In 2025, documented AI incidents rose to 362 globally, up sharply from 233 in the previous year. The trend is no longer limited to experimental systems or isolated technical failures. AI-related incidents are now emerging in hiring, customer interactions, workforce monitoring, financial services, cybersecurity, and enterprise operations.
Yet one question remains unresolved in many organisations:
Who actually owns AI risk?
This is becoming one of the defining governance challenges of the AI era.
Boards are increasingly treating AI as part of enterprise transformation. That is appropriate. AI is already reshaping productivity, operational scale, workforce design, customer engagement, and competitive advantage. Organisations moving too slowly may struggle to remain competitive.
AI does not just introduce opportunity—it introduces a category of enterprise risk that behaves differently from traditional risks.
Traditional enterprise risks generally have relatively clear ownership structures. Cybersecurity risks typically sit with security leadership. Financial risks align to finance functions. Compliance risks map to legal or regulatory teams. Operational risks usually align with business or operational leadership. AI risk rarely fits neatly into those structures.
An AI-driven decision may involve multiple layers operating simultaneously: a third-party AI model, enterprise data, cloud infrastructure, embedded vendor tools, automated workflows, internal business rules, and human reviewers spread across different teams. When something goes wrong, accountability can quickly become fragmented. Technology teams may own the system, business units may use it, vendors may power it, compliance teams may review it, and executives may approve it; yet no single leader fully owns the outcome end-to-end.
This is the ownership problem. And the implications are broader than many boards currently appreciate.
AI systems evolve over time. Their outputs can change as conditions shift, data evolves, or systems encounter new scenarios. Unlike traditional systems that follow fixed instructions predictably, AI systems operate through patterns and probabilities. This means risks can emerge gradually, indirectly, and sometimes invisibly. Bias may surface through historical data patterns. Inaccurate outputs may appear credible. Automated decisions can quietly scale across thousands or millions of interactions before anyone recognises a problem.
This makes AI risk fundamentally different from many traditional enterprise risks. The challenge is not only technical accuracy. It is organisational control.
Recent examples illustrate this clearly.
The Air Canada chatbot case resulted in the company being held accountable for incorrect information generated by its AI-powered customer support system. The Australian Robodebt scandal demonstrated how automated decision-making at scale, combined with weak oversight and poor escalation mechanisms, can create institutional harm. Regulators globally are now increasing scrutiny around explainability, workforce monitoring, algorithmic accountability, and AI-enabled decision-making.
These incidents reveal an important shift: AI risk is becoming part of enterprise risk itself. This means boards can no longer govern AI through fragmented oversight structures or general innovation discussions. AI risk now intersects with operational resilience, legal exposure, workforce strategy, customer trust, regulatory accountability, and reputation simultaneously. That requires a different governance posture.
Boards should require clear executive accountability for AI systems and their outcomes. Accountability cannot remain implied or distributed informally across teams. Organisations need defined ownership for monitoring, escalation, intervention thresholds, third-party dependencies, and system override authority.
Boards should also require visibility into where AI is operating across the enterprise and what decisions it influences. Many organisations still lack comprehensive inventories of AI-enabled systems tied to material business processes or enterprise risks.
More importantly, boards should demand evidence that governance controls are functioning operationally, not simply existing in policy documents. That includes testing systems under unexpected conditions, validating escalation pathways, monitoring workforce impact, maintaining auditability, and ensuring the organisation can intervene quickly when systems behave unpredictably.
This is particularly important in emerging markets, where organisations may depend heavily on external AI vendors, imported technologies, and third-party infrastructure with limited local accountability mechanisms. In these environments, governance maturity becomes even more critical because operational dependency risks can scale faster than institutional oversight capability.
The organisations that govern AI effectively in the next decade will not necessarily be those deploying the most advanced systems. They will be the ones who establish the clearest accountability structures around them. Because AI risk cannot remain distributed, ambiguous, and operationally ownerless while operating at enterprise scale. And boards that fail to resolve that ambiguity early may eventually discover that the organisation has embedded risks no one fully understands, no one can fully challenge, and no one is ultimately prepared to own.
Amaka Ibeji, Founder of DPO Africa Network, is a Boardroom Qualified Technology Expert and Digital Trust Visionary. She advises boards, regulators, and organisations on privacy, AI governance, and data trust, while coaching and fostering leadership across industries. Connect: LinkedIn amakai | [email protected]
Join BusinessDay whatsapp Channel, to stay up to date
Open In Whatsapp
