intelligence was presented to boards of directors as primarily a technological subject. IT departments, innovation teams, and business units conducted experiments. The board monitored investments, occasionally examined risks, and left implementation to operational managers.

This era is ending.

A decision related to AI can now simultaneously affect strategy, productivity, intellectual property, cybersecurity, human resources, customer relations, and regulatory compliance. It can also create lasting vendor dependency, shift responsibilities, or change how major decisions are made.

Artificial intelligence is therefore no longer just a tool. It is becoming a strategic capability of the enterprise. Consequently, its oversight also falls under the board of directors.

On April 14, 2026, KPMG International and the INSEAD Corporate Governance Centre published AI Governance Principles for Boards. The document proposes five principles designed to help directors oversee AI without replacing executives or technical teams. The message is clear: board members do not need to become engineers. They must be able to understand structural choices, assess trade-offs, and ask the questions upon which the company’s sustainability depends.

This publication comes as board maturity remains insufficient. According to KPMG’s Global AI Pulse cited at the report’s launch, nearly three-quarters of boards are perceived as having only moderate or limited AI expertise. The problem therefore no longer concerns only the pace of tool adoption. It relates to governance bodies’ ability to exercise informed judgment.

Why this evolution is becoming urgent

The European AI Act makes this evolution particularly visible. The regulation entered into force on August 1, 2024. Prohibitions targeting certain practices and obligations relating to AI literacy have applied since February 2, 2025. Provisions on general-purpose AI models and several governance rules became applicable on August 2, 2025. A large portion of the regulation must apply from August 2, 2026, with a specific timeline for certain categories of high-risk systems.

The board is not meant to manage every compliance action. However, it must verify that the company knows its uses, has identified its roles, assigned responsibilities, and integrated regulatory constraints into its investment decisions.

Pressure does not come only from regulators. Investors question AI strategies. Customers want to know how their data is used. Partners examine technological dependencies. Employees expect greater transparency about the transformation of their work. Insurers and auditors seek evidence of control.

AI thus becomes a permanent governance topic, on par with cybersecurity, financial risks, or business continuity.

A change in nature for corporate governance

Boards of directors have always had the mission to oversee strategy, risks, senior management, and long-term value creation. Artificial intelligence does not question this mission. It changes the conditions for exercising it.

Is a company truly developing a competitive advantage or accumulating incoherent experiments? Do its choices create excessive vendor dependency? Does it have the data, skills, and infrastructure necessary to scale? How does it measure value created? Who intervenes when a system makes a mistake or produces a questionable recommendation?

These questions are not technical in the narrow sense. They concern the business model, risk, human capital, reputation, and accountability.

The KPMG-INSEAD report emphasizes a clear separation between oversight and management. The board should not select models, design architectures, or manage projects. However, it must understand the economic, human, and legal consequences of choices made.

Good governance does not necessarily slow innovation. It helps avoid scattered investments, poorly controlled dependencies, and deployments that fail due to lack of adoption or proof of value.

First principle: overseeing long-term value creation

The first principle focuses on strategy. It invites boards to move beyond a vision of AI reduced to immediate productivity gains.

Many companies started with writing assistants, customer service automation, code generation, or document analysis. These uses can be helpful. They do not, by themselves, constitute a strategy.

The board must ask what objective the company is pursuing. Is it merely seeking to reduce costs? Does it want to improve quality, shorten timelines, strengthen personalization, or create new services? Does AI support the existing business model or prepare a deeper transformation?

KPMG’s Global AI Pulse Q1 2026 describes a shift from fragmented use cases toward AI orchestration at enterprise scale. This orchestration requires coordinating investments, governance, infrastructure, data, skills, and security. Deploying more tools is not enough.

The board must also ask how value will be measured. Counting licenses, users, or pieces of generated content is not enough. Indicators must cover financial effects, operational quality, timelines, errors, customer satisfaction, incidents, actual adoption, and consequences for work.

A credible AI strategy combines ambition, execution capabilities, and proof of value. Without this coherence, the company risks funding demonstrators that never become lasting assets.

Second principle: exercising active technology and security oversight

The second principle does not ask the board to become an architecture committee. It asks it to understand technological decisions likely to commit the company long-term.

The choice of a cloud provider, foundation model, or agent platform influences future costs, data location, reversibility, auditability, and the company’s bargaining power. A solution quick to deploy can become difficult to replace.

Directors must therefore examine the dependencies created. Can the organization change vendors without rebuilding its entire system? Do contracts specify data use conditions? Can the results produced be audited? Does the company know which tools are used outside official channels?

Security also takes on a new dimension. Risks are no longer limited to traditional intrusions. They include data manipulation, attacks against models, leaks of confidential information, hallucinations, deceptive synthetic content, and unanticipated actions by autonomous systems.

The essential question is no longer just: is the system performing well? It becomes: what happens when it makes a mistake, when it is manipulated, or when it acts beyond the intended scope?

The board must require alert mechanisms, suspension procedures, traceability, and crisis management. A system’s resilience is not measured only when it operates normally. It is revealed when its behavior becomes unpredictable.

Third principle: supporting workforce transformation and preserving human accountability

The third principle combines workforce transformation and human accountability.

AI does not always replace a complete job. It often modifies part of the work, the expected level of autonomy, and the relationship between human expertise and algorithmic recommendation. It can eliminate certain tasks, accelerate others, and create new control obligations.

