Stop Managing AI Risk for Your Board. Start Allocating Capital Instead.

Is your board funding AI governance, or just tolerating it?

Boards don't throttle AI budgets because they don't believe in AI. They throttle them because no one has shown them where the money goes and what it buys.

The Situation

Most compliance and risk functions present AI to the board as a liability management exercise: here's what could go wrong, and here's what we're doing to prevent it. That framing positions governance as a risk minimization center driving cost, and cost gets cut. The board question that actually unlocks governance funding isn't "how are we managing AI risk?", it's "which AI investments are worth protecting and which ones aren't?" Until you can answer that, you're asking for budget without a business case.

The Exposure

When governance is framed as internal overhead, boards apply the same logic they apply to any overhead line: minimize it. The consequence isn't just a smaller governance budget. It's that high-risk AI pilots continue running without adequate controls because no one has made the case to fund the oversight they require. Zombie projects, initiatives that have never proven ROI but also haven't been formally killed, quietly accumulate regulatory exposure while consuming resources that could be better directed to implementations generating real business value.

The Judgment Call

The positioning that boards respond to is a shift from risk mitigation to capital allocation. Plotting every live AI initiative against two dimensions, its governance maturity and demonstrated or anticipated ROI, with a 90-day remediation plan for the projects worth recovering, gives the board a prioritization framework rather than an anxiety briefing. High governance maturity and high ROI? Protect and accelerate. Low governance maturity and high ROI? Fund the controls. Any pilot that can't demonstrate progress against defined ROI metrics within a time-bound window gets a sunset date. That revised framing makes the CCO and CRO the architects of AI capital efficiency, not the people asking for more money to manage problems the board isn't well-versed in.

• Risk: Highlighting zombie projects forces uncomfortable conversations with business unit owners who have organizational identity tied to their AI initiatives. Expect resistance when governance becomes the mechanism that de-funds a project.

• Benefit: Boards that see AI through a risk-adjusted ROI lens allocate capital more deliberately, which means that defensible, well-governed AI gets funded instead of speculative pilots that were never going to scale.

This Week’s Action

• What to do: Build a one-page inventory of your firm's live AI initiatives and score each one on two dimensions: governance readiness (can it survive a regulatory inquiry today?) and demonstrated or anticipated ROI (is it generating measurable returns, or does it have a credible, time-bound path to doing so?) Color-code initiatives ready to accelerate, and initiatives to eliminate/reallocate resources from.

• Who to involve: Your Chief Data Officer or AI Model Owner for the initiative inventory; your CFO or financial analyst to validate ROI assessments and ROI hurdles.

• What outcome to achieve: A two-by-two matrix suitable for a board

  pre-read, categorizing each initiative as accelerate, remediate, or retire.

• Time required: 60 minutes to draft; 30 minutes to review with your CFO before it goes to the board.

Artifact

Plot each live AI initiative on a two-by-two grid: Governance Readiness on the X axis, Demonstrated/Anticipated ROI on the Y axis.

Governance Readiness Can this initiative produce a decision log, model version record, and evidence of human oversight on critical decisions within 48 hours?

→ YES: Right half (governance-ready)

→ NO: Left half (remediation required before scaling)

Demonstrated/Anticipated ROI Is this initiative either in production with documented business value, or in a time-bound pilot with defined ROI metrics and a credible path to production?

→ YES: Top half (value-confirmed or credibly in progress)

→ NO: Bottom half (proof of concept, vanity project, or stalled pilot)

Quadrant Outcomes

Top Right: Accelerate. Protect budget and consider expanding scope.

Top Left: Fund additional controls. Governance investment is justified by business returns; remediate shortfalls within 90 days.

Bottom Right: Set a time-bound window to hit ROI metrics. Miss it and the project gets retired.

Bottom Left: Retire. Reallocate budget to other initiatives.

One objection to anticipate: business unit owners with recently launched pilots will argue their project belongs in the top quadrants given enough time. The response is straightforward: every initiative is either delivering ROI, or else gets one time-bound window to demonstrate success. The matrix reflects where a project stands today, not where its sponsor hopes it will stand. A project that can't be plotted because the data doesn't exist is itself a governance gap and your first remediation priority.

When the stakes exceed your internal capacity:

• AI Exposure Diagnostic: A 2-hour strategic evaluation for risk, compliance, and legal leaders to identify your highest-priority governance gaps and deliver a 90-day remediation roadmap.

• 12-Week Governance Sprint: Translate regulatory requirements into audit-ready policies, control frameworks, and accountability structures.

• Ongoing Advisory Retainer: Embedded judgment for policy updates, vendor assessments, and board prep as regulations and technology evolve.

Reply with "Diagnostic" or “Sprint” to schedule a conversation for next month.

Chris Cook writes Judgment Call weekly for compliance and risk officers navigating AI governance.

Former IBM Vice President and Deputy Chief Auditor. Published in the AI Journal, speaker at Yale.

Chris Cook

Managing Partner & Founder

Blackbox Zero

Forwarded this by a colleague? Subscribe to Judgment Call