Technology Governance Is Now Core Board Business
Reflections from the AICD Technology Governance Forum, Brisbane
I came away from the AICD Technology Governance Forum in Brisbane with one clear conviction: boards are still treating technology as a topic that appears on the agenda, rather than the lens through which the entire agenda should be read.
That might be a big claim. Based on what I heard, I don’t think it’s an unreasonable one. Technology now shapes how organisations deliver services, manage cost, interact with customers, protect data, redesign work and compete for talent. If you are not governing technology well, you are not governing well.
As I spoke with other directors in the room, my impression was that many directors in the room already sensed this, but I suspected that many were not quite sure what to do about it. There was no shortage of awareness. The gap was in confidence and practical tools.
The board’s role is changing — but let’s be precise about how
There’s a line I keep coming back to: the board’s job is not to manage technology. That’s management’s role. The board’s job is to test whether technology is being governed in a way that supports strategy, protects value and enables the organisation to adapt.
That distinction matters because I see boards fall into two failure modes. The first is abdication — “that’s a technical question, we’ll leave it to management.” The second is micro-management — directors with technology backgrounds who want to get into the architecture. Neither of these two approaches is good governance.
Good governance means asking better questions. Not “tell us about the project status” but “how does this investment connect to our strategy, and how will we know it’s working?” Not “what are our cyber controls?” but “are we genuinely prepared to respond when something goes wrong?”
Historically, technology appeared at the board as a project update, a capital request or a risk report. As a former CIO, I was quite used to being wheeled into the room to provide my fifteen-minute update, which was squeezed into an already overcrowded Audit and Risk Committee agenda. That approach may have been appropriate in the days when technology was a support function and treated as an expense item on the income statement. It isn’t adequate now. Technology is the business model for many organisations. Boards need to govern it accordingly.
AI has made the governance gap impossible to ignore
This AICD forum spent a lot of time on AI, and rightly so. However, I want to push back slightly on how this conversation sometimes goes. AI governance is not a separate discipline sitting alongside “normal” governance. It is governance, applied to a technology that moves faster and has more unpredictable second-order effects than most.
The honest picture in most organisations right now: staff are already using AI, often informally. Vendors are embedding it into products. Executives are under pressure to show productivity gains. And boards are being asked to govern all of this with frameworks and controls that were built for a slower world.
What I find missing in a lot of board-level AI conversation is a clear connection between the enthusiasm and any actual accountability. Innovation theatre is great, but who owns the AI strategy? Who is responsible when an automated decision causes harm? Who is measuring whether these tools are actually improving performance, or just adding noise?
AI does not remove the need for judgement. It increases the need for it. A board that rubber-stamps an “AI strategy” without asking those ownership and accountability questions isn’t governing — it’s spectating.
To improve the focus on accountability, there are four things every board-level AI conversation should cover:
Literacy. Does the board understand enough about AI to ask useful questions? Not deep technical literacy, but just enough to know what questions to ask and how to evaluate the answers they get back.
Use cases. Where is AI being used now, including informally? Where could it create genuine value? Where are the material risks? (These are often not the same places.)
Guardrails. What principles, data standards, procurement disciplines and assurance processes exist? Who approved them? Who monitors compliance?
Value. How will the organisation measure whether AI is actually improving performance — productivity, service quality, cost, risk, customer experience? If there’s no answer to this, the investment isn’t governed, it’s hoped for.
Technology governance is change governance — and that’s the harder problem
One of the key points made at the forum by Steve Vamos, former CEO of Xero, is that the hardest part of most technology programs isn’t the technology. It’s everything around it: adoption, capability, decision rights, operating model change, benefits realisation, cultural shift.
A system can go live and the organisation barely changes. I’ve seen it more times than I can count. The project is delivered on time, the vendor is paid, the implementation team moves on — and eighteen months later, half the staff are using workarounds and the expected productivity benefits haven’t materialised.
The root cause is almost always the same: the investment was approved as transformation but governed as a project. Boards focused on budget, timeline and risk. Nobody was accountable for whether behaviour actually changed.
Boards need to be more demanding here. “On time and on budget” is not a success measure for a transformation investment. The real questions are: Have we changed how work is done? Are customers experiencing a better outcome? Are staff using the new capability effectively? Have legacy processes been removed, or have we just added technology on top of a broken process? Are benefits being measured and owned by the business, not the IT team?
This matters for productivity conversations too. Technology is constantly justified through productivity gains, but those gains are frequently assumed rather than proven. If an organisation can’t tell you clearly where the productivity improvement will come from — reduced manual work, faster cycle times, lower rework, better workforce allocation — it shouldn’t be confident it will arrive.