The board must verify that social strategy accompanies technological strategy. Training a few employees to use a tool is not enough. The company must identify exposed occupations, critical skills, and risks related to work intensification, surveillance, or loss of meaning.

Human accountability must also be clarified. Some decisions can be largely automated when they are reversible and have few consequences. Others require reinforced validation, particularly when they concern employment, credit, health, or access to an essential service.

However, the presence of a person in the loop is not a sufficient guarantee. That person must still have the time, information, skills, and authority necessary to challenge the result.

Purely formal human control can become an organizational fiction. The board must therefore ensure that oversight remains genuinely effective.

Fourth principle: building trustworthy artificial intelligence

The fourth principle addresses reliability, ethics, and trust.

Trust does not rest on a general charter or statement of intent. It must be integrated into the design, deployment, and monitoring of systems. This requires identified responsibilities, testing, documentation, escalation procedures, and structured incident handling.

Governance must be proportionate to risk. An internal assistant that summarizes documents does not have the same consequences as a system used to select candidates, detect fraud, or recommend a medical decision.

The greater the potential effects, the higher the requirements for robustness, traceability, explainability, and oversight must be.

Trust also concerns third parties. Outsourcing technology does not mean outsourcing accountability. The board must therefore ensure that contractual conditions, audit rights, security commitments, and procedures applicable in case of incident are known.

KPMG frames these principles within its Trusted AI approach. The central idea is important for executives: trust is not the enemy of speed. It often constitutes the condition enabling AI deployment at greater scale.

Fifth principle: transforming how the board itself operates

The fifth principle directly concerns the board’s work.

The first transformation relates to skills. Not all directors need the same level of mastery, but the board must collectively possess the knowledge necessary to understand strategic, technological, human, and regulatory issues.

This competence can be strengthened through training, recruiting complementary profiles, regular expert interventions, or creating a specialized committee. The choice depends on the company’s size, sector, level of exposure, and project maturity.

The second transformation concerns information transmitted to the board. Directors need a readable dashboard: systems in production, experimental projects, incidents, expenses, measured benefits, major risks, unauthorized uses, and critical dependencies.

The frequency of exchanges must also evolve. An annual presentation is no longer sufficient when models, uses, and risks change within months.

The board itself can use AI tools to prepare meetings, synthesize files, or simulate scenarios. This use must remain controlled. Board documents are among the company’s most sensitive information. Their processing by external services can create confidentiality, data retention, and trade secret risks.

AI can augment analytical capacity. It does not replace judgment, fiduciary responsibility, or adversarial debate.

What executives can do now

1. Map actual uses
   Identify official systems, experiments, individual uses, and associated data processing.
2. Clearly assign responsibilities
   Define who decides, who validates, who monitors, who manages incidents, and who reports to the board.
3. Measure value and risks
   Associate projects with financial, operational, human, and control indicators, rather than tracking only adoption.
4. Train the board
   Give directors sufficient understanding to challenge choices without intervening in operational management.
5. Establish regular reporting
   Integrate AI into ordinary strategic oversight mechanisms, with a rhythm adapted to the company’s level of exposure.

From technological competence to judgment capacity

The main contribution of the KPMG-INSEAD framework perhaps lies in its implicit definition of AI competence within a board.

Being competent does not mean mastering the details of a neural model. It means understanding the consequences of a technological choice, identifying missing information, challenging a commercial promise, and recognizing an indicator’s limitations.

An effective board must distinguish a convincing demonstration from a reliable system. It must understand that a productivity gain does not automatically constitute lasting value creation. It must also know that the absence of declared incidents does not prove the absence of risk.

Artificial intelligence thus requires more continuous, better-informed, and more interdisciplinary governance. Technical issues must be connected to economic realities. Innovation ambitions must be tested against the organization’s capabilities. Compliance requirements must support trust without becoming mere documentary formality.

A company that neglects this evolution may deploy a great deal of AI without truly mastering it. Conversely, a board capable of asking the right questions can become an acceleration factor. It helps management prioritize investments, anticipate dependencies, and build conditions for responsible scaling.

Governing AI means governing tomorrow’s enterprise

The KPMG-INSEAD report reminds us of a simple idea: governance has never consisted of mastering every technology. It consists of understanding how technological evolutions permanently transform the enterprise.

Yesterday, boards had to learn to oversee digital transformation and cybersecurity. Today, they must integrate artificial intelligence into their understanding of strategy, risk, skills, and value creation.

The companies that succeed will probably not be those that deployed the greatest number of models or agents. They will be those that knew how to choose relevant uses, organize responsibilities, measure results, and maintain judgment capacity.

Maturity will not be measured by the number of tools used. It will be measured by the organization’s ability to transform AI into lasting competitive advantage, without losing control of the risks it introduces.

AI governance therefore does not begin with adopting a charter. It begins when the board agrees to treat this technology as an ordinary component of its mandate.

Directors do not need to become engineers. They must learn to ask the right questions before wrong answers become irreversible decisions.

Main references

  • KPMG International and INSEAD Corporate Governance Centre. AI Governance Principles for Boards. Publication of April 14, 2026.
  • KPMG International. Global AI Pulse Q1 2026. March-April 2026.
  • KPMG International. KPMG and INSEAD launch global AI Board Governance Principles as AI reshapes board oversight. Press release of April 14, 2026.
  • European Union. Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence, progressive application timeline.