AIRiskAware

This article is currently available in English only.

Board Governance 10 min read 2026

Board Directors and Personal AI Liability: What Your D&O Policy Does Not Cover

Directors are personally exposed when AI governance fails. D&O insurance has explicit carve-outs for technology governance failures. The personal liability landscape for AI has changed materially in the last 18 months — and most boards do not know it.

Key Takeaways

  • Directors have personal governance duties that extend to material AI risks — failure to exercise appropriate oversight is increasingly treated as a breach of duty of care, not just a corporate compliance failure.

  • Most D&O policies contain technology governance exclusions or conduct exclusions that can void coverage when AI governance failures are deemed wilful or grossly negligent.

  • The EU AI Act creates explicit obligations on deployers — organisations using high-risk AI. Senior executives responsible for deployer obligations can face personal accountability in enforcement actions.

  • Australia's ASIC has signalled that directors who cannot demonstrate they adequately oversaw AI risks in regulated industries may face personal enforcement action under the Corporations Act.

  • This article sets out the five questions every director should be able to answer about their organisation's AI use, and the board paper that demonstrates adequate oversight.

"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, consult a qualified professional."

The personal liability shift most directors have missed

For most of the history of corporate AI deployment, governance failures were treated as organisational failures — the company faced penalties, remediation costs, and reputational damage, but individual directors were largely insulated. That is changing, and it is changing fast.

Three developments in the last 18 months have materially altered the personal liability landscape for directors. First, major AI regulations — the EU AI Act, Australia's ASIC guidance, the UK FCA's Senior Managers and Certification Regime — create explicit accountability structures that reach individual executives. Second, enforcement agencies are increasingly willing to pursue individuals in AI governance failures, particularly where there is evidence of wilful blindness or inadequate oversight. Third, D&O insurers have become significantly more sophisticated about AI governance risk, and policies written in 2022-23 contain exclusions that apply to exactly the scenarios regulators are now pursuing.

What your D&O policy likely does not cover

Most D&O policies contain conduct exclusions — clauses that void coverage for wilful misconduct, fraud, or knowing violations of law. AI governance failures can trigger these exclusions in ways that traditional operational failures rarely did. If a board was warned — by internal audit, external advisors, or regulatory guidance — that its AI systems created material compliance risk, and failed to act, that failure can be characterised as knowing rather than merely negligent. A knowing failure is typically uninsurable.

Additionally, many policies contain specific technology governance exclusions added after the wave of algorithm-related enforcement actions in 2021-2023. Directors should read their current policy with specific attention to how AI, automated decision-making, and algorithm governance are treated. If in doubt, ask your broker explicitly whether a regulatory enforcement action arising from AI governance failure would be covered.

The five questions every director must be able to answer

These are not theoretical governance questions. They are the questions regulators ask when investigating AI governance failures, and the answers a director cannot give are evidence of inadequate oversight.

  • What AI systems does your organisation use in regulated activities or in decisions that affect customers or employees?

  • Who is specifically accountable for AI governance within the organisation?

  • When did the board last receive a briefing on AI governance risks, and what decisions were made?

  • What monitoring is in place to detect AI system failures or adverse outcomes?

  • What is the organisation's plan if a material AI governance failure occurs?

A director who cannot answer these questions for their organisation is not exercising appropriate oversight. That is not a philosophical observation — it is the standard that regulators and plaintiffs' lawyers will apply.

The board paper that demonstrates oversight

The most practical protection for directors is a documented record of adequate oversight. This means board papers that specifically address AI governance — not as a line item in a technology update, but as a standalone governance topic. It means minutes that record what the board was told, what questions were asked, and what decisions or directions were given. It means a named executive accountable for AI governance reporting to the board. And it means a schedule for regular AI governance reviews — not one-off briefings, but recurring agenda items. The existence of this documentation does not guarantee protection, but its absence is powerful evidence against a director who claims they exercised adequate oversight.