The 7 questions your board needs to answer before approving the AI programme
Before any AI programme gets board sign-off, seven questions need to be answered. Most leadership teams skip all of them.
Most AI transformation programmes run into trouble for the same reason. The organisation approved a strategy without first answering some prior questions about who they are. Six months in, they find themselves looking at an AI system that technically works but creates obligations, risks, or decisions they’re not comfortable owning. By then, unwinding it is expensive.
Regulators won’t ask you these questions. The EU AI Act, the UK’s emerging AI oversight regime, and the various US federal guidance documents are built around what your AI systems do, not who you are as an organisation. What your AI systems should do, and where they shouldn’t operate at all, depends almost entirely on answers you need to have before anyone writes a line of code or signs a vendor contract.
The questions below aren’t a workshop exercise. They’re what a board or leadership team needs to have on the record before signing off on anything significant.
Why identity questions are governance questions
Amazon spent three years building an AI hiring tool, from 2014 onwards, designed to score job applicants and surface the best candidates automatically. By 2015, the company’s own engineers had discovered the system was penalising CVs that included the word “women’s” and downgrading graduates of all-women’s colleges. The tool had been trained on a decade of historical CVs submitted to Amazon, the majority from men, and had learned to treat male candidates as the default standard for a good hire. Amazon scrapped the project by early 2017.
Amazon had public commitments to diversity and workplace equality. Nobody had asked, before the tool was built and tested internally, whether training a hiring algorithm on historical data from a male-dominated industry was consistent with those commitments. The system was working exactly as designed. The design was the problem. A governance process that asked the right identity questions upfront would have caught this before three years of engineering time went into it.
Under the EU AI Act, AI systems used in recruitment and employment decisions are classified as high-risk (Annex III). That classification triggers obligations around human oversight, data governance, and transparency. Those obligations assume your organisation has already decided it wants to operate in this space and has thought through what that means. If your values or public commitments say something different from what the system is actually doing, technical compliance doesn’t fix it.
The same applies in financial services, healthcare, legal services, and media. The rules tell you what you must do if you deploy. Whether you should deploy is a question only you can answer, and most organisations leave it implicit until something goes wrong.
The questions
What decisions are we comfortable letting AI make without a human reviewing the outcome?
Many leadership teams skip this entirely. They approve an AI programme at a high level and leave the question of human oversight to the technical teams, who reasonably interpret silence as permission to automate as much as possible. That’s not negligence on their part. It’s a predictable response to an absent instruction.
You need a position on this before any deployment decision gets made. In financial services, automated decisions about credit, insurance pricing, or fraud flags have direct regulatory consequences under GDPR Article 22 (right not to be subject to solely automated decisions) and under the EU AI Act’s high-risk framework. In HR, the same automated decision-making rules apply to hiring and performance management tools. Your position on human-in-the-loop requirements shapes every downstream design choice, and if you don’t set it, someone else will.
“We will always have a human review any decision that affects a customer’s access to our core product or service” is a position. “We believe in responsible AI” is not.
What do we stand for publicly, and does our AI strategy match it?
Your ESG commitments, your D&I statements, your published customer values: do they constrain anything you’re planning to do with AI? If you’ve publicly committed to fair and explainable decisions, deploying a black-box model for customer triage is a problem regardless of whether it’s technically legal. The gap between stated values and actual system behaviour is exactly what investigative journalists and regulators look for first.
The EU AI Act’s transparency obligations under Article 50 now create a legal floor for certain disclosures. The reputational exposure starts well below that floor. A journalist doesn’t need to cite Article 50 to write a damaging story.
Who are our customers, and what power do we have over them?
This question makes some leadership teams uncomfortable, which is usually a sign it needs asking. Some organisations have genuine choice relationships with their customers. Others operate in contexts where the customer has limited or no alternatives, where decisions carry serious consequences, or where the population served is vulnerable in ways that matter legally and ethically.
The EU AI Act treats these contexts differently. Systems that manage or assess people in employment, education, essential services, or law enforcement are high-risk by default. The more useful question for your leadership team is sharper than the regulatory classification: if your customers can’t easily go elsewhere, and a wrong decision significantly affects their life or livelihood, your AI programme needs more oversight and caution. That’s true whether or not the regulator has caught up with your specific use case yet. Regulation tends to follow harm. You don’t want to be the case study.
Where does our liability actually sit?
AI systems create legal exposure that many leadership teams haven’t mapped properly. Under GDPR, you remain the data controller regardless of which third-party AI vendor you’re using. Under the EU AI Act, if you deploy a general-purpose AI model in a high-risk context, you take on obligations previously reserved for developers. Product liability law in both the EU and UK is moving toward treating AI outputs as products, which creates exposure most legal teams haven’t fully worked through yet.
If the answer to this question is “our vendor indemnifies us,” check that indemnity carefully before relying on it. Most vendor contracts don’t cover the scenarios where liability is actually likely to arise. I’ve seen organisations sign enterprise AI contracts where the indemnity clause, read carefully, covers almost nothing that matters.
What won’t we do, and have we written it down?
Prohibited practices under Article 5 of the EU AI Act include social scoring by public authorities and manipulation of vulnerable groups. These are absolute bans with no compliance pathway. The more useful question for most commercial organisations is the softer version: what AI applications are you capable of deploying but have decided you won’t?
A media company that decides it won’t use AI to generate synthetic content without disclosure has made a governance decision, not just a product decision. A financial services firm that decides it won’t use AI to price insurance products based on inferred behavioural data (even where that inference is technically legal) has made a governance decision. These decisions need to be written down, owned by someone senior, and revisited when strategy changes.
Without this list, the default answer to every “can we do this?” question is yes, because nobody has formally said no. That’s how organisations end up surprised by their own AI systems.
How will we know when an AI system is doing something we didn’t intend?
This belongs in the governance conversation before it gets delegated to the technology team. AI systems drift. Models trained on historical data start producing different outputs as the world changes. A hiring tool trained on five years of successful employee data starts screening out good candidates the moment the labour market shifts. A fraud detection model trained before a recession starts flagging legitimate behaviour that simply looks different from the pre-recession norm.
Your governance structure needs to specify who is responsible for monitoring each deployed AI system, what they’re watching, what threshold triggers a review, and who has the authority to pause or pull a system if something looks wrong. The EU AI Act requires this for high-risk systems. The standard is worth adopting broadly regardless, because an AI system running unchecked creates reputational and legal consequences that aren’t confined to systems the Act formally classifies as high-risk.
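What "who is watching, what they watch, what threshold triggers a review, and who can pause the system" looks like once it is written down as code, as an added example that is not from the article or from any regulator's or vendor's tooling. It monitors a scoring model (the hiring-screen case above) by comparing each live window of scores against the validation-time baseline using the population stability index, plus a check on how far the positive-outcome rate has moved. The owner, the thresholds and all sample score windows are constructed assumptions for illustration; the Act does not prescribe these numbers.

```python
# Added example (not from the article): a minimal drift monitor for a deployed
# scoring model, encoding the governance points as code: a named owner, a defined
# signal, a review threshold, and a pause threshold. Thresholds and all sample
# data below are constructed assumptions, not values from the EU AI Act or any
# real deployment.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class MonitorPolicy:
    owner: str           # person accountable for this system's monitoring
    review_psi: float    # PSI at or above this: owner must convene a review
    pause_psi: float     # PSI at or above this: owner must pause the system
    max_rate_gap: float  # tolerated absolute shift in the positive-outcome rate


def population_stability_index(baseline, current, bins=10, lo=0.0, hi=1.0):
    """PSI between two samples of model scores bucketed evenly on [lo, hi].

    PSI = sum over buckets of (p_current - p_baseline) * ln(p_current / p_baseline).
    Common rules of thumb treat < 0.1 as stable and > 0.25 as a major shift.
    """
    def proportions(scores):
        counts = [0] * bins
        for s in scores:
            idx = min(int((s - lo) / (hi - lo) * bins), bins - 1)
            counts[idx] += 1
        floor = 1e-4  # keep empty buckets out of log(0) / division by zero
        return [max(c / len(scores), floor) for c in counts]

    b, c = proportions(baseline), proportions(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def positive_rate(scores, decision_threshold):
    """Share of cases the model would decide in the applicant's favour."""
    return sum(1 for s in scores if s >= decision_threshold) / len(scores)


def assess(baseline, current, decision_threshold, policy):
    """Compare a live scoring window with the validation baseline and return
    the action the policy requires, together with who owns that action."""
    psi = population_stability_index(baseline, current)
    rate_gap = abs(positive_rate(current, decision_threshold)
                   - positive_rate(baseline, decision_threshold))
    if psi >= policy.pause_psi:
        action = "pause"
    elif psi >= policy.review_psi or rate_gap > policy.max_rate_gap:
        action = "review"
    else:
        action = "ok"
    return {"psi": round(psi, 4), "rate_gap": round(rate_gap, 4),
            "action": action, "owner": policy.owner}


def scores_from_counts(counts, bins=10):
    """Constructed sample data: counts[i] scores at the midpoint of bucket i."""
    return [(i + 0.5) / bins for i, n in enumerate(counts) for _ in range(n)]


# Constructed scenario: a hiring-screen model scoring 0..1, decision threshold 0.5.
DEMO_POLICY = MonitorPolicy(owner="Head of Talent (accountable executive)",
                            review_psi=0.10, pause_psi=0.25, max_rate_gap=0.05)
BASELINE = scores_from_counts([10] * 10)                # validation-time distribution
STABLE_WINDOW = scores_from_counts([10] * 10)           # this month looks the same
SOFT_SHIFT_WINDOW = scores_from_counts([12, 12, 11, 11, 10, 10, 9, 9, 8, 8])   # pass rate drifting down
MARKET_SHIFT_WINDOW = scores_from_counts([30, 20, 10, 10, 10, 5, 5, 5, 3, 2])  # labour market changed


def run_demo():
    """Assess the three constructed windows against the baseline."""
    return {name: assess(BASELINE, window, 0.5, DEMO_POLICY)
            for name, window in [("stable", STABLE_WINDOW),
                                 ("soft_shift", SOFT_SHIFT_WINDOW),
                                 ("market_shift", MARKET_SHIFT_WINDOW)]}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:13s} psi={result['psi']:.3f} rate_gap={result['rate_gap']:.2f} "
              f"-> {result['action']} (owner: {result['owner']})")
```

The point of the design is that the "soft shift" window never crosses the PSI threshold, yet still lands on the owner's desk as a review because the share of candidates passing the screen has moved by more than the board said it would tolerate; the "market shift" window crosses the pause threshold outright. Both routes end at a named person, which is the part governance has to supply and monitoring tools cannot.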
If this decision made the front page, would we be comfortable explaining it?
Old question, new context. The test works because it forces specificity. “Our AI hiring tool screens out candidates who haven’t followed a linear career path, because our training data reflects our existing workforce” is a defensible position if you’ve thought it through, disclosed it, and built human review into the process. It becomes very hard to explain if you haven’t done those things, and you’re explaining it to a journalist rather than a regulator.
Reporters covering AI failures in 2025 and 2026 are specifically looking for the gap between what organisations claim their AI does and what it actually does. Close that gap in the boardroom, not in a press statement.
Getting the answers on the record
These questions don’t need a separate governance workstream or a six-week consulting engagement. They can be addressed in a single board or leadership team session before an AI programme is approved. What matters is that the answers are documented, attributed to the people who gave them, and referenced when specific deployment decisions come up later.
The organisations that get into trouble aren’t usually the ones that made bad decisions. They’re the ones that made no decision at all, left the questions implicit, and then found themselves defending choices nobody formally owned.
If your leadership team can answer these questions with enough specificity to be held to account for the answers, your AI strategy probably reflects who your organisation actually is. If the answers are vague enough that nobody would be embarrassed by them, they’re not answers yet.
