Boards are being asked a question many cannot yet answer with confidence: how does this business use AI, who is accountable for it, and can we prove it is under control? In most companies the finance function is one of the earliest and heaviest adopters of AI, which means the CFO is frequently the person the board turns to first. This guide sets out what boards and audit committees need on AI oversight, and how a finance leader provides it in a way that is defensible rather than decorative.
It covers why AI oversight is now a board obligation rather than an IT matter; the three-lines-of-defence model applied to AI; what the board specifically needs from the CFO; how the audit committee’s role is expanding; what auditors now expect to see; the regulated-firm escalation; and what all of this asks of the finance leader who has to supply the assurance. The through-line is a single word the regulator keeps returning to: evidence.
Why AI oversight is a board matter, not an IT one
AI in finance is not merely operational. It touches the integrity of the numbers the board relies on, the fairness of outcomes for customers, the security of sensitive data, and — in regulated firms — the personal accountability of named senior managers. That combination makes it a governance question, and governance questions belong to the board. A board that cannot describe how AI is used and controlled in its finance function has a gap that an auditor, an investor or a regulator will eventually find.
The scale is not trivial. The FCA and Bank of England have found that around three-quarters of UK financial services firms already use AI, and adoption is accelerating with generative and agentic tools. Institutional investors increasingly look for evidence not just that a committee holds AI oversight responsibility on paper, but that the board as a whole is demonstrating coordinated, real engagement with it. AI oversight has become, in the words of one governance body, a present-tense obligation rather than a future one.
The three-lines-of-defence model, applied to AI
Boards already understand risk through the three-lines-of-defence model, and it maps cleanly onto AI. Using the familiar structure helps a board govern AI without inventing a parallel apparatus.
- First line — the business. The finance team using AI owns the day-to-day controls: the human review, the checks before an AI-assisted output is relied upon, adherence to the usage policy.
- Second line — risk and compliance. Independent oversight of how AI is used, whether the controls are adequate, and whether use stays within the firm’s risk appetite. In a regulated firm this is where model risk, bias risk and data-quality risk are monitored.
- Third line — internal audit. Independent assurance to the board and audit committee that the first two lines are working — that the AI governance framework is not just designed but operating.
A board’s job is to satisfy itself that all three lines exist and function for AI, not only for traditional risks. Where a finance function has adopted AI but no second- or third-line assurance has caught up, that is precisely the gap the board should press on.
What the board actually needs from the CFO
Boards do not need technical detail about models. They need assurance in a form they can interrogate and minute. The finance leader’s task is to supply it, concisely:
- An AI inventory. A single, current list of where AI is used in the finance function, what data each tool touches, who owns it, and whether it supports an important business service. This register is the foundation of everything else — a board cannot oversee what it cannot see.
- Named accountability. Who owns AI use in finance, and to whom they answer. In a regulated firm, how this maps to senior management functions.
- The control framework. Where human review is mandatory, how AI-assisted outputs are signed off, and what happens when something is wrong.
- The risk position. Data security, accuracy, bias where relevant, and third-party dependency — and where each sits against the firm’s risk appetite.
- Evidence it works. Not a policy document, but proof the policy operates — because that is what a regulator or auditor will ask for.
Turning oversight into a standing agenda item
Ad hoc reassurance is not oversight. A finance leader should give the board a recurring, structured view — a short standing item reporting what AI is used for, any incidents, and any new use cases before they go live. Good audit committees are moving away from static annual plans toward continuous, agile oversight with more frequent calibration, precisely because emerging risks like AI do not wait for the annual cycle. A standing AI item mirrors how boards already handle other material risk domains and is far more defensible than an occasional mention.
The audit committee’s expanding role
Where a business has an audit committee, AI oversight naturally sits partly with it, because AI-assisted work touches the reliability of financial reporting and the control environment — the committee’s core concern. The audit committee remit has widened in recent years to take in technology governance including AI, and generative and agentic AI are increasingly woven into the financial processes the committee oversees. The CFO should be ready to explain to the committee how AI use affects the numbers, what controls surround it, and how the external auditors view it.
One caution governance bodies raise: an audit committee should not assume that because AI appears on its agenda, the board as a whole is adequately governing it. Coordination matters — a shared AI risk framework, cross-committee communication, and periodic full-board reviews that consolidate the picture. The finance leader is often the person best placed to keep that picture coherent.
