Trusq

factual analysis · traceable to primary sources

Guide

The AI Act for directors: responsibility, liability and oversight

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

The AI Act makes the board ultimately responsible for responsible AI use. Fines reach 35 million euro or 7% of global turnover. This guide explains what the board must steer on, how to organise oversight, and where personal risk lies.

Short answer: The AI Act is not an IT file but a board responsibility. The board sets the risk appetite, organises oversight and is accountable when things go wrong. The heaviest fines reach 35 million euro or 7% of annual global turnover, a figure only the board level can bear. You may delegate compliance work; you cannot delegate ultimate responsibility.

Why this belongs on the board table

The AI Act places obligations on the organisation, not on a department. Whoever procures, builds or deploys AI must demonstrate that this is done responsibly: risk classification, documentation, human oversight and, in some cases, registration. A board that fails to ensure this carries an unmanaged risk on the balance sheet.

On top of that, AI touches strategy: efficiency, product innovation, reputation and legal risk converge. That makes it pre-eminently a matter for the executive board and the supervisory board.

Three kinds of responsibility

  • Regulatory. The organisation can be fined by the supervisor. The penalty regime is tiered: prohibited AI practices form the heaviest category.
  • Civil. Alongside the AI Act, the revised Product Liability Directive determines who compensates for harm when AI goes wrong; see AI liability.
  • Governance. Mismanagement can result in personal liability where the board structurally ignores a known risk.

What the board must ensure

A board need not understand the technology, but must be able to show it is in control. That requires a governance framework with clear roles, an up-to-date overview of deployed AI systems and their risk class, and an escalation line to the executive board.

Start with an inventory: which AI do we use, in which role (provider or deployer), and what risk class applies? See the high-risk obligations overview for what a high-risk classification means.

Organising oversight

Effective oversight is rhythm, not a one-off check. Have the executive board report periodically on the AI portfolio, incidents and open compliance points. Assign ownership explicitly, often to an AI officer or a steering group, and ensure the board has enough AI literacy to ask the right questions.

What to do

  • Assign ownership at board level and set the reporting line.
  • Build an AI inventory with role and risk class per system.
  • Implement a governance framework with policy, review and escalation.
  • Ensure AI literacy among directors and key staff.
  • Coordinate with the DPO, CISO and procurement; see the AI Act for DPOs and for procurement.
  • Review insurance and contracts for coverage of AI risks.

The AI Act does not require a director who knows everything, but a director who demonstrably steers. That distinction will decide whether a supervisor or court speaks of diligent or negligent governance.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): risk-based obligations, the penalty regime and human oversight requirements.
  2. https://eur-lex.europa.eu/eli/dir/2024/2853/oj
    Directive (EU) 2024/2853 (revised Product Liability Directive): the civil-law route for harm caused by AI.


About this knowledge base

Compiled and maintained by YRproject: programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.
