top of page

The Six Questions Every Board Is Now Asking CISOs About AI

  • 1 day ago
  • 6 min read

By TBDCyber | CISO & Executive Advisory



Something has shifted in boardrooms over the past 18 months.


It used to be that a CISO could walk into a board meeting, present a security update, field a few questions about ransomware or regulatory compliance, and walk out. The questions were predictable. The conversation was manageable.


That's no longer the case. AI has upended the boardroom dynamic, not because boards have suddenly become cybersecurity experts, but because AI has become a business topic that boards feel they're supposed to have a view on. They're reading the same headlines. They're hearing the same concerns from investors, customers, and regulators. And they're looking at the CISO expecting answers.


The CISOs we work with are observing a consistent set of questions emerging across industries and organization sizes. Not the old questions dressed up in new language, but genuinely new territory that most security programs aren't yet equipped to answer confidently.


Here are the six questions you should be prepared for, and what a good answer looks like.


1. "How are we governing employee use of AI tools?"


This is almost always the first question, and it's the one most organizations are least prepared for. AI adoption within enterprises is outpacing security and procurement. Employees are using ChatGPT, Copilot, Gemini, Claude, and dozens of specialized AI tools, often without any formal approval process, and often with company data flowing through systems that haven't been assessed.


Boards want to know: Is there a policy? Is it being enforced? Does anyone know what tools are in use?


What a good answer looks like: You have a clear AI acceptable use policy. You have a process for evaluating and approving AI tools before adoption, or a mechanism for discovering shadow AI use. You know what categories of data employees are permitted to share with external AI systems and what's off-limits. You can describe how that policy is being communicated and enforced.


If you're not there yet, the honest answer is to describe where you are and what you're building toward, with a timeline. Boards can tolerate a gap. They can't tolerate not knowing one exists.


2. "What sensitive data is at risk from our AI tool usage?"


This question follows naturally from the first, and it's harder to answer. The data leakage risk from generative AI tools is real and largely invisible to traditional data loss prevention technologies. When an employee pastes customer data into a third-party AI tool to draft an email, that data has left the organization, and most data loss prevention (DLP) systems never detect it.


Boards are asking because they understand the regulatory and reputational consequences of data exposure. They want to know the nature of the risk, not just whether a policy exists.


What a good answer looks like: You've assessed what data types are most at risk from AI-era exposure pathways. You've extended your data classification and DLP controls to cover AI-specific exposure points where possible. You know which AI tools have been approved and what data handling commitments those vendors have made contractually. You can speak about the residual risk and what you're doing to reduce it.


3. "How are we protecting ourselves against AI-powered attacks?"


This is where the threat landscape conversation gets genuinely new. AI hasn't just created risks from the inside; it's changed what's coming from the outside. Phishing emails are now nearly indistinguishable from legitimate correspondence. Deepfake audio and video are being used to impersonate executives in social engineering attacks. Adversaries are using AI to discover vulnerabilities and develop exploits at a pace that human-driven attack development can't match.


Boards are asking because they've seen the headlines. The CFO who wired money after a deepfake video call, the credential theft enabled by AI-generated spear phishing, and the new AI model that finds vulnerabilities faster than ever. They want to know whether your defenses are keeping pace.


What a good answer looks like: You can describe how your threat detection and response capabilities are evolving to address AI-enhanced attacks. You've updated your security awareness training to prepare employees for deep-fake social engineering, not just traditional phishing. Your penetration testing program is beginning to use the same AI-assisted techniques attackers are deploying. You have a point of view on where your current controls fall short and what you're prioritizing to close those gaps.


4. "How are we governing the AI systems we're building or deploying?"


Most organizations are developing AI-powered products or deploying AI systems in business-critical processes. Boards want to understand whether the AI systems the company is relying on are secure and appropriately governed.


The concerns here are specific: What data did these models train on? Who has access to them? What happens if the model is manipulated or its outputs are corrupted? How are AI agents (systems that take autonomous actions on behalf of the business) being controlled and monitored?


What a good answer looks like: You have an AI governance framework that establishes security requirements for AI systems across their development and deployment lifecycle. AI systems are subject to the same threat modeling and security architecture review processes as other business systems. AI agents operate with least-privilege access and are visible to your monitoring capabilities. You've established a process for evaluating model integrity and managing AI-specific risks like data poisoning and prompt injection.


If AI development governance is new territory for your program, be honest about where you are. Boards that are asking this question usually also asked it of peer organizations, and they know this is emerging ground. What they're evaluating is whether you're approaching it with rigor.


5. "Are we using AI to improve our own security capabilities?"


Boards have absorbed the message that AI is a competitive capability. They're asking the same question of every function, and security is no exception. This question can feel awkward to answer, particularly if the honest answer is "not much yet." But it's a fair question, and it has a straightforward answer.


AI is genuinely improving security operations in meaningful ways: reducing alert fatigue by prioritizing the signals that matter, accelerating threat detection, automating compliance monitoring, and enabling faster vulnerability triage. These aren't aspirational use cases; they're in production at leading security programs today.


What a good answer looks like: You can identify where AI is already helping your program, even if it's embedded in tools you're already using, like your EDR or SIEM. You have a point of view on where AI could further strengthen your capabilities and what the roadmap looks like. You can articulate the governance guardrails you've put in place for the AI tools your security team uses.


This question is also an opportunity to tell a positive story. Security is often cast in a reactive frame in board conversations. Describing how you're actively using AI to get ahead of threats is one of the more effective ways to shift that narrative.


6. "What's our AI risk posture, and how does it compare to our peers?"


This is the most sophisticated version of the AI question, and it's increasingly common on boards with mature risk oversight practices. They want AI risk characterized in the same terms they use for other enterprise risks: quantified where possible, benchmarked against industry peers, and connected to the organization's stated risk appetite.


Most organizations don't yet have a formal AI risk posture assessment. But the absence of one is itself an answer, and not a comfortable one to give.


What a good answer looks like: You've conducted or are assessing your AI risk posture that covers both the AI tools your organization uses and the AI-powered threats you face. You've incorporated AI risk into your enterprise risk register. You can characterize your posture in relative terms (e.g., where you're strong, where you have gaps, and what you're prioritizing). And if you have access to industry benchmarking data, you can put your posture in context.


If you're building this capability, the board presentation is a good place to share the roadmap. The goal is to demonstrate that AI risk is being treated with the same rigor as other material risks.


Getting Ahead of the Conversation


The CISOs who handle these questions best share a few common traits. They've prepared for the questions before they're asked. They answer in business language, not security jargon. They're honest about gaps and confident about priorities. And they treat the board conversation as a strategic dialogue, not a compliance exercise to get through.


The boards asking these questions aren't trying to catch anyone out. They're trying to understand a rapidly evolving risk landscape, and they're looking to the CISO for credible guidance. Meeting them with a clear, honest, well-structured answer builds the kind of credibility that makes a CISO’s voice matter when it counts.


If your current board reporting doesn't yet address these questions, now is the time to build that capability, before the questions start coming from a place of concern rather than curiosity.


How TBDCyber Can Help


Our CISO and Executive Advisory practice helps security leaders develop board reporting frameworks that address exactly these questions, including AI governance posture assessments, AI risk quantification, and the metrics and narratives that connect security to business outcomes.


Our consultants are former CISOs and Big 4 practitioners who've sat on both sides of this conversation. We know what boards are asking because we've been in the room.


Get in touch to discuss how we can help you prepare for the AI questions your board is already asking or will be soon.

bottom of page