What auditors now expect to see
External and internal auditors have moved quickly on AI, and their expectations are a useful proxy for what good oversight looks like. Standard internal controls do not disappear because AI is involved. Auditors increasingly expect to see a documented AI inventory covering tools used in financial processes; validation evidence showing AI outputs were reconciled to source systems; change logs recording when models were updated; records of human review and override; and confirmation that AI did not bypass existing approval workflows.
For a finance leader, the practical message is to build this evidence trail from day one rather than reconstruct it under audit pressure. An AI-assisted process with no documentation, no validation record and no override log is difficult to defend even if it has never produced a wrong number. The board should expect the CFO to be able to produce this trail on request.
Ten questions a board should ask its CFO about AI
A board does not need technical fluency to govern AI well. It needs the right questions and the confidence to press until the answers are concrete. The following ten are a practical starting point for any board or audit committee, and a CFO who can answer them cleanly is giving real assurance rather than reassurance.
- Where is AI used in our finance function today, and do we have a single current inventory of it?
- Who is the named owner of AI use in finance, and how does that map to accountability in a regulated firm?
- What data are these tools allowed to touch, and how do we stop confidential data reaching unapproved tools?
- Where is human review mandatory before an AI-assisted output is relied upon?
- How would we know if an AI-assisted number that reached this board was wrong?
- What is our exposure if a key AI vendor failed or had to be replaced tomorrow?
- Can we evidence — not just assert — that our controls operate, if an auditor or regulator asks?
- Where does bias risk arise in anything we do, and how is it tested?
- What new AI use cases are planned, and do they come to us before they go live?
- Are our second and third lines of defence engaged with AI, or only the business?
The value of the list is less in any single question than in the pattern: each one asks for evidence rather than comfort. A finance leader who welcomes these questions, and has the inventory and records to answer them, is one a board can trust with the function’s AI adoption.
The regulated-firm escalation
In FCA-regulated businesses, board-level AI oversight is not optional and not generic. The regulator’s expectations flow through existing frameworks — SYSC governance and controls, Consumer Duty outcomes, operational resilience and the Senior Managers and Certification Regime — and the burden of proof sits with the firm to demonstrate its AI is working in customers’ interests. The Treasury Committee’s January 2026 report pressed for practical FCA guidance by the end of 2026 on the accountability and assurance expected under SM&CR for AI-related harm, and guidance on audit trails and human-in-the-loop protocols is anticipated. A regulated firm’s board should treat AI oversight as engaging the firm’s existing conduct and resilience obligations, and its finance leader needs to understand that map precisely. We cover the individual-accountability dimension in our guide on AI, accountability and SM&CR for finance leaders.
What this asks of the finance leader
Providing board-level AI oversight is now part of what a modern CFO or FD does. It calls for a leader who can hold the governance without disappearing into the technology — who can give a board genuine assurance rather than either false comfort or unhelpful detail, and who can produce evidence rather than reassurance. A finance leader who can build the inventory, run the standing agenda item, satisfy the audit committee and hand an auditor a clean evidence trail is demonstrating exactly the capability boards now look for. It is one of the things FD Capital assesses when placing senior finance leaders into businesses adopting AI.
Call 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss a CFO or Finance Director appointment where board-level governance capability is central to the brief.
FD Capital — CFO and Finance Director Recruitment
Fellow of the ICAEW | Placing CFOs and Finance Directors who can give boards genuine assurance on finance, risk and governance since 2018. We recruit permanent, interim and fractional finance leaders across the UK. 4,600+ network. 160+ placements. Shortlists in 3–7 working days.
Related reading and services
Individual accountability for AI under the senior managers regime.
The policy layer that underpins board oversight.
Fractional, interim and permanent CFO appointments.
Place a finance leader who can give the board assurance.
About the author. Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales. Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name. Before founding FD Capital in 2018 he worked across private, listed, owner-managed and PE-backed businesses, including CFO-level roles. That direct operating experience informs how FD Capital assesses senior finance candidates and briefs clients on what to look for in an appointment. Adrian personally leads every senior finance mandate FD Capital accepts and conducts candidate interviews himself for senior appointments.
Verify ICAEW membership → | FD Capital Recruitment Ltd, Companies House no. 13329383, operated by an ICAEW-registered practice.
This guide is general information for finance leaders and does not constitute legal, regulatory or professional advice. Firms should take their own advice on their specific circumstances. Regulatory positions described are current as at mid-2026 and are developing; readers should check the FCA’s latest publications.