Why Indian boards need a practical AI evidence pack before AI scales

AI accountability is becoming a boardroom question. Directors need reviewable evidence on AI uses, owners, data exposure, vendors, oversight points and escalation triggers.

The boards that handle AI well will not be the ones with the longest AI policy. | Credits: Getty Images

Indian boards are increasingly told that AI has become a boardroom issue. The harder question is what directors are supposed to examine once pilots turn into products, vendor features, and employee habits. 

A board may hear that management is using generative AI for productivity, analytics, software development, customer service or fraud detection. It may hear that the risks are being reviewed. It may even receive a polished strategy slide. But if a director asks which AI systems are already in use, who owns them, what data they touch, which vendors sit behind them and what incident would bring the matter back to the board, the answers are often less mature. 

That gap is where AI governance becomes real. Directors are not expected to evaluate models or inspect prompt logs. Those duties belong to management. But boards that approve or oversee AI adoption need a record they can inspect. They need a practical AI evidence pack. 

An AI evidence pack is not another policy binder. It is a concise management record that tells the board what AI is being used for, who is accountable, what exposure exists and what evidence remains if the deployment goes wrong. It should be readable enough for directors and specific enough for technology, risk, legal, compliance and business teams to act on. 

The first item is an inventory of material AI uses. It should cover systems that affect customers, employees, regulated processes, software development, security operations, financial decisions, legal work, human resources, sensitive data or commitments to third parties. For each use, the board should be able to see the business purpose, operating unit, stage of deployment and whether the system is internal, used with customers or supplied by a vendor. 

The second item is named ownership. AI oversight weakens when ownership is spread across enthusiasm instead of accountability. Each material use needs a business owner, a technology owner, a data owner, a risk or compliance owner and a clear escalation route. A board does not need every operational detail, but it should not accept vague answers such as "IT is handling it" or "the vendor manages it".

The third item is data exposure. Before AI scales, management should be able to say what categories of data enter the system, whether personal data is involved, whether sensitive business information is used, where the data is stored, whether it is retained, and whether vendor terms allow the data to be used for model training or service improvement. When AI deployments process personal data, the board question is not whether the privacy law is an AI law. It is whether management can explain what personal data enters the system, why it is being used, who processes it, how long it is retained, and what restrictions apply if a vendor or model provider is involved. 

The fourth item is vendor and model dependency. Most companies will adopt AI through software platforms, cloud services, analytics tools, security tools, human resources systems, marketing systems and productivity suites. That creates a visibility problem. A company may not fully understand which model, subcontractor, cloud location, logging regime or support process sits behind a feature used in a critical business process. The evidence pack should record the primary vendor, known model dependency, material subcontractors, audit rights, incident notice terms, restrictions on data use and exit options. 

The fifth item is human oversight. Boards should ask where human review sits in the workflow. Is a person reviewing the output before a customer is affected? Is the reviewer trained to challenge the AI result, or only to approve it? Can the system take action automatically? For agentic AI systems, the question is sharper. If a tool can call other tools, update records, trigger messages, change tickets or alter code, the board should know where automation stops and accountable human judgment begins. 

The sixth item is cyber and resilience evidence. AI can widen the attack surface through plugins, application programming interfaces, identity permissions, software supply chains, data flows and tools supplied by vendors. Sebi’s May 2026 advisory on advanced AI tools for vulnerability detection was directed at regulated entities, but it illustrates a wider point for boards: AI can compress the time available to find, exploit and respond to software weaknesses. CERT-In directions for covered entities also show why incident records and logs matter, including reporting listed cyber incidents within six hours and maintaining information and communications technology logs for 180 days in India. 

The seventh item is a decision and exception log. AI governance cannot depend only on approval at the start. Systems change. Vendors change model behaviour. Employees find new uses. A tool that starts as an internal helper may begin to affect customers. The evidence pack should record material approvals, rejected uses, exceptions granted, risk acceptance decisions and review dates. If the board later asks why a deployment was allowed, the answer should not depend on memory. 

The eighth item is board reporting cadence. Not every AI tool deserves board attention. The right model is tiered oversight. Uses with lower risk may remain with management. Material uses involving customers, personal data, automated decisions, cyber controls, financial reporting, legal processes, safety, employment or brand impact should have a path into a board committee or full board discussion. The board paper should answer three questions: what has changed, what has nearly failed and what decision is required from directors. 

Board minutes matter, but minutes are not a substitute for evidence. Minutes can record that the board discussed AI risk, asked questions and noted management responses. They cannot compensate for the absence of an inventory, owner list, vendor evidence, data map or escalation record. The evidence pack sits beneath the board paper. It gives management a way to prepare and directors a way to probe. 

This is why the evidence pack should be built before AI scales, not after a failure. Once a tool is embedded into customer service, software development, finance operations or sales workflows, it becomes harder to unwind. Vendor contracts may already be signed. Data may already have moved. Employees may already depend on the tool. At that stage, the board is no longer asking whether AI should scale. It is asking why control did not scale with it. 

For CEOs, the evidence pack is not bureaucracy. It is management discipline. It helps separate useful AI adoption from uncontrolled AI spread. It gives company secretaries, risk leaders, chief information security officers, legal teams and technology owners a common record. It also helps independent directors ask sharper questions without pretending to become AI engineers. 

The boards that handle AI well will not be the ones with the longest AI policy. They will be the ones that can see the operating evidence: what is being used, who owns it, what it touches, what could go wrong, when the board is informed and what record remains if the answer has to be defended later. 

AI will keep moving into Indian companies through vendors, employees, products and infrastructure. The board question is no longer whether AI is coming. It is whether AI adoption is leaving behind enough evidence for directors to govern it. 

(The author is Founder and CTO, Move78 International and EU AI Compass, and works across cybersecurity, cloud risk, technology risk and AI governance. Views are personal.)