Cyber resilience: the board conversation has to mature
Cyber got substantial airtime at the forum, and there’s a shift in framing that I think boards need to internalise. The question is no longer “are we preventing cyber incidents?” The question is “are we prepared to respond, recover and continue operating when something goes wrong?”
That’s a meaningful shift. Prevention is still important. But any board that believes prevention alone is the answer hasn’t been paying attention. Every organisation of consequence is a target. Incidents will happen. What separates organisations is how quickly and competently they respond.
Boards should be asking: What are our most critical systems and data? What would genuinely disrupt services or operations? Have we rehearsed a serious incident — not just reviewed a plan, but actually run a simulation with the people who would be in the room? Who makes decisions in the first 24 hours? How would we communicate with customers, regulators and staff? What does recovery look like, and how long does it actually take?
A written plan is useful. A rehearsed plan is categorically better. Most organisations have the former and fewer than you’d hope have the latter.
Third-party risk deserves particular attention here. Many organisations are far more exposed through their cloud providers, SaaS vendors and supply-chain partners than through direct attack. Boards should understand those dependencies.
Structure matters less than discipline — but structure still matters
There was a useful discussion at the forum about governance architecture: should technology, cyber and AI sit in audit and risk, in a dedicated committee, or somewhere else? I don’t think there’s a universal right answer. The point was made, and it’s one I agree with, that many boards are adding technology as another line item to an already overstretched audit and risk committee, and that approach is starting to strain.
The risk is what I’d call governance spaghetti: multiple committees, unclear ownership, duplicated or inconsistent reporting, and no clear line of sight from investment to value or from risk to accountability. I’ve seen organisations with three committees all nominally responsible for technology governance and none of them with a complete picture.
Whatever structure you choose, the discipline requirements are the same: clear accountabilities, defined decision rights, reporting that is genuinely decision-useful rather than just comprehensive, access to external expertise where the board needs it, and enough time to engage with material issues properly.
Board composition is also worth naming directly. Skills matrices have evolved, but “digital awareness” as a criterion is too vague to be meaningful. The better question is whether the board as a whole can govern technology-enabled change — strategy, risk, investment, workforce, ethics, resilience. That’s a more demanding test, and it’s the right one.
Responsible technology is not a compliance exercise
There was a thread running through the forum that I want to give more weight to than a final-section mention: responsible technology. AI, automation and data platforms can affect privacy, fairness, transparency, safety and public trust in ways that are hard to reverse.
In public-purpose sectors — health, human services, education, government, not-for-profit — this is especially acute. Algorithmic decisions that affect access to services, housing, health or welfare aren’t just risk management problems. They’re ethical ones. And the board has a responsibility for both.
What concerns me is when “responsible AI” becomes a policy document that satisfies a governance checkbox but doesn’t actually connect to how investment decisions are made or how automated systems are designed and monitored. The questions should be live ones: Are our technology decisions consistent with our purpose? How are we testing for bias and unintended consequences? Who is accountable when an automated decision harms someone? How transparent are we with the people our systems affect?
Trust is hard to build and easy to lose. Responsible technology governance should sit at the intersection of ethics, risk, performance and stakeholder accountability — not in a document disconnected from the decisions being made every day.
Where to start: five questions worth asking now
I’m conscious this is a long article, so it might be helpful to leave readers with a clear next step. Here are five questions I’d encourage boards to put on the table in the next planning cycle. Not because they’re comprehensive, but because they’re questions that will prompt rich discussion and elicit some value to take forward.
How does technology enable or threaten our strategy? Not “what technology projects are underway” — how does technology connect to our competitive position, business model and strategic priorities?
Where is AI already being used, including informally? This question alone often reveals that the real picture is very different from the formal one. Unmanaged AI use is a material risk.
Are we measuring value and adoption, or just tracking delivery? If the board can’t answer whether technology investments are changing performance, the reporting isn’t fit for purpose.
Are we prepared to respond to a serious cyber incident, not just prevent one? This shifts the conversation from controls to resilience — and often surfaces uncomfortable gaps.
Does the board have the capability, structure and information it needs to govern technology well? Honest self-assessment here is underrated. Most governance failures have a precursor in which the board wasn’t getting the right information or asking the right questions.
The real issue is adaptation
Technology governance isn’t about chasing every new tool or trend. It isn’t about building the most sophisticated AI policy or having the most technically credentialed board.
It’s about helping organisations adapt with discipline. Governing the connection between technology and strategy, technology and risk, technology and people, technology and trust.
The forum reinforced for me that the capability gap isn’t primarily technical. Most directors are intelligent, experienced people who are capable of asking good questions. The gap is in having the right frameworks, the right information, and the confidence to push back when the answers don’t hold up.
The board doesn’t need to become technical. It needs to become more deliberate, more curious and more willing to treat technology as the governance issue it has already become.