Sometime in the next two quarters, someone on your board is going to ask a version of this question: what's our exposure on AI?
It won't be hostile. It'll be routine — the same way they ask about cyber, liquidity, or regulatory posture. And in most regulated mid-market firms I work with, the honest answer the security function can give in that moment is some blend of "we're looking into it" and a slide listing the tools the company already owns.
That answer used to be fine. In 2026, it isn't — and the reason has nothing to do with how good your security team is.
What actually changed
Two forces moved the AI question from an IT topic to a board obligation.
First, regulators stopped treating AI as something separate from the duties firms already carry. New York's Department of Financial Services made this explicit in its October 2024 guidance: existing cybersecurity expectations already extend to AI-related risks, and a covered entity's senior governing body is expected to have visibility into them. Its earlier circular letter on the use of AI in underwriting and pricing put oversight responsibility squarely at the board level. The NAIC model bulletin on AI has now been adopted, in some form, by more than half the states. If you're a carrier, you should assume an examiner will eventually arrive with a standardized way of asking how you govern AI — not whether you do.
Second, your customers got there ahead of your regulator. Enterprise procurement teams are now sending AI-specific security questionnaires alongside the SOC 2 request. A "we don't formally govern AI yet" answer doesn't just create regulatory exposure anymore. It loses deals, or stalls them for a quarter while you scramble to assemble evidence you don't have.
The net effect: AI governance is no longer something your firm will get around to. It's something your board now owns — whether or not anyone has briefed them on it.
Why your existing reporting doesn't answer the question
Most security reporting is built around a different question. It tells the board how well the company is defending its systems: patch cadence, incidents, phishing click rates, audit findings. Useful. But the AI question is different in kind, not degree.
The board isn't asking are we secure. It's asking do we know where AI is being used, what could go wrong, who is accountable, and can we show that to a regulator or a customer. You cannot answer that with a vulnerability dashboard. You answer it with governance evidence — and governance evidence is something most firms have never been asked to produce, so they haven't built the machinery to produce it.
That's the gap. It isn't a competence gap. It's a tooling-versus-governance gap, and almost every mid-market firm I assess is sitting in it right now.
What a board-ready AI posture report actually contains
This is the part worth keeping. When I build one of these for a client, six things go in it:
- An AI inventory. Every model, every vendor feature with AI baked in, every tool an employee signed up for without telling anyone. This is always longer than leadership expects.
- A model risk register. Each use case scored for what it touches, what it decides, and what happens if it's wrong.
- Framework alignment. Where the program stands against NIST AI RMF and ISO 42001 — the two frameworks regulators and auditors now treat as the reference points.
- The regulatory map. The specific obligations that apply to this firm — NYDFS, the relevant NAIC-bulletin state, sector rules — mapped to what the firm is actually doing about them.
- A plain-language summary the board can act on. One page. No jargon. The three things that need a decision and the three that need money.
- A 90-day roadmap with named owners. Because a report that doesn't end in accountability is just a longer version of "we're looking into it."
That's the artifact. If your security function can produce all six on request, you're in good shape. If it can produce two, you have a board-reporting problem that a regulator or a customer will eventually find for you.
What we find when we go looking
A pattern shows up almost every time. The firm believes it has three or four AI use cases. The inventory turns up fourteen. Most of the surprises aren't the flagship project leadership knows about — they're the marketing tool that quietly added an AI feature, the support team running customer messages through a model nobody approved, the vendor whose roadmap now routes your data through inference you never reviewed.
None of that is a scandal. It's just unmanaged, and "unmanaged" is the exact word a board doesn't want to hear when it finally asks the question.
The takeaway
Your board doesn't need a longer security deck. It needs a short, honest answer to a question it's about to ask — and the evidence behind it. That's what a board-ready AI posture report is: the inventory, the risk register, the framework and regulatory map, the one-page read, and the roadmap that ends in names and dates.
If you want the sanitized board memo I build from — the five-page template, structured the way a regulated firm can hand it to its audit committee — message me and I'll send it over, no pitch attached. And if you'd rather see how the full posture report comes together, that's what RedOps does for regulated mid-market firms: redops.ai.