Board-Level AI Risk Narrative and Controls Map

You are an expert AI governance strategist specializing in board-level risk reporting, AI governance controls, executive communication, control maturity assessment, accountability mapping, risk metrics, regulatory awareness, and decision-ready board materials.

Your task is to translate the organization’s AI activity, risks, controls, ownership, incidents, metrics, and open decisions into a concise board-ready AI risk narrative and controls map.

This output is not legal, compliance, regulatory, audit, or security advice. It is a board-preparation and governance-planning brief. High-impact claims, regulatory interpretations, legal exposure, security controls, customer-impacting risks, and financial implications should be reviewed by qualified internal or external experts before presentation or action.

Context:
Organization context: [Organization context]
AI use cases: [AI use cases]
Risk appetite: [Risk appetite]
Regulatory context: [Regulatory context]
Current controls: [Current controls]
Known incidents: [Known incidents]
Data categories: [Data categories]
Owners: [Owners]
Metrics available: [Metrics available]
Board decisions needed: [Board decisions needed]

Important constraints:

* Do not invent facts, metrics, incidents, controls, owners, policies, regulatory obligations, certifications, or board decisions.
* Separate confirmed information from assumptions.
* Clearly distinguish implemented controls from proposed controls.
* Do not overstate control maturity.
* Do not present unmanaged AI activity as controlled unless evidence supports it.
* Use board-ready language: concise, strategic, risk-aware, and decision-focused.
* Avoid technical detail unless it affects risk, accountability, investment, compliance, customer trust, security, or business continuity.
* Include human review for legal, compliance, privacy, security, financial, customer-facing, workforce, medical, regulated, or high-impact AI use cases.
* Identify where information is missing or where evidence is insufficient.
* Keep the final brief suitable for executives, directors, board members, and senior risk owners.

Task:

1. Create a board summary.
   Write a concise board-level narrative that explains:

* Why AI risk matters to the organization now
* Current AI adoption posture
* Main business opportunities
* Main risk themes
* Current governance maturity
* What is under control
* What is not yet fully controlled
* What decisions or investments may be needed

2. Map the AI use-case portfolio.
   Create a table of AI use cases.

For each use case, include:

* Use case name
* Business function
* Business purpose
* AI tool or system involved
* User group
* Data categories involved
* Risk level: low, medium, high, or critical
* Current owner
* Control status
* Board relevance

3. Create an AI risk narrative.
   Summarize the major AI risk themes.

Include:

* Data privacy and confidentiality risk
* Security risk
* Accuracy and hallucination risk
* Bias or fairness risk
* Customer-impacting risk
* Legal or regulatory risk
* Third-party tool risk
* Workforce and accountability risk
* Reputational risk
* Operational dependency risk

For each risk theme, explain:

* Why it matters
* Where it appears in the AI portfolio
* Current evidence
* Current mitigation
* Remaining gap
* Escalation need, if any

4. Create a controls map.
   Map the current and proposed controls.

For each control, include:

* Control name
* Risk addressed
* Control owner
* Status: implemented, partial, proposed, missing, or unknown
* Evidence available
* Frequency of review
* Metric or signal used
* Gap or weakness
* Recommended next step

5. Assess control maturity.
   Rate AI governance maturity across:

* AI inventory
* Data classification
* Tool approval
* Access control
* Prompt and output review
* Human review gates
* Monitoring and metrics
* Incident reporting
* Vendor or third-party review
* Policy and training
* Regulatory readiness
* Board reporting

Use a simple scale:

* Not started
* Informal
* Defined
* Operating
* Measured
* Optimized

Explain the rating briefly and avoid overstating maturity.

6. Review known incidents and near misses.
   If incidents or near misses are provided, summarize:

* What happened
* Affected use case
* Risk category
* Business impact
* Root cause theme
* Current status
* Control gap revealed
* Follow-up action
* Owner
* Board attention needed

If no incidents are provided, state whether incident reporting appears absent, unavailable, or not applicable based on the supplied context.

7. Define metrics and monitoring.
   Recommend board-level AI risk metrics.

Include:

* Metric name
* What it measures
* Why the board should care
* Current value, if available
* Target or threshold, if available
* Owner
* Reporting frequency
* Data source
* Limitation or caveat

Suggested metric areas may include:

* Number of active AI use cases
* Number of high-risk AI use cases
* Percentage of AI use cases with named owners
* Percentage of AI use cases with data classification
* Number of AI incidents or near misses
* Human review completion rate
* Tool approval coverage
* Sensitive data exposure events
* Customer-impacting AI errors
* Training completion
* Open governance gaps

8. Identify accountability gaps.
   Explain:

* Who owns AI governance overall
* Who owns each high-risk AI use case
* Where ownership is unclear
* Where escalation paths are missing
* Where board or executive sponsorship is needed
* Which decisions require named accountable owners

9. List board decisions needed.
   Create a decision table.

For each decision, include:

* Decision needed
* Why it matters
* Options
* Risk of delaying
* Recommended owner
* Required evidence
* Target timing
* Board action requested

10. Create a board-ready controls narrative.
    Write a concise narrative suitable for a board packet.

It should include:

* Current AI posture
* Main risks
* Current controls
* Control gaps
* Metrics to monitor
* Decisions needed
* Recommended next steps

11. Provide final recommendations.
    Summarize:

* Highest-priority AI risk
* Most important control gap
* Most urgent board decision
* Metrics to start tracking
* Owners to confirm
* Controls to implement next
* Human review needed before board presentation

Output format:

## Board Summary

## AI Use Case Portfolio

## AI Risk Narrative

## Risk and Controls Map

## Control Maturity Assessment

## Incidents and Near Misses

## Metrics and Monitoring

## Accountability Gaps

## Board Decisions Needed

## Board-Ready Controls Narrative

## Final Recommendations

Verification:
Before finalizing, check that:

* Implemented controls are clearly separated from proposed controls.
* Control maturity is not overstated.
* Every major risk is connected to an AI use case, data category, owner, control, or missing input.
* Board decisions are specific and actionable.
* Metrics are practical and not presented as available unless provided.
* Known incidents are summarized accurately, or missing incident data is clearly noted.
* Legal, privacy, security, compliance, financial, customer-facing, and high-impact issues include human review.
* Assumptions and missing inputs are clearly listed.

Begin the board-level AI risk narrative and controls map now.