MICKAI
Article · 1 July 2026

The Board and NED Oversight of AI: What Directors Must Be Able to Prove About Every Model Decision

Under operational-resilience duties, a board cannot govern what it cannot evidence, so the real question for directors and NEDs is whether every material AI decision leaves a record they can put in front of a regulator.

By Micky Irons, founder and CEO of Mickai

Boards do not run models. Boards prove that models were run properly. That distinction is now the whole of the governance problem, because the duties landing on directors and non-executive directors are not about whether an institution uses artificial intelligence. They are about whether the board can demonstrate, after the fact and under challenge, that it understood what the AI was doing, that controls were in place, and that a specific decision can be reconstructed exactly as it happened. Oversight without evidence is an assertion, and regulators increasingly expect more than assertions.

The duty has shifted from policy to proof

For most of the last decade, AI governance at board level meant approving a policy, noting a risk on the register, and receiving a quarterly slide. That posture is now insufficient. Under PRA and FCA operational-resilience expectations, SM&CR individual accountability, and the sharpening supervisory focus reflected in model-risk guidance such as SS1/23, the burden has moved. A director is expected to evidence that a material decision was made within tolerance, by an accountable owner, on a system whose behaviour can be inspected. When a customer is declined credit, an underwriting price is set, a transaction is blocked as suspicious, or a clinical triage recommendation is surfaced, the board-level question is not whether the model performs well on average. It is whether the institution can show precisely why this output occurred, and prove the record has not been altered since.

That is an evidentiary standard, not a modelling standard. And it is exactly where most AI deployments fall short, because they were built to produce answers, not to prove them.

Why cloud AI leaves boards exposed

Around 850,000 UK businesses, roughly fifteen percent, and close to five million across the EU are legally constrained from putting regulated workloads into public-cloud AI. The barriers are UK GDPR special-category handling, the CLOUD Act, sector rules from the NHS DSP Toolkit to ITAR and EAR, and the operational-resilience and third-party-dependency expectations under DORA and the PRA. For a board, the deeper issue is control and provability. When inference runs inside a hyperscaler that a director cannot inspect, the board is trusting a supplier's attestation in place of its own evidence. If a regulator asks the board to reconstruct a single decision, the honest answer is often that it depends on logs the institution does not fully own, cannot cryptographically verify, and cannot guarantee were left unmodified.

A non-executive director cannot discharge an oversight duty on the strength of a vendor's word. The record has to belong to the institution, and it has to be tamper-evident on its face.

What a tamper-evident record actually gives directors

Mickai is a sovereign AI operating system: artificial intelligence that a regulated business owns and runs inside its own walls, on-premise and air-gapped, with every action written to a tamper-evident, post-quantum-signed audit record we call the OAR. Built and live. This is the layer that turns an oversight duty into something a board can actually satisfy.

Concretely, every model action is signed at the moment it happens using ML-DSA-65, a post-quantum signature scheme, and bound to a hardware-anchored identity so the origin of each entry is provable rather than asserted. The record captures the inputs, the retrieved context, the responsible brain, the arbiter's decision path, and the outcome. Because signing is cryptographic and chained, any later alteration is detectable. When a NED asks whether a record is exactly what the system produced on the day, unedited, the OAR answers that question mathematically, not managerially.

That is the difference between a log and evidence. A log is a story the institution tells about itself. The OAR is a record the institution can stand behind in front of a regulator, an auditor, or a court, precisely because it was designed to be checked.
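
The chaining property described in this section, as an added example that is not Mickai's code or the OAR format: each entry's hash covers the previous entry's hash, so an edit breaks verification from that point on. Field names, the SHA-256 choice and the all-zero genesis value are assumptions for illustration, and the ML-DSA-65 signature over each entry hash is left out because it needs a library outside the Python standard library.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry


def entry_hash(body, prev_hash):
    """Hash the canonical JSON of an entry body together with its predecessor's hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain, body):
    """Append a record; a signing step over entry['hash'] would go here (omitted)."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"body": body, "prev_hash": prev, "hash": entry_hash(body, prev)})


def verify(chain, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first bad entry.

    expected_head is the latest hash as held outside the log, for example by
    an auditor; without it, removing entries from the tail goes unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(entry["body"], prev):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1


def build_sample():
    """Three constructed records using hypothetical field names."""
    chain = []
    append(chain, {"inputs": "credit application 1001", "retrieved_context": ["policy-A"],
                   "brain": "credit", "decision_path": ["rule-7"], "outcome": "decline"})
    append(chain, {"inputs": "transaction 88", "retrieved_context": ["watchlist-3"],
                   "brain": "aml", "decision_path": ["rule-2"], "outcome": "block"})
    append(chain, {"inputs": "quote 412", "retrieved_context": ["rate-table-9"],
                   "brain": "pricing", "decision_path": ["rule-5"], "outcome": "price set"})
    return chain
```

A hash chain alone does not stop someone who can rewrite the whole log from recomputing every hash, which is why the per-entry signature and a head hash held outside the system matter.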

Determinism the board can rely on

Directors are rightly wary of systems that behave differently each time. Mickai runs fifty specialist brains beneath a deterministic arbiter, so a given input under a given policy resolves through a governed, reconstructable path rather than a probabilistic guess that cannot be reproduced. Retrieval is air-gapped, meaning the model reasons only over the institution's own governed corpus, not the open internet, which removes a whole class of provenance and data-leakage risk that boards otherwise cannot bound. Where an action must be reversed, compensating rollback unwinds it along a recorded path, so the correction is itself evidenced. High-authority actions can require voice-biometric quorum, giving the board a hard, auditable control on who authorised what.

For a non-executive, this is the substance behind the word oversight. You are not being asked to trust that the system is well behaved. You are being handed the instruments to verify it.

Mapping the record to the duties

The value lands differently for each accountable owner, and the board sees all of it in one place. The Chief Risk Officer gets reconstructable decisions for model-risk and operational-resilience reporting. The Head of Internal Audit gets an evidence base that does not depend on the audited system's goodwill. The General Counsel and the DPO get provable data lineage for GDPR DPIA and EU AI Act high-risk obligations. The MLRO gets a defensible trail for sanctions, OFSI screening, and AML decisions. Under SM&CR, the senior manager who owns the AI function can point to a record that discharges the personal accountability the regime imposes. The board, sitting above all of them, gets a single, signed, tamper-evident source of truth rather than a stack of narratives.

This is delivered through purpose-built Studios, from Nemesis for fraud and AML and Plutus for finance to Nomos for compliance and Aletheia for audit, each writing to the same OAR so the governance picture is unified rather than fragmented across tools.

The strategic reading

Mickai holds 104 filed UK patent applications, around 2,340 claims, in the name of Mickai LTD, covering the architecture that makes this provability work. Filed rather than granted, they establish priority and a prior-art moat. As a dated third-party momentum signal, Micky Irons was ranked number four on Crunchbase in June 2026, with the company placed in the top one to two percent globally. The sovereign AI market is on a path from roughly forty billion dollars in 2025 toward one hundred and forty-eight billion by 2032. We are a UK company with Birmingham manufacturing secured: built, live, and building to scale. We position Mickai as an ally to the wider AI ecosystem, not a rival to it. Institutions still get frontier capability. They simply keep the evidence.

The institutions that adopt provable AI first will set the governance bar their peers are later measured against. If your board is asking whether it can prove what its models decided, that is the conversation to have now. Reach me directly at micky@mickai.co.uk.

Frequently asked questions

What must a board actually be able to prove about an AI decision?

That a material decision was made within risk tolerance by an accountable owner, and that the exact decision, including inputs, retrieved context, and the path to the outcome, can be reconstructed and shown to be unaltered. Mickai's OAR provides this as a post-quantum-signed, tamper-evident record.

How does this map to SM&CR and operational-resilience duties?

Under SM&CR the senior manager owning the AI function carries personal accountability, and under PRA and FCA operational-resilience expectations the institution must evidence decisions within tolerance. A signed, reconstructable record gives the accountable owner and the board the evidence those regimes require rather than a narrative.

Why can public-cloud AI leave a board exposed?

When inference runs inside infrastructure a director cannot inspect, the board relies on a supplier's attestation instead of its own evidence, and the logs may not be fully owned or cryptographically verifiable. Running on-premise and air-gapped keeps the record inside the institution's walls.

What makes the OAR tamper-evident?

Every action is signed at the moment it happens using ML-DSA-65, a post-quantum signature scheme, bound to a hardware-anchored identity and cryptographically chained, so any later alteration is detectable.

Is Mickai available now?

Yes. Mickai is a sovereign AI operating system that is built and live, running inside a regulated business's own environment, and it is building to scale. Direct enquiries can go to micky@mickai.co.uk.

Originally published at https://mickai.co.uk/articles/the-board-and-ned-oversight-of-ai-what-directors-must-be-able-to-prove. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.