AI & Cyber compliance: turn your board’s biggest blind spot into a competitive edge

Essentially, ignoring a formal AI governance strategy for AI and cybersecurity governance it’s a choice that locks your organisation into a path of escalating risk that is difficult and costly to reverse.

The evidence of this inaction is already clear. A recent Institute of Directors (IoD) in Ireland survey reveals a shocking reality:

• 41% of directors are unaware of their personal liability under new cybersecurity rules.
• A staggering 68% of their organisations lack a board-approved AI policy.

This isn’t just a knowledge gap; it’s a critical governance chasm. The convergence of advanced AI with the NIS2 Directive and the EU AI Act has created a new frontier of director-level responsibility, and stepping through the one-way door of inaction is no longer a viable option.

A Tale of Two Boards: The Laggard vs. The Leader

Imagine two companies launching a “high-risk” AI recruitment platform.

Company 1: The Laggard. The board sees compliance as a tick-box exercise delegated to IT and legal. They rush into the AI project, driven by the vague goal of “improving efficiency” and the misguided belief that “governance kills innovation.”

The result? The AI amplifies existing data biases, leading to discriminatory hiring. The project wastes tens of thousands, delivers zero value, and creates a clear violation of the EU AI Act. The company now faces reputational ruin, litigation, and crippling fines. The board failed.

Company 2: The Leader This board uses NIS2 and the EU AI Act as a strategic framework—a railroad straight to success. They mandate a cross-functional AI governance committee that embeds risk management, security, and ethics from Day 1.

The result? They identify and mitigate data bias, define clear KPIs, and solve real business problems. Their compliant, transparent AI platform delivers a 25% reduction in time-to-hire. They didn’t just avoid failure; they created a durable competitive advantage.

Which board are you on?

The Anatomy of a Blind Spot

Why do so many boards end up as laggards?

Filtered Reality: Boards rely on executives to escalate material issues. But complex problems like AI vulnerabilities and data bias are often sanitised or lost in high-level summaries, leaving the board unaware of smouldering risks until it’s too late.

The Expertise Chasm: AI and cyber are complex fields. According to a recent Forbes article, ‘two-thirds of board members and executives still have limited-to-no knowledge or experience with AI.’ This gap leads to ineffective oversight and an inability to challenge critical technology decisions with the necessary rigour.

Governance as an Afterthought: The flawed belief that governance stifles innovation leads to inaction. The opposite is true: a robust framework is the only thing that de-risks technology investments enough to guarantee a return.

The Liability Multiplier: “Shadow AI”

This governance gap has a powerful and immediate accelerant: Shadow AI.

Imagine an overworked HR manager, facing pressure to fill a critical engineering role, decides to use an unvetted, publicly available GenAI tool to accelerate candidate screening. They upload the CVs of all 50 applicants along with a highly sensitive internal document: the company’s proprietary “Engineering Competency and Performance Scoring Matrix.” They prompt the AI: “Analyse these CVs against our proprietary scoring matrix and shortlist the top five candidates for interview, and in that moment, they trigger a cascade of regulatory failures that land directly at the board’s feet.

This isn’t just one problem; it’s a multi-front compliance disaster:

1. The GDPR Breach (The Data Failure): This remains a clear-cut breach, but it’s now even more severe. The data is sensitive employment information from dozens of individuals. Critically, by using AI to rank candidates, the company is engaging in automated individual decision-making (under GDPR Article 22) without any legal basis, transparency, or safeguards for the data subjects.

2. The NIS2 Incident (The Security Failure): The company’s proprietary scoring matrix—a piece of valuable intellectual property that defines its competitive edge in hiring—has been exfiltrated to an uncontrolled, unvetted third-party system. This constitutes a significant cybersecurity incident under NIS2 due to the compromise of confidential business information.

3. The AI Act Violation (The Governance Failure): The AI Act explicitly classifies AI systems used for “recruitment or selection of persons, in screening or filtering applications, and evaluating candidates” as high-risk. By using the GenAI tool for this purpose, the company has, in effect, become a “deployer” of a high-risk AI system.

While this represents a worst-case scenario, the underlying risk is clear. What was once a simple IT policy issue can now trigger interlocking regulatory failures across data protection, cybersecurity, and AI governance. This convergence of GDPR, NIS2, and the EU AI Act means a single operational choice by one employee has the potential to create a legal and financial crisis. It establishes a clear pathway to personal liability, holding the boardroom accountable for a failure to manage this risk.

Too Hyped to Fail? Think Again.

Despite the massive investment and hype, the Project Management Institute estimates 70-85% of AI projects fail to deliver on their objectives.

Why? Not because the tech is bad, but because fundamentals are ignored: poor data readiness, no clear KPIs, weak sponsorship, and a failure to embed governance from the start. The allure of AI is causing us to forget the first principles of good business.

In this new era, hope is not a strategy. It’s time to let governance drive your strategic success, not leave it to chance.