TL;DR for the time-pressed
The most common reason an AI governance program loses board confidence is not the absence of work; it is the absence of a consistent, scannable, four-page quarterly artefact that lets the board see progress, risk, and decisions in the same shape every quarter. This template is the four-page board paper Areebi recommends to CISOs and AI Governance Leads, drawing on the tone of the NACD AI Director's Handbook 2024, the metric expectations implied by the ISS Sustainability Quality Score, the engagement positions in the Glass Lewis 2024-2025 proxy voting guidelines, and the UK Financial Reporting Council's 2024 board guidance on AI. Updated 2026-05-20.
Why four pages, and what goes on each
Boards are not the audience for a thirty-page operational deck. Directors read papers in the small windows between other obligations, and good papers are designed to be readable in fifteen minutes and re-referenceable in fifteen seconds. The four-page format is a discipline; the discipline produces the focus.
The four pages are: page one - executive summary plus quarter KPIs; page two - AI risk heatmap plus regulatory readiness scorecard; page three - vendor risk matrix plus incident summary; page four - decisions requested plus forward calendar. Boards that see the same four pages in the same shape every quarter develop an intuition for the shape of the program, and the deltas quarter-on-quarter become legible without re-reading the underlying narrative.
The NACD AI Director's Handbook 2024 is explicit that directors need a recurring, comparable view of AI risk and capability; the FRC 2024 guidance to UK boards uses similar language. The ISS and Glass Lewis frameworks signal that AI governance now factors into proxy voting and engagement recommendations on certain ballots, which means external investors are also tracking the same artefacts. This template is engineered for both audiences.
Areebi research POV. The boards that consistently approve AI governance budgets at renewal time are the boards that have received a clean, four-page quarterly artefact in the same shape for at least three quarters running. Pattern recognition compounds.
Page 1: Executive summary plus quarter KPIs
Page one is the only page some directors will read in detail before the board meeting. It must answer four questions on its own: what changed since last quarter, where does the program sit overall, what is the headline risk, and what is the board being asked to do.
Structure:
- One-paragraph executive summary (5-7 sentences). Plain English. No jargon. Names the most important development of the quarter (a regulator letter, a vendor outage, a new use case launching, an audit closure) and links it to the program's overall trajectory.
- Quarter KPI table (8-10 metrics). Reported in the same shape every quarter so directors can read the deltas. Recommended core set: AI workloads in inventory, percentage with completed risk assessment, policy-acknowledgement completion rate, training completion by role cohort, count of incidents by severity tier, mean time to remediate findings, AI vendor count with concentration index, percentage of high-risk data classes covered by DLP, percentage of board-approved use cases live in production, percentage of regulatory-readiness scorecard items at "green".
- Trend indicator per KPI. Up, down, or flat versus last quarter, plus a colour rating (green, amber, red).
The KPI set is the contract between the CISO and the board. Once defined, it should change only at the annual retrospective, not quarter-to-quarter. The 1-year AI governance retrospective is the natural moment to revisit the KPI list.
Page 2: AI risk heatmap plus regulatory readiness scorecard
Page two is the page that supports the most board questions, because it is the page where strategy meets specificity.
AI risk heatmap. A 5x5 grid (likelihood by impact) populated with the program's named risks. Each risk gets a single dot positioned by the AI Governance Committee's current assessment, with a movement arrow showing the change since last quarter. Recommended named risks for the heatmap: prompt injection on customer-facing surfaces; output toxicity or hallucination in regulated communications; data leakage to a public model via shadow AI; agentic system overreach (the agent governance primer covers the underlying risk surface); foundation model vendor concentration risk; regulatory drift outpacing controls; AI red team capability gap; insider misuse of generative tools. Each risk should have a named owner and a mitigation status.
Regulatory readiness scorecard. A table with one row per applicable regulation (EU AI Act, DORA, GDPR, UK regime, US state laws, sectoral regimes, ISO/IEC 42001) and one column per readiness dimension (policy mapped, controls implemented, training delivered, vendor clauses negotiated, evidence library populated). Each cell is green, amber, or red. The AI compliance landscape 2026 cross-jurisdiction view is a useful input; the Areebi compliance hub indexes the per-regulation pages.
Boards typically spend 60-70% of their time on AI governance papers on this page. The heatmap drives the strategic conversation; the scorecard drives the operational follow-up.
Page 3: Vendor risk matrix plus incident summary
Page three is where the program's external dependencies and operational track record become legible.
Vendor risk matrix. A table of the top 10-15 AI vendors by criticality, with columns for risk tier, contract status (Article 30 / DORA terms in place yes/no, ISO 42001 status, SOC 2 status), data classes processed, concentration exposure, and the last review date. The AI vendor risk score tool produces the per-vendor scorecard that feeds this matrix; the AI vendor risk primer covers the underlying methodology; the CFO AI vendor list is the cost-and-renewal counterpart for the CFO conversation.
Incident summary. A short table of every notable AI incident in the quarter with severity, root cause, detection mechanism, time-to-resolve, regulatory notification (if any), and remediation status. The categorisation should match the categories used in the AI incident response runbook. For quarters with no major incidents, the table still appears, with a single line confirming the absence and noting the near-miss count if any.
The board's most common question on page three: "is the program detecting incidents or just not having them?" The honest answer is documented in the runbook coverage and the discovery telemetry, not in the absence of entries on this page.
Page 4: Decisions requested plus forward calendar
Page four is the page that converts the previous three pages into board action.
Decisions requested. An itemised list of any decisions the board is being asked to approve at this meeting. Common categories: budget approval for a year-2 capability (new control plane, dedicated AI red team), risk appetite statement revisions, approval of a new high-risk use case launching in the coming quarter, sign-off on a third-party assurance scope (the ISO 42001 certification roadmap covers the assurance posture), authorisation of an exception to the AI Acceptable Use Policy. Each decision needs a one-paragraph background, an explicit recommended position, the named accountable executive, and a sunset or review date if applicable.
Forward calendar. A two-quarter look-ahead of the major AI governance milestones - regulator engagement dates, audit milestones, contract renewals, major use case launches, planned red team or tabletop exercises, training cycles, the next 1-year retrospective if applicable. The 30/60/90 CISO playbook is the natural cadence reference; the Areebi AI Governance Assessment is the recurring scorecard most programs build the look-ahead around.
Footer block. Owner names, paper version, related documents, glossary references (link to the AI governance primer if the board includes new directors).
Recommended quarterly KPI set, in detail
The KPI set is the section of the paper most likely to be debated at the AI Governance Committee in the first three quarters of the program, so it is worth defining each metric precisely once and treating that definition as the contract for the next year. Each KPI has a recommended definition, a target band, and a typical data source.
| KPI | Definition | Typical source |
|---|---|---|
| AI workloads in inventory | Count of AI workloads in the reconciled inventory (procurement-side and runtime-side combined) | Vendor inventory and runtime telemetry |
| Workloads with completed risk assessment (%) | Risk-assessed workloads divided by total inventoried workloads, expressed as a percentage | Vendor risk register, the Areebi vendor risk score tool |
| Policy acknowledgement completion (%) | Employees who have acknowledged the current AI Acceptable Use Policy version | HRIS or LMS integration with the policy engine |
| Training completion by cohort (%) | Trained users in each role cohort (developer, business, executive, board) divided by total in cohort | LMS reporting tied to role definitions |
| Incidents by severity tier | Count of incidents in the quarter by severity (critical, high, medium, low), with prior-quarter comparison | Incident response platform with AI-specific tagging |
| Mean time to remediate findings (days) | Average elapsed days from finding opened to finding closed for audit findings closed in the quarter | GRC or audit-tracking system |
| AI vendor concentration index | Percentage of high-criticality workloads concentrated on the single largest AI vendor | Vendor inventory plus criticality tagging |
| High-risk data classes covered by DLP (%) | Data classes flagged high-risk in the classification policy divided by data classes with active DLP rules | DLP coverage report from the policy engine |
| Board-approved use cases live (%) | Live AI use cases with a documented board approval (or delegated approval) divided by total live use cases | Use-case register tied to governance committee minutes |
| Regulatory readiness scorecard at green (%) | Scorecard cells marked green divided by total scorecard cells | Regulatory tracker indexed against the Areebi compliance landscape |
The KPI table on page one of the paper carries the current value, the prior-quarter value, the target band, and the trend indicator. Where the value falls outside the target band, the executive summary on the same page must address it - silence on a red KPI signals that the program is reporting metrics rather than acting on them.
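As an added example (not Areebi's code, and not part of the original template), the script below computes four of the KPIs defined in the table from constructed sample records, then attaches the prior-quarter value, the trend indicator and the green/amber/red rating that page one carries. The inventory reconciliation (union of procurement-side and runtime-side records by workload id), the concentration index, the severity-tier counts and the mean time to remediate follow the definitions above; the target bands, workload ids, vendor names and the "higher is better" direction per metric are assumptions made for the example, and a real program would substitute its own. It also flags the red KPIs that the executive summary must address.

```python
from collections import Counter
from datetime import date
from statistics import mean

# All data below is constructed for this example; none of it comes from a real program.
PROCUREMENT_SIDE = {"wl-01": "VendorA", "wl-02": "VendorA", "wl-03": "VendorB"}
RUNTIME_SIDE = {"wl-02": "VendorA", "wl-04": "VendorA", "wl-05": "VendorC"}
HIGH_CRITICALITY = {"wl-01", "wl-02", "wl-05"}      # workloads tagged high-criticality
RISK_ASSESSED = {"wl-01", "wl-02", "wl-05"}         # workloads with a completed risk assessment
INCIDENTS = ["high", "medium", "medium", "low"]     # severity tier of each incident this quarter
FINDINGS_CLOSED = [                                 # (opened, closed) for findings closed this quarter
    (date(2026, 1, 10), date(2026, 1, 30)),
    (date(2026, 2, 1), date(2026, 3, 2)),
]
SEVERITY_TIERS = ("critical", "high", "medium", "low")

# Hypothetical target bands: (amber threshold, green threshold, higher_is_better).
TARGETS = {
    "risk_assessed_pct": (70.0, 90.0, True),
    "concentration_pct": (60.0, 40.0, False),
    "mttr_days": (60.0, 30.0, False),
}

# Hypothetical prior-quarter values, used only to derive the trend indicator.
PRIOR_QUARTER = {
    "workloads_in_inventory": 4,
    "risk_assessed_pct": 55.0,
    "concentration_pct": 66.7,
    "mttr_days": 31.0,
}


def reconcile_inventory(procurement, runtime):
    """Union of both sides keyed by workload id; the runtime record wins on a vendor conflict."""
    merged = dict(procurement)
    merged.update(runtime)
    return merged


def pct(numerator, denominator):
    """Percentage rounded to one decimal; an empty denominator reports 0.0 rather than crashing."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def concentration_index(inventory, high_criticality):
    """Share of high-criticality workloads sitting on the single largest AI vendor."""
    by_vendor = Counter(inventory[w] for w in high_criticality if w in inventory)
    if not by_vendor:
        return 0.0
    largest = by_vendor.most_common(1)[0][1]
    return pct(largest, sum(by_vendor.values()))


def incidents_by_tier(incidents):
    """Counts per severity tier, always reporting every tier so the table keeps its shape."""
    counts = Counter(incidents)
    return {tier: counts.get(tier, 0) for tier in SEVERITY_TIERS}


def mean_time_to_remediate(findings):
    """Average days from opened to closed over findings closed in the quarter."""
    if not findings:
        return 0.0
    return round(mean((closed - opened).days for opened, closed in findings), 1)


def trend(current, prior, tolerance=0.05):
    """Up / down / flat versus last quarter; small float noise counts as flat."""
    if prior is None:
        return "n/a"
    delta = current - prior
    if abs(delta) < tolerance:
        return "flat"
    return "up" if delta > 0 else "down"


def rag(value, amber, green, higher_is_better):
    """Colour rating against the band; direction depends on whether higher is better."""
    if higher_is_better:
        return "green" if value >= green else "amber" if value >= amber else "red"
    return "green" if value <= green else "amber" if value <= amber else "red"


def compute_kpis(prior):
    """Build the page-one KPI rows: value, prior value, trend and colour per metric."""
    inventory = reconcile_inventory(PROCUREMENT_SIDE, RUNTIME_SIDE)
    values = {
        "workloads_in_inventory": len(inventory),
        "risk_assessed_pct": pct(len(RISK_ASSESSED & set(inventory)), len(inventory)),
        "concentration_pct": concentration_index(inventory, HIGH_CRITICALITY),
        "mttr_days": mean_time_to_remediate(FINDINGS_CLOSED),
    }
    rows = {}
    for name, value in values.items():
        band = TARGETS.get(name)
        rows[name] = {
            "value": value,
            "prior": prior.get(name),
            "trend": trend(value, prior.get(name)),
            "rag": rag(value, *band) if band else "n/a",
        }
    rows["incidents_by_tier"] = incidents_by_tier(INCIDENTS)
    return rows


def red_kpis(rows):
    """KPIs outside their target band: the executive summary must address each of these."""
    return sorted(name for name, row in rows.items() if row.get("rag") == "red")


if __name__ == "__main__":
    kpi_rows = compute_kpis(PRIOR_QUARTER)
    for name, row in kpi_rows.items():
        print(f"{name:24} {row}")
    print("executive summary must address:", red_kpis(kpi_rows))
```

The point of the `rag` direction flag is that a single threshold rule cannot serve both "percentage with completed risk assessment" (higher is better) and "mean time to remediate" (lower is better); encoding the direction with the band keeps the colour definition stable quarter-on-quarter, which is the contract the KPI table is meant to be.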
The tone investors and regulators now track
Board reporting is not just an internal artefact in 2026. Two shifts in the external landscape have raised the stakes on how the paper reads.
First, ISS and Glass Lewis have both updated their engagement frameworks to include AI governance as a factor in proxy recommendations on certain ballots. The ISS Sustainability Quality Score considers AI ethics and governance as part of its broader rating; Glass Lewis's 2024-2025 proxy voting guidelines name AI governance as an emerging engagement priority. Boards whose AI risk disclosures and governance evidence are clear, comparable, and credible fare better in those engagement conversations.
Second, the FRC's 2024 guidance to UK boards on AI was explicit that directors need to demonstrate independent challenge of management's AI program. The NACD AI Director's Handbook 2024 makes a similar point for U.S. boards. The implication for the quarterly paper is that the heatmap and the regulatory scorecard should be discussable, not just receivable; the board's questions and the executive responses should be reflected in the minutes; and the paper should make the residual risk profile honest enough that the board can credibly assert independent challenge has occurred.
The Areebi audit log and AI audit primer are the substrate for the evidence the paper draws on - the per-interaction record that turns "the program is operating" into a reproducible artefact, rather than an asserted claim.
Common failure modes
Failure mode 1: a different paper every quarter. If the structure shifts each time, directors cannot build pattern recognition, and the board's intuition for the trajectory of the program never matures. Stick to the four-page structure even when the quarter feels like it warrants more.
Failure mode 2: green-everything KPIs. A scorecard that never shows amber or red signals that the metrics are not stretching the program. The 1-year retrospective is the appropriate forum for recalibrating the KPI thresholds upward if the program has matured.
Failure mode 3: incident transparency that softens over time. Programs that start strong on incident transparency often quietly soften it after the first uncomfortable disclosure. This is the wrong direction. Boards reward honesty over time, and a softened incident page becomes evidence in a future regulator engagement that the program lost candour.
Failure mode 4: a paper that arrives the day before. A four-page paper circulated five business days in advance gives directors the time to read it and prepare questions. A paper that arrives the day before is read in the meeting, which means the discussion is shallow and the decisions are deferred. The Areebi guide to building an AI governance program covers the cadence that makes this routine.
How Areebi makes the board paper routine
The board paper is only as easy to produce as the underlying telemetry makes it. Three platform capabilities map directly to the four-page template.
Per-interaction audit log for the KPI table and incident summary. Page one KPIs and page three incident counts both draw from the same audit substrate. The Areebi audit log captures model identifier, policy version, user identity, data classes touched, and tool calls invoked per interaction, so KPI extraction is a query rather than a reconciliation exercise.
Policy engine and DLP for the regulatory scorecard. The policy engine versions the AI Acceptable Use Policy as machine-enforceable rules tagged to specific regulatory clauses; the DLP layer reports the same coverage in operational terms. The page-two scorecard becomes a query against tagged rule coverage.
Vendor inventory and risk score for the vendor matrix. The Areebi vendor inventory feeds the vendor risk score tool with concentration metrics, contract status, and last-review timestamps. The page-three vendor matrix becomes a saved report rather than a quarterly compilation. The DORA + AI guide is the regulatory grounding for why the contract-clause status row matters.
For boards that prefer to anchor the paper around an external maturity scoring rubric, the Areebi AI Governance Assessment produces the same four-page artefact shape and is repeatable each quarter as a structured input.
What to read next
From board paper to operating cadence, this cluster is the natural path.
- 1-year AI governance retrospective template - the annual rhythm that re-bases the quarterly KPI set.
- CISO AI governance playbook 30/60/90 - the cadence that underlies the forward calendar.
- How to build an AI governance program - the program shape this paper reports against.
- AI governance ROI business case - the economic framing for the decision-request page.
- State of AI governance, May 2026 - the peer-benchmarking view for the executive summary paragraph.
Frequently Asked Questions
Who owns the board paper?
The CISO or AI Governance Lead is the drafting owner. The executive sponsor (typically the CIO, CTO, or CEO) is the accountable owner and signs the paper off before circulation. Legal review is recommended for any quarter that includes a regulator-letter disclosure or an incident with potential regulatory notification. The Risk Committee or Audit Committee is often the receiving body within the board structure, depending on the company's committee charter.
How often should the KPI set change?
Once a year, at the 1-year retrospective. Changing KPIs quarter-on-quarter destroys the comparability that makes the format useful. The annual retrospective is the appropriate forum to retire metrics that no longer stretch the program and introduce new ones for emerging risks (typically agentic AI metrics in 2026).
Does the paper need legal review every quarter?
A standing legal review is recommended for the regulatory readiness scorecard page and the incident summary page. The other pages typically do not require formal legal review unless the executive summary names a specific regulator engagement or the decision-request page includes a recommendation with legal implications. Some programs include legal as a standing reviewer; others involve legal only when triggered.
What if the board is small and there is no dedicated Risk or Audit Committee?
In smaller boards or private-company contexts, the paper goes directly to the full board. The structure does not change. Smaller boards often appreciate the four-page discipline more, not less, because they have less specialist time available.
How does the paper interact with external assurance reports like SOC 2 or ISO 42001?
External assurance reports feed the regulatory readiness scorecard (page two) and provide independent evidence for the KPIs (page one). The paper should reference the assurance reports by name and date, and the assurance cycle should appear on the forward calendar (page four). The Areebi ISO/IEC 42001 12-month certification roadmap covers the certification-track cadence.
What does a 'green' rating actually mean on the regulatory readiness scorecard?
A defensible 'green' rating means: the regulation has been mapped to specific controls, those controls are implemented and operating, evidence is captured continuously rather than reconstructed, training has been delivered to the relevant cohorts, and the contract clauses with relevant vendors reflect the regulatory requirements. Each colour rating should have a documented definition that does not vary quarter-on-quarter.
Related Resources
- 1-Year AI Governance Retrospective Template
- CISO AI Governance Playbook 30/60/90
- Build an AI Governance Program
- AI Governance ROI Business Case
- AI Compliance Landscape 2026
- AI Incident Response Runbook
- DORA + AI for Financial Institutions
- ISO 42001 12-Month Certification Roadmap
- AI Vendor Risk Primer
- AI Audit Primer
- AI Governance Primer
- Agent Governance Primer
- AI Vendor Risk Score Tool
- Areebi Platform
- Audit Log Overview
- Policy Engine
- Compliance Hub
- AI Governance Assessment
About the Author
Areebi Research
The Areebi research team combines hands-on enterprise security work with deep AI governance research. Our analysis is informed by primary sources (NIST, ISO, OECD, federal registers, IAPP) and the operational realities of CISOs running AI programs in regulated industries today.