June 22, 2026
AI Governance: A Fiduciary Imperative, Not Just an IT Initiative

Boards that treat AI as an IT initiative rather than a governance challenge may discover the risks only after the damage is done. The rapid evolution of artificial intelligence presents a complex landscape for corporate governance, demanding a proactive and comprehensive approach. Companies failing to integrate AI governance into their core fiduciary responsibilities risk significant financial, reputational, and operational damage. Jon Nordmark, co-founder and CEO of Iterate.ai, emphasizes that this oversight is not merely about technological implementation but about fundamental risk management and strategic foresight.

The Accelerating Pace of AI and the Governance Lag

The core challenge, as highlighted by Nordmark, is the sheer velocity of AI development. "AI is moving faster than most governance frameworks, and our board has to stay ahead of that," he states. This disparity creates a critical gap where potential risks can emerge and escalate before established governance structures can adequately address them. The mandate for boards, therefore, centers on identifying and mitigating these often-overlooked risks.

One such overlooked area is the use of shared cloud infrastructure. Employees, accustomed to the perceived privacy of their personal digital tools, often assume that the AI platforms they use for work also operate with the same confidentiality. This assumption can lead to unintentional data exposure. A stark illustration of this was the incident where over 70,000 ChatGPT conversations were found indexed in Google search results. Nordmark clarifies that this was not a technical malfunction but a fundamental governance failure. The lack of clear policies and understanding regarding data handling within these AI tools led to sensitive information becoming publicly accessible.

Fiduciary Duty in the Age of AI

Iterate.ai approaches AI as both a strategic and a fiduciary topic. On the fiduciary side, the focus is on understanding the intricate journey of data – where it resides, how it moves, and which policies govern its utilization. This involves a rigorous examination of vendor incentives and the development of control models that prioritize resilience over mere convenience. The company expects its vendors to apply the same level of scrutiny. From the board’s perspective, the overarching goal is to ensure that the pursuit of speed in AI adoption never compromises customer trust or the company’s long-term strategic position. These two aspects, speed and trust, are more interconnected than many boards are willing to acknowledge.

Unforeseen Cost Exposures of Agentic AI

Beyond data security and privacy concerns, there exists a significant cost exposure that many boards have yet to fully account for. The advent of agentic AI systems, which operate with a higher degree of autonomy and persistence, fundamentally alters the cost dynamics of AI utilization. Unlike basic chatbots that consume tokens in relatively predictable quantities, autonomous agents engaged in tasks like compliance review or software testing repeatedly access context, call tools in loops, and execute lengthy workflows. This intensive operational pattern can lead to token consumption at scales vastly exceeding initial pilot projections. Boards that have not proactively questioned token pricing models are now facing unexpected budget overruns as these agents operate in production environments.

Mitigating AI’s Toughest Challenges: A Governance Framework

The persistence of AI agents in decision-making and information storage presents a new frontier of operational risk. These agents "act with persistence. They tend not to forget and they do not ask permission," Nordmark observes. This inherent characteristic creates a significant challenge if the environment in which they operate cannot be effectively controlled or audited.

At Iterate.ai, the co-founders serve as both the board and management, a dynamic that necessitates deliberate discipline. When acting in their governance capacity, their role is to establish standards that apply to all managers, including themselves. The board seat is not viewed as a detached oversight position but as a commitment to posing challenging questions, even to their own management instincts.

The immediate focus is on the layer below management: operations leads, product managers, engineers, and team leads who are actively involved in AI adoption decisions. These individuals are responsible for selecting vendors and determining the data fed into various AI systems. They are also often responsible for deploying new AI touchpoints without fully considering the destination of queries or the retention periods of the data. The governance standard applied by Iterate.ai is explicitly designed to hold these teams to a higher bar than simply defaulting to "whatever is fastest."

The Fiduciary Ramifications of Procurement Decisions

Procurement-level decisions, particularly concerning AI tools, carry fiduciary consequences that are often not fully appreciated by those making them. When an employee uploads a contract draft or customer data into a tool that processes this information across shared public infrastructure, they may not be considering data retention policies, vendor terms, or the potential for quietly compounding exposure over time. This is not a criticism of employees but an acknowledgment of a structural gap that robust governance is intended to close. By the time many boards review AI architecture diagrams and workflows, these systems are already built and actively creating exposure.

Iterate.ai maintains a clear distinction between convenience and control. The allure of convenience is strong: it is easy to start conversations with large language models that process data across public GPU farms, or to use shared inference services, without questioning their data retention practices. However, this convenience often comes at the expense of privacy. The majority of AI governance failures can be traced back to this specific trade-off. The responsibility of the board, according to Nordmark, is to ensure that the individuals making these day-to-day decisions are explicitly asked about this trade-off before the architecture is finalized, so that the technology itself does not make the choice.

