Across two adjacent industries, two boards made opposite calls on AI adoption in 2024. Two years later, the governance implications of both choices are becoming clear — and neither board got it entirely right.
The pattern is more common than most governance professionals want to admit. Boards tend to be binary about novel risk: either they embrace it wholesale because the opportunity narrative is compelling, or they defer it indefinitely because the risk narrative is alarming. AI has exposed this pattern with unusual clarity, because the opportunity and risk narratives are both credible — and both incomplete without a governance framework to mediate between them.
The Board That Said Yes to Everything
A regional healthcare system in the mid-Atlantic entered 2024 with a board that was, by most measures, sophisticated. Experienced executives. Engaged audit committee. Strong financial performance. And a genuine conviction — shared by management and the board alike — that AI represented the most significant efficiency opportunity the organization had seen in a generation.
So when AI vendors came calling, the board cleared the path. Revenue cycle management AI — approved. Clinical documentation AI — approved. Predictive staffing AI — approved. Supply chain optimization AI — approved. Each approval came with a vendor ROI projection, a management endorsement, and a line item in the capital budget. Each approval also came without a governance framework: no standard for what AI deployment decisions required board versus CEO approval, no consistent monitoring requirement, no audit mechanism, no defined accountability when something went wrong.
The reckoning came in early 2026. A billing optimization AI system — one of the first approved — had been silently miscategorizing a subset of procedures for 14 months. By the time the error was caught through a routine external audit, approximately 3,000 patients had received incorrect billing statements, some of which had been sent to collections. The financial exposure was significant. But the governance exposure was worse.
When the board convened an emergency session, no member could answer basic questions: Who had responsibility for monitoring this system's outputs? What was the audit trail showing? Had any alerts been triggered? Who had authority to pause the system pending investigation? The answer to all four questions was, effectively, nobody had established that. The system had been deployed; governance of it had not.
The Board That Said No to Everything
Fifty miles away, a large healthcare nonprofit serving a similar patient population took the opposite stance. After reviewing headlines about AI errors in clinical settings, their board chair convened a special committee in mid-2024 to develop a comprehensive AI governance policy before authorizing any AI adoption. The committee was thorough. They engaged outside counsel, consulted with peer institutions, and reviewed emerging regulatory guidance.
They also took eighteen months to finish the work — and the policy still was not final when the for-profit system across town had already deployed, failed, and begun remediation.
The nonprofit's AI policy committee is still meeting. Their competitors have deployed, iterated, and built institutional knowledge. The nonprofit's clinical staff have begun using personal AI tools — unsanctioned, unmonitored, and ungoverned — because the official path to adoption remains closed. The board that wanted to protect its organization from AI risk created a different, less visible risk: shadow adoption with no governance at all.
Reflexive yes creates accountability diffusion. Reflexive no creates accountability vacuum. Neither posture serves the people the organization exists to serve — and neither constitutes a governance framework.
What Neither Board Did
Both boards failed the same governance test, from opposite directions. Neither had a framework for evaluating AI adoption decisions systematically. One approved everything that came to a vote; the other blocked everything until a policy arrived that never did. Neither had answered the foundational governance questions that would have made either path workable.
Those questions are not complicated, but they require deliberate board action to answer:
- What categories of AI adoption decisions require board approval versus CEO delegation? A payroll processing AI is different from a clinical decision support AI. A content generation tool is different from a hiring screening tool. Boards need a tiering framework — not a case-by-case scramble for every vendor pitch.
- What monitoring requirements apply to any AI system in deployment? Who receives the monitoring report? At what frequency? What thresholds trigger escalation to the board?
- What is the pause-and-remediation protocol? Who has authority to suspend a system? Under what conditions? What does the board need to know, and when?
What Good Governance Looks Like
The boards navigating this well are not the ones with the most sophisticated AI understanding. They are the ones that built a framework before the adoption decisions arrived — so that when a vendor pitch comes to the table, there is a process for evaluating it rather than a binary board mood.
That framework has three components. First, a delegation matrix: explicit thresholds for what the CEO can approve unilaterally, what requires audit committee review, and what requires a full board vote. Second, standard monitoring requirements attached to any approved AI deployment — not optional, not delegated entirely to management's discretion. Third, a clear escalation trigger: the specific conditions under which management must notify the board of a problem, not wait for the next scheduled report.
Neither the yes-to-everything board nor the no-to-everything board had built that framework. The result, in both cases, was governance theater — the appearance of oversight without the substance of it. The beneficiaries of both organizations paid the price.