Problem
“AI topics for leaders” lists work because they name the right anxiety: everything seems important at once. Governance, regulation, ROI, agents, cybersecurity, talent, procurement, data, transparency, workforce, shadow AI, customer experience.
The problem is that a list governs nothing.
A board can read twenty or thirty topics and come out worse than it entered: more aware of risk, but without knowing what decision to make on Monday. AI doesn’t need another mental map. It needs an executive agenda that turns each topic into an owner, decision, metric, and cadence.
Thesis
In 2026, the board does not have to become a technical expert. It must master twenty‑five topics enough to do five things well: prioritize, fund, limit, demand evidence, and shut down what doesn’t work.
The question is not “what does the board know about AI?” The useful question is: “what decisions can it make without delegating judgment to vendors, consultants, or loose teams?”
Framework
The BRTHLS framework divides the 25 topics into five blocks. They are not subjects. They are decision zones.
| Block | Topic | Question the board must answer |
|---|---|---|
| Governance | 1. AI governance | Who decides, who is accountable, and who can stop it |
| Governance | 2. Regulation and compliance | What obligations apply by use, sector, and territory |
| Governance | 3. Risk classification | Which systems are prohibited, high risk, transparent, or low risk |
| Governance | 4. Decision rights | Which decisions AI can make and which require a human |
| Governance | 5. Auditable evidence | How we demonstrate the system worked correctly |
| Value | 6. AI ROI | Which benefits are measurable and which are theater |
| Value | 7. Operating model | Where AI lives in the operation, not in the org chart |
| Value | 8. Process redesign | Which workflow changes, disappears, or is automated |
| Value | 9. Workforce redesign | Which tasks gain value and which are absorbed |
| Value | 10. AI literacy | What each role must know to use AI without breaking control |
| Data | 11. Data readiness | Which data are clean, governed, and available |
| Data | 12. Context architecture | Which sources, permissions, and memory feed each system |
| Data | 13. Tool registry | Which tools exist, who uses them, and with what risk |
| Data | 14. AI procurement | Which clauses and evidence we require from vendors |
| Data | 15. Integration | How AI connects with CRM, ERP, support, BI, and operations |
| Risk | 16. Cybersecurity & AI | Which new vectors agents, models, and plugins open |
| Risk | 17. Prompt injection and leakage | Which data can be leaked or manipulated by external prompts |
| Risk | 18. Bias and testing | How we detect bias, regressions, and quality degradation |
| Risk | 19. Transparency and provenance | Which outputs must be labeled, explained, or traced |
| Risk | 20. Incident response | What we do when AI fails in production |
| Market | 21. Agentic workflows | Which processes start to reason, execute, and request tools |
| Market | 22. Human oversight | Which human supervision is real and which is decorative |
| Market | 23. Competitive intelligence | How we monitor rivals already operating with AI |
| Market | 24. Search for agents | How customers find us when an agent decides |
| Market | 25. Continuous improvement | How the system learns without accumulating invisible debt |
The list becomes useful when it stops being a list. Each row needs an owner, a threshold, and an associated decision.
If “AI ROI” does not change the budget, it is reporting. If “AI governance” cannot stop an initiative, it is internal policy. If “human oversight” does not define who can override a decision, it is decoration.
Why it matters now
Because AI is no longer entering through a single channel. It comes via SaaS, copilots, foundation models, automations, agents, creative teams, vendors, and employees who solve problems without waiting for permission.
The NIST AI Risk Management Framework insists on managing AI risks for individuals, organizations, and society, not just buying reliable technology. ISO/IEC 42001 turns that idea into a management system. The European AI Regulation forces a look at use, risk, transparency, and supervision. The OECD has been pushing transparency, robustness, and accountability principles for years. ENISA has long warned that AI opens specific cybersecurity challenges.
Translated for the board: it is not enough to ask “what tool do we use?” We must ask “what system are we building around that tool?”
Anti-example
The anti-example is to run a three‑hour executive session with these 25 topics, finish with a nice document, and change nothing.
It happens a lot. It’s called maturity because there is new vocabulary, but the operation stays the same:
- No inventory of systems.
- No owner per use case.
- No kill criteria.
- No traceability of outputs.
- No recurring evaluation.
- No vendor clauses.
- No incident plan.
- No budget tied to ROI.
That is not AI leadership. It is literacy without control.
Protocol (3 steps)
- Turn the 25 topics into an executive traffic light. Red means “risk without owner”. Amber means “owner without evidence”. Green means “control, metric, and cadence”.
- Pick five topics for the quarter. A board cannot govern 25 fronts at once. Choose the five that reduce the most exposure or unlock the most value.
- Close each topic with a decision. Budget, pause, escalation, vendor, process change, new control, or kill‑switch. If there is no decision, it was not a board topic.
| Horizon | Committee work | Expected outcome |
|---|---|---|
| 7 days | Traffic‑light of 25 topics | Exposure map and owners |
| 30 days | Top 5 priorities | Executive backlog with budget and dates |
| 60 days | Evidence and controls | Logs, metrics, vendors, and limits |
| 90 days | Value review | Continue, correct, escalate, or close |
The advantage is not in knowing more topics. It is in turning them into decisions before the competition does.
Related
- Executive Review Stack for AI: what a CEO should look at each week to govern without theater
- AI Operating Models in 2026: the 5 patterns that do scale
- AI Bill in Spain 2026: the fine is not the issue, the inventory is
- AI Governance Backlog: turning risk into actionable work
- Tool Registry: the risk map enterprise agents need
Sources consulted
- NIST: AI Risk Management Framework
- ISO: ISO/IEC 42001 AI management systems
- OECD.AI: AI Principles overview
- ENISA: Artificial Intelligence Cybersecurity Challenges
- Regulation (EU) 2024/1689 on Artificial Intelligence
Next step
Do the exercise without slides: print the 25 topics, mark red/amber/green, and force a decision for each red. If more than five critical reds appear, you don’t have a knowledge problem. You have an operating‑system problem.
We can turn that agenda into an executive AI diagnosis: inventory, priorities, owners, metrics, and a first 90‑day backlog.
Translated from the Spanish original with AI assistance and reviewed for accuracy.