Only 14% of the UK’s largest companies identify a board member or committee responsible for cybersecurity. Fewer still discuss AI at every board meeting. Yet these are not abstract risks — they are active governance blind spots in an economy increasingly driven by digital infrastructure, automation, and data exposure.
AI, in particular, is forcing boards to confront uncomfortable questions. How do you assess risk in technologies most directors have never used? Who owns accountability when machine learning drives strategic decisions? And is “digital” still something boards can safely delegate?
Some organisations are adapting. Tesco has formed a Technology & Data Committee. NatWest recently elevated its Chief Digital & Data Officer to the board. Rolls-Royce has appointed a former Microsoft UK CEO as a non-executive with responsibility for AI and digital transformation. But these moves remain rare.
According to Glen Williams, CEO of Cyberfort, “Too many boards are still structured around models that were built for a different era. AI in particular is not just a technological issue but presents a governance challenge that cuts across every committee — from audit to risk to strategy.”
Sam Thornton, COO at Bridewell, points to a gap in readiness. “Cyber budgets are coming under increased pressure and therefore the discussions around cyber risk are becoming more commonplace in the boardroom,” he said. “However, there is still a learning curve of how to embed increased maturity in terms of identifying and assessing cyber risk across organisations.”
In our new BQX feature, we explore how UK boards are responding to these pressures — and what effective oversight really looks like in an age of ambient digital risk. Featuring insight from leaders at the Corporate Governance Institute, the International Data Center Authority, TSG Training and more, the piece offers a forward-facing view of what boards must do to keep pace.