Artificial intelligence is reshaping cyber risk faster than traditional governance models can adapt. Threat actors are already exploiting AI at scale, while regulation struggles to keep pace. For boards, the question is no longer what AI might mean, but how to govern cyber and operational risk in an environment where AI is already embedded in everyday systems and adversarial tools.
Here are five steps for boards to take.
1. Quantify your AI risk exposure before someone else does
Every meaningful board discussion on AI risk starts with measurement, so ask: What AI systems are in use across the organisation, and what exposure do they create?
A recent Aon poll of 75 EMEA organisations found that nearly two thirds describe themselves as only “somewhat prepared” for AI-linked cyber exposures. Just 18.5% had assessed risks in a way that included AI, and more than a quarter had not conducted any recent risk quantification at all. Aon’s 2025 Global Risk Management Survey reached similar conclusions: cyber is the top global risk, yet only 13% of respondents had quantified their exposure.
If organisations cannot quantify AI-driven risk, they are almost certainly underprepared and increasingly exposed to regulatory challenge.
What to do:
• Commission a formal AI risk quantification exercise, including an AI asset register. If your cyber assessment predates AI deployment, it is outdated.
• Present results to the board in actionable terms: financial exposure ranges, operational resilience scenarios, and control gaps.
• Review cyber insurance and AI vendor terms to understand where liability sits.
• Repeat as a recurring exercise. AI risk is not static. As deployment expands, so does the exposure.
2. Update your internal and external threat model
The threat landscape has shifted materially. Organisations that view AI risk primarily through the lens of external attack are already behind.
The World Economic Forum’s Global Cybersecurity Outlook 2026 found cyber enabled fraud had overtaken ransomware as CEOs’ top concern, with 73% reporting direct impact in 2025.
But the most significant shift is internal. Concerns about data leaks related to generative AI (34%) now outweigh fears about adversarial AI (29%), reversing the trend from 2025. The risk has moved in-house: from what attackers do with AI, to what your own systems, employees and vendors do with it.
What to do:
• Update your threat model to explicitly include AI-enabled social engineering, AI-assisted attacker movement, and internal data exposure from generative AI tools.
• Audit employee and vendor AI usage. “Shadow AI”—unapproved tools—is now one of the largest unmanaged risks.
• Provide targeted training for finance, HR, and executive support teams on vishing, deepfakes, and fraud.
• Introduce an incident classification protocol that includes AI-related misuse.
• Conduct a refreshed tabletop exercise based on AI-centred scenarios and your new risk quantification.
3. Learn from Grok—map your regulatory obligations before you are forced to
The 2026 Grok incident, in which X’s AI tool was shown capable of generating non-consensual intimate images of real people, including minors, triggered simultaneous regulatory investigation, parliamentary scrutiny, and urgent legislative amendment.
This shows that technology moves faster than any legislative cycle, and that the gap between capability and legal framework creates real and immediate liability exposure for every organisation operating in this space.
Organisations must map their obligations now, not mid incident.
What to do:
• Map AI-related obligations across all applicable instruments: in the UK, the Online Safety Act, the Data (Use and Access) Act, UK GDPR, the proposed Cyber Security and Resilience Bill, and sector rules. In the EU, add the AI Act, NIS2, DORA, GDPR, and the Cyber Resilience Act.
• Avoid treating these as separate workstreams—the frameworks overlap and sometimes conflict.
• Obtain legal advice on whether your AI systems fall within current regulatory scope.
• Establish regulatory horizon scanning to track emerging provisions.
4. Adopt the emerging standards, which will become regulatory benchmarks
The governance standards that are currently voluntary will not remain so forever. Organisations that wait for them to become mandatory before adopting them will find themselves in a reactive position when enforcement begins or insurance premiums increase.
NIST’s Cyber AI Profile (released in draft in December 2025) overlays AI-specific priorities onto the Cybersecurity Framework 2.0, covering securing AI systems, using AI defensively, and countering AI-enabled attacks. It is likely to become a de facto regulatory reference point across multiple jurisdictions.
What to do:
• Conduct a gap analysis against the NIST Cyber AI Profile and build a remediation roadmap.
• Prioritise adoption at board level—the question is not whether you adopt, but how quickly.
5. The practical imperative: build the governance architecture now
Grok, the UK ransomware wave, and the widespread failure to quantify AI risk, all point to one issue: existing governance frameworks were built for yesterday’s technology. Rapid digital transformation means organisations cannot rely on regulation alone to define acceptable risk.
The takeaway for boards is that AI risk demands clarity, governance and action. Organisations that understand their exposure, map their obligations, and embed strong oversight will be better equipped to adopt the standards and controls needed to stay ahead. Those that move early will be the ones that emerge stronger when pressure comes.
Emma Wright is global co-chair of the privacy and cybersecurity practice at law firm Crowell & Moring.