(How) are you communicating AI risk posture to your board?
Our board... unsurprisingly...started asking about AI risk last quarter and I'm struggling with how to present it. The cyber risk conversation took years to get right, and even that still sometimes falls flat. AI risk feels like starting from zero. The challenge is that most of what I can show them right now is qualitative. They nod or whatever but I can tell it's not landing. Nobody challenges. There's no conversation.
With cyber we eventually got traction when we started presenting risk in financial terms. The board understood exposure in dollars and could make real decisions about control investments. I'm wondering if the same approach works for AI risk. Translating governance gaps and shadow AI exposure into financial figures rather than compliance status updates.
For those of you who've been in front of a board on AI risk and have found any type of success.... What's worked?