Evolving Board Recruitment for the AI Era

Nordmark’s experience spans multiple startup board structures, from a lean two-person board to larger compositions including venture capital representatives, independent directors, and founders. The current structure at Iterate.ai is intentionally small, comprising only the two co-founders. This lean approach is complemented by a robust advisory board, carefully curated for diverse expertise.

The company intentionally avoids the bureaucratic overhead of larger boards and the need to educate members on fundamental AI concepts. Instead, governance is supported by two legal counsel and financial oversight from accounting firms. The rationale for staying lean is to prevent strategic interference and to ensure that board time is utilized efficiently, focusing on high-level strategic guidance rather than foundational AI education. Given that AI capabilities are reported to be doubling every three months, a pace significantly faster than Moore’s Law, boards must operate with agility.

A key innovation in Iterate.ai’s approach is the formalization of its advisory board. Rather than prioritizing financial representation, the focus is on recruiting operators with substantial business experience in domains crucial for the next decade. This includes individuals like Cathy Halligan, Elaine Boltz, Frank Kollmar, and Ted Shelton, each bringing distinct insights into retail and consumer markets, global operational scale, generative AI strategy, and ethical AI governance. These are considered essential capabilities for responsible oversight, extending beyond mere specialized knowledge.

The company actively recruits advisors with fluency in AI governance, cybersecurity, regulated environments, and digital transformation, recognizing these as the critical domains where risk is currently concentrated. Nordmark, with over 20 years of experience on corporate boards, observes that boards failing to adapt to the AI reality risk falling behind the very companies they are meant to govern.

The Looming Threat of Quantum Computing

The governance challenges extend beyond current AI capabilities. Nordmark points to the imminent threat of quantum computing, which is poised to introduce a new layer of exposure. Credible forecasts place the window in which quantum machines reach the threshold where they can break current encryption standards between 2028 and 2032. The architectural decisions being made today will determine a company’s vulnerability when this technological shift occurs. While most boards are not yet actively discussing this, the timeline is rapidly approaching.

Staying Ahead: Proactive Strategies for Emerging Technologies

Maintaining currency with emerging technologies is no longer a discretionary activity but a fundamental governance obligation. The relentless pace of technological advancement means that the board cannot afford to wait for technology to slow down. Curiosity must be an intrinsic component of board operations, not an optional add-on.

Surveys indicate a significant preparedness gap among directors. Reports suggest that only about 30% of directors feel adequately prepared for modern AI oversight, with nearly 40% having received no AI training. This deficit has tangible consequences, even if the full impact has not yet materialized. A board that does not understand the technologies it approves cannot ask the pertinent questions, and asking the right questions is the essence of effective governance.

Iterate.ai bridges this gap through direct engagement with operators, researchers, and policymakers. The company analyzes real-world incidents rather than hypothetical scenarios, evaluating infrastructure exposure, memory retention, and regulatory obligations holistically. Participation in cross-industry forums, such as the "IterateOn" initiative in Colorado, facilitates the cross-pollination of ideas. Insights from sectors like healthcare or aerospace can reveal patterns directly applicable to Iterate.ai’s operations, sharpening oversight and fostering a more forward-looking perspective.

On the policy front, Nordmark’s appointment to Colorado’s AI Task Force has provided firsthand experience in shaping SB 205, a landmark AI bill. Engaging in debates about AI bias and the balance between consumer protection and legislation that could stifle innovation offers a crucial context for understanding risk at the board level, a perspective that internal deliberations alone might not provide.

Building Resilience Through Architectural Design

True resilience, according to Nordmark, is impossible without a clear understanding of data location. This understanding is compromised if critical systems reside on uncontrolled shared infrastructure or if the AI stack retains un-auditable or un-erasable memory.

Iterate.ai’s board prioritizes architectures that grant the company control rather than fostering dependence. This includes a focus on private AI environments, on-premise and offline options, model portability, and runtime control that allows for the isolation or replacement of models as market conditions shift or vendor terms change. The company deliberately designs its systems to avoid single-vendor lock-in.

The issue of token pricing, often overlooked by boards, is presented as a critical aspect of this resilience challenge. The shift to agentic AI drastically alters consumption patterns. A single autonomous agent performing a long-running task can generate millions of tokens through recursive loops and tool calls. When deployed across an enterprise with dozens of such agents, the cost exposure becomes substantial and volatile, subject to the pricing decisions of third-party providers. In contrast, a private model running on controlled infrastructure eliminates token meters, offering fixed and predictable economics. This leverage is precisely what Iterate.ai’s board prioritizes, underscoring how private AI architectures that protect data also safeguard budgets.

The critical questions Iterate.ai pushes management to answer revolve around the company’s ability to withstand regulatory shifts, major vendor outages, or broad industry-level AI incidents. These are no longer theoretical considerations. Resilience in the current technological landscape is an architectural decision, built through privacy-first design, genuine transparency in data retention, and the operational capacity to execute workloads outside the cloud when necessary. The board’s role is to ensure these capabilities are integrated proactively. Boards that defer these critical inquiries until a headline event occurs will find that their existing architectures have already made irreversible choices for them.