u/RiskGovResilience23

▲ 2 r/grc

(How) are you communicating AI risk posture to your board?

Our board... unsurprisingly...started asking about AI risk last quarter and I'm struggling with how to present it. The cyber risk conversation took years to get right, and even that still sometimes falls flat. AI risk feels like starting from zero. The challenge is that most of what I can show them right now is qualitative. They nod or whatever but I can tell it's not landing. Nobody challenges. There's no conversation.

With cyber we eventually got traction when we started presenting risk in financial terms. The board understood exposure in dollars and could make real decisions about control investments. I'm wondering if the same approach works for AI risk. Translating governance gaps and shadow AI exposure into financial figures rather than compliance status updates.

For those of you who've been in front of a board on AI risk and have found any type of success.... What's worked?

reddit.com
u/RiskGovResilience23 — 7 hours ago

Are people using tools to collect and manage evidence for EU AI Act compliance? Or doing it manually.

We're starting to scope our compliance program for the high-risk system requirements (updated December 2027 deadline). The framework obligations are clear enough. Then there's the evidence.

How are peoples collecting evidence from across the org in a way that maps to specific Articles without it becoming a massive manual exercise? And THEN how do make sure that it's current for every audit?

We've looked at a few GRC platforms but most of them bolt AI governance onto an existing framework and the AI-specific capabilities feel thin. The ones built specifically for AI governance seem more promising but....meh

So....What's working? Is anyone actually generating audit-ready evidence automatically or is everyone still doing it manually?

reddit.com
u/RiskGovResilience23 — 7 hours ago