26.05.2026

Morgan Stanley and BlackRock have baked AI governance openly into their valuation logic as of spring 2026. If a supervisory board cannot answer how the company is responsible for, controls, and corrects AI, it no longer risks a reputational issue but a measurable multiple discount. That changes what a CIO is expected to deliver in the boardroom come 2026.

Key Takeaways

  • AI governance is a valuation factor: Institutional investors now price governance maturity into the multiple. Without a robust line connecting strategy, model operations, and audit, companies lose negotiating room at the next refinancing or exit.
  • The boardroom wants three answers, not ten: Who green-lights productive AI, who bears liability for bad calls, and how deviations are spotted and enforced. Fail to deliver these three in 90 seconds and the mandate is handed off.
  • The CIO role is being reshaped: Strategy, risk, and operations are converging on the CIO. In many DAX and MDAX boardrooms, the board seat is quietly migrating to the CIO position. Those who don’t shape the change will still find it assigned to them.

What is AI governance in the boardroom?

AI governance is the oversight framework a company uses to release, monitor, and correct productive AI applications. It spans three lines: strategy (board), operations (business units), and technical delivery (CIO). In 2026 investors will treat the maturity of these lines as a distinct multiplier alongside ESG and data security.

The Boardroom Briefing That’s Now Arriving

What has changed in the first five months of 2026 is not the board’s interest in AI; that was already high in 2024. What has changed is the precision of the questions. Anyone entering a listed boardroom now receives them without warm-up: Which models are making decisions in which processes, who owns accountability when things go wrong, and how are deviations detected before they become visible.

The drivers are not only regulators. They are investors. Morgan Stanley and BlackRock, in spring 2026, elevated AI governance to a standalone valuation dimension alongside ESG and data security in their equity-research coverage. In practice, that means companies whose AI oversight looks mature receive a multiple uplift; those lagging in the same sector face a relative valuation haircut, even absent any public incident.

Three questions every CIO must answer

What works in the boardroom in 2026 isn’t slide decks about AI roadmaps. It’s three clearly formulated answers that, in just a few sentences, reveal the maturity level.

The first question concerns the decision-making structure. Which productive AI application is approved at which level, which body can halt it, and who escalates to whom? If someone here says, “We have an AI steering committee,” without specifying the quarterly rhythm or concrete stop authority, they haven’t answered the question; they’ve glossed over it.

The second question is about liability. If a productive AI makes an incorrect decision, who is accountable internally? The board for the strategic decision, the business unit for operational use, IT for technical provisioning: this is the usual three-lines-of-defense logic. But it’s rarely documented clearly enough to hold up in the event of damage. By 2026, supervisory boards will ask explicitly for the document, not the idea.

The third question concerns correction. How is model drift detected, how quickly is production stopped, and how is misconduct reported to the supervisory board? This is where most companies today still respond with, “We have monitoring.” Supervisory boards listen more closely then, and realize that monitoring isn’t governance.

Where the governance story most often breaks

Three weaknesses recur time and again in consulting practice. All are correctable, but they require lead time.

First: the data mandate is missing. If you talk about models in the AI story without clearly assigning responsibility for training and input data, you’ve missed the lever. In the DACH region, models are rarely the problem. Data is.

Second: shadow AI remains invisible. A productive marketing pipeline using three external LLMs that no one on the steering committee knows about isn’t uncommon in 2026. When supervisory boards ask for an inventory and someone has to search for a long time, they’ve lost boardroom trust for six months.

Third: the audit trail is missing. If, in the event of damage, you can’t prove within an hour which model version made which decision at what time, you don’t have an audit trail; you have a log stream description. The difference becomes relevant in court, not in the quarterly meeting.

What CEOs and CIOs Must Deliver in the Boardroom by 2026

What used to be a clear division of labor between the CEO and the CIO is quietly shifting. The CEO owns the strategy and external relations, while the CIO now owns the productive AI architecture. What both must jointly own is translating that into language the supervisory board can grasp without advance notice.

In concrete terms, the AI narrative in the boardroom must fit on three levels. Strategic: where AI creates value and where it destroys it. Operational: how the selection, approval, and stop model works. Risk: which incidents occurred in the quarter and how quickly they were corrected. One slide per level is enough, no more. Anyone who tries to squeeze more in is handing the mandate straight back to the supervisory board.

What follows from this is an uncomfortable truth for many CIOs. If you show up in 2026 without a consolidated answer, you won’t take on the mandate; you’ll hand it to someone else. To a CRO, a CFO, or external consultants. To avoid that fate, you must actively draft the three levels before the next board meeting demands them.

Governance-ready (Multiple premium)

  • Consolidated AI inventory with responsible owners per use case
  • Documented approval process with escalation and stop paths
  • Quarterly reporting to the supervisory board across three levels
  • Audit trail for each model version and decision point

Governance-unready (Multiple penalty)

  • Shadow AI in marketing or sales without an inventory
  • Monitoring instead of governance, lacking a stop mandate at the first line
  • Verbal three-lines expectations without documented accountability
  • Missing data mandate: models run without clear input responsibility

Frequently Asked Questions

How does AI governance manifest concretely in investor assessments?

Through multiplier premiums in equity research reports, financing terms, and expectations in due diligence processes. The movement is quiet but consistent. Companies rated as governance-ready within the same peer group gain a 5 to 12 percent valuation advantage over the weakest comparables.

What role does the EU AI Act play in the boardroom?

The EU AI Act is a baseline, not a strategy. Treating it as a compliance exercise means answering the wrong question. Investors assess whether the company thinks beyond obligations; otherwise, it remains in a reactive state that becomes visible in competition.

Who bears responsibility in case of liability for AI misjudgments?

Typically, the board for strategic decisions, the business unit for operational use, and the CIO for technical provisioning. Crucially, this three-line logic must be documented in writing; verbal expectations carry no weight in the event of a claim.

How can shadow AI be identified in the company?

Through network traffic analysis targeting known LLM APIs, SaaS inventory audits, and surveys in business units with clear confidentiality and protection guarantees. Starting with punitive measures yields incomplete responses; the assessment must frame the exercise as an inventory, not an audit.
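One way to run the network-traffic step and report it as an inventory gap per business unit (an added example, not part of the original article). The proxy log format, unit names, approved inventory and owner address are constructed assumptions, and the hostname list is illustrative, not exhaustive.

```python
import re

# Public LLM API hostnames to match (illustrative, not exhaustive).
LLM_API_HOSTS = {
    "api.openai.com": "OpenAI",
    "api.anthropic.com": "Anthropic",
    "generativelanguage.googleapis.com": "Google Gemini",
}

# Approved inventory (constructed): (business unit, provider) -> accountable owner.
APPROVED = {("customer-service", "OpenAI"): "owner-cs@example.com"}

# Constructed proxy log, assumed format:
# <UTC ISO timestamp> <business unit> <source host> CONNECT <dest host>:<port>
SAMPLE_LOG = """\
2026-05-04T08:12:01Z marketing mkt-ws-17 CONNECT api.openai.com:443
2026-05-04T08:12:09Z customer-service cs-app-02 CONNECT api.openai.com:443
2026-05-04T08:13:40Z marketing mkt-ws-17 CONNECT api.anthropic.com:443
2026-05-04T08:15:22Z marketing mkt-ws-21 CONNECT generativelanguage.googleapis.com:443
2026-05-04T08:16:03Z marketing mkt-ws-21 CONNECT API.OpenAI.com:443
2026-05-04T08:17:45Z finance fin-ws-03 CONNECT api.openai.com.example.net:443
2026-05-04T08:18:10Z finance fin-ws-03 CONNECT intranet.example.com:443
truncated line without destination
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) CONNECT ([^:\s]+):(\d+)$")

def find_shadow_ai(log_text, approved=APPROVED):
    """Return LLM API usage per (unit, provider) that has no approved inventory entry."""
    findings = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # malformed or non-CONNECT line
        ts, unit, src, dest, _port = m.groups()
        # Exact hostname match, so look-alike domains are not counted as a provider.
        provider = LLM_API_HOSTS.get(dest.lower().rstrip("."))
        if provider is None or (unit, provider) in approved:
            continue
        entry = findings.setdefault(
            (unit, provider), {"requests": 0, "first_seen": ts, "sources": set()})
        entry["requests"] += 1
        # Same-format UTC timestamps sort correctly as strings.
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["sources"].add(src)
    return findings

if __name__ == "__main__":
    for (unit, provider), e in sorted(find_shadow_ai(SAMPLE_LOG).items()):
        print(unit, provider, e["requests"], e["first_seen"], sorted(e["sources"]))
```

Each key in the result is a use case that needs an owner and an inventory entry; the approved customer-service traffic and the look-alike domain do not appear.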

What level of maturity will be boardroom-ready by 2026?

Pragmatically: an inventory of productive AI with accountable owners, a documented approval process, a stop mandate at the first line, and quarterly reporting to the supervisory board. Those who meet this standard aren’t perfect, but they rank in the top third of DACH peers.

Source of cover image: Pexels / Google DeepMind (px:25626433)

A magazine by Evernine Media GmbH