AI + Crisis Communications
What should boards ask management about AI?
Quick Answer
Boards should ask five questions: Where is AI making decisions on our behalf? Who reviews those decisions? How would we know if a model misbehaved publicly? What is our disclosure posture? And who owns the reputational consequence?
Move from policy to posture
Most AI policies describe intent. Few describe behavior under stress.
Boards should request a walkthrough of how the policy would perform in three realistic incident scenarios, not the policy itself.
A policy that cannot be enacted in under an hour by a named individual is not a control. It is documentation.
Five governance questions
- Where is AI making decisions on our behalf, and at what financial or human consequence?
- Who reviews those decisions on a defined cadence, and what authority do they hold to halt a model?
- If a customer-facing model misbehaved publicly, how would we know — and how quickly?
- What is our disclosure posture: proactive, reactive, or undefined?
- Who, by name, owns the reputational consequence of AI behavior?
“Policy describes intent. Posture describes behavior under stress.”
The vendor question
Boards often treat third-party AI as third-party risk. The public does not. When a vendor's model produces a harmful output under the organization's name, the reputational consequence is fully internal.
Directors should ask the same five questions of every consequential AI vendor, and require contractual answers — not assurances — before approving deployment.
Key Takeaways
What to remember.
- 01 Read policy by reading scenarios, not paragraphs.
- 02 Decision rights and halt authority must be named individuals.
- 03 Detection speed is itself a governance metric.
- 04 Reputational ownership should be assigned, not shared.
Related Questions
Continue reading.
AI Risk
What is AI reputation risk?
AI reputation risk is the new category of reputational exposure created when synthetic content, automated decisions, and algorithmic systems interact with stakeholders. It differs from traditional risk in speed, surface area, and authorship — and most existing crisis frameworks were not designed for it.
AI Risk
How should organizations respond to deepfakes?
Effective deepfake response separates two questions: is the content authentic, and does it carry authority? Organizations should acknowledge the incident within minutes, deny without ambiguity if false, and invest in signal-trust infrastructure — verified channels, signed statements, and source-of-truth registries — long before an incident occurs.