Ask a board member what they ask management about AI, and the answers cluster reliably: What is our AI strategy? Are we falling behind? What are competitors doing? How much are we investing?

These are strategy questions, and they made sense in 2023, when AI was a forward-looking agenda item. They make much less sense now, because in most enterprises AI is no longer prospective. It is already operating — in sanctioned systems, in departmental tools procured on credit cards, in the consumer applications employees use daily with company data. The relevant board questions are no longer about ambition. They are about control.

I call the gap the governance deficit: the distance between the AI an organization runs and the AI it can defend — to a regulator, an auditor, an acquirer, a court, or its own board. In most enterprises that distance is wide, growing, and almost entirely unmeasured, for a simple reason: nobody is asking the questions that would measure it.

Here are five that would.

1. "What AI systems do we run — all of them — and what data does each touch?"

This question sounds trivial. It is arguably the single most clarifying question available to a board, because almost no management team can answer it. The sanctioned portfolio is known; the real portfolio — departmental tools, embedded AI inside SaaS products, individual usage of consumer models — is, by every survey of shadow IT in the AI era, a multiple of it, and includes the highest-risk items precisely because nobody approved them.

An organization that cannot produce this inventory does not have an AI risk profile. It has an AI risk rumor. Every subsequent governance question is unanswerable until this one is not.

2. "For our most consequential automated decision, could we reconstruct what the system did and why?"

Somewhere in the enterprise, an AI system is already influencing decisions that matter — credit, pricing, hiring screens, claims, fraud flags, customer treatment. The board question is not whether those systems are accurate. It is whether they are auditable: if challenged, could management produce the inputs, the output, the model version in force, and the human oversight that did or did not occur?

Auditability cannot be retrofitted after a challenge arrives. It is either designed in — versioned changes, decision logging, override records — or it is permanently absent for every decision already made. A board that has not asked this question is implicitly accepting that the answer is no.

3. "What is our position on the decisions we will never fully automate?"

Every organization has decision classes where full automation is inappropriate — because failure is irreversible, because the law requires human judgment, or because the brand cannot survive the headline. Remarkably few organizations have written that list down.

The absence matters more than it appears. Without an explicit position, the boundary is being set implicitly, system by system, by whoever deploys fastest. A one-page statement of reserved decisions — reviewed annually, signed at executive level — is among the cheapest governance artifacts an enterprise can produce, and one of the most protective. It is also, not incidentally, the artifact regulators and courts will ask for first.

4. "If a production AI system failed badly on a Friday night, what happens — specifically?"

Incident readiness is where the governance deficit becomes most concrete. The questions decompose mechanically: Are failure modes documented? Is there detection, or would we learn from customers? Is there an escalation path with named humans? Is there a kill-switch, and has anyone confirmed it works? Has any of this been rehearsed?

Most enterprises have mature versions of these answers for their financial systems and their core infrastructure, because decades of incidents forced the discipline. AI systems are joining that category of operational criticality far faster than the discipline is following them. The board's job is to close that lag before an incident does it instead.

5. "What did our AI portfolio return last year — as a number?"

The governance deficit has a financial face. Boards approving expanding AI budgets are entitled to the question every other capital allocation must answer: what did it return? Not usage statistics, not adoption curves, not sentiment — a number, per material system, that a CFO would accept.

The honest answer in most enterprises is that the number does not exist, because measurement was never instrumented. That answer is acceptable exactly once. A board that hears it twice is funding a belief system, not a portfolio.

What these questions have in common

None of them concerns model architecture, vendor selection, or the technology roadmap. All of them concern operating discipline — ownership, visibility, auditability, reserved judgment, readiness, measurement. This is deliberate. The board's comparative advantage has never been technology evaluation; it is institutional accountability, and AI governance is, at root, an accountability system.

There is also a sequencing insight buried here. The conventional enterprise instinct is to treat governance as the constraint applied after AI proves its value — the brake fitted once the car is moving. The empirical pattern runs the other way: the enterprises extracting durable value from AI are the ones whose control environment lets systems ship, scale, and survive scrutiny. Governance is not what slows the portfolio down. In an enterprise, governance is the only thing that has ever sped it up.

The five questions above will not make a board popular with management on first asking. They will make the second asking — a year later, after the inventory exists, the logging runs, the reserved list is signed, the rehearsal has happened, and at least one number is real — one of the more valuable hours on the governance calendar.

That is the deficit closing. It only ever closes because someone asked.