At an insurance congress this week I heard that AI belongs in the business, not in IT. But as long as nobody at supervisory-board level can oversee it, that's only half the story.
TL;DR
- AI has to be handled in two places at once. Inside management and on the supervisory board, not one or the other.
- The debate about the right C-suite seat is legitimate. A CCO, a COO or a Chief AI Officer, but oversight of it goes unmentioned.
- The 2025 Code and the EU AI Act already require it. Digital expertise and AI literacy at oversight level, with personal liability when it fails.
- Almost no Dutch board has the expertise in-house. We are repeating the cyber scenario, only ten times faster this time.
This week I sat in the AFAS Theater in Leusden at the VIP congress, the annual stage for the Dutch insurance and mortgage world. The theme of this anniversary edition: re:Invent. In a session hosted by PwC, Martin Holm spoke, a director and digital change agent at C-level in insurance.
At one point he simply said it out loud. AI belongs in the business. Not in IT.
What he meant is that AI ownership does not belong with the CIO. A CCO, a COO or a new Chief AI Officer makes more sense. But if AI keeps switching seats inside the C-suite, who oversees it at supervisory-board level? I heard nobody ask that question.
The CIO's plate was already full ten years ago
Let's be honest about the role we keep pushing this towards, or away from. What is already on the plate of an average CIO in the insurance and financial sector?
Legacy systems and technical debt: core systems that keep the organisation breathing and that you also have to phase out in a controlled way without shutting up shop. Cloud strategy and FinOps: orchestrating migrations while reining in cloud costs that keep running out of control. Vendor management with the tech giants Microsoft, AWS and Google, plus a jungle of SaaS suppliers with complex SLAs and vendor lock-in as the silent killer. Business continuity and disaster recovery: making sure you are operational again within minimal time after an outage, failure or major incident.
Cybersecurity has grown exponentially over the past decade within its own frame. Where it used to be a shared responsibility of IT, it now demands its own setup with a CISO, a SOC and incident response. Data management the same: data governance, data quality, accessibility and integrity are no longer afterthoughts but a programme in their own right, with their own KPIs and governance.
And then the compliance stack specific to our sector. DORA for the operational digital resilience of financial institutions. The GDPR for personal data. The European Accessibility Act for the accessibility of digital services. Certifications such as ISO 27001, ISAE 3402 and SOC 2, year in year out, with the accompanying documentation marathon and external audits. Detecting shadow IT and regulating what departments buy outside IT. IT service management, incident management, on- and offboarding with equipment and access rights. Network architecture with zero-trust for hybrid working. Talent management in a market where cloud architects and security engineers are gold. And on top of that, endlessly developing ERP and CRM, because that is what the daily operation runs on.
And then that CIO is supposed to just add AI on the side. With agentic workflows, EU AI Act compliance, model governance, hallucination mitigation and the question of how you let business units experiment without blowing up your data security. And don't forget the provider and model choice with the token prices that come with it.
Everyone reading this knows: that won't work. Not because the CIO isn't capable, but because it doesn't fit. The CIO is also judged on stability, continuity and compliance. That is a fundamentally different mindset from AI innovation, where you want to iterate fast, let proofs of concept fail and break open old processes. On that point Holm is simply right. AI ownership does not belong there.
The Chief AI Officer: new and therefore awkward, but the logical place
If AI ownership does not belong with the CIO, then where? A CCO or COO could work, and in some organisations it works fine because AI sits close to the customer or the operation there. But in organisations where AI structurally touches strategy, product, customer contact and governance at the same time, a separate Chief AI Officer is the obvious choice. Dedicated attention, no conflict of interest between efficiency KPIs and innovation KPIs, and a profile tailored specifically to this technology transition.
Yes, I know: then the General Motors story inevitably comes up. In March 2025 GM appointed its first Chief AI Officer, Barak Turovsky, with experience at PayPal, Microsoft, Google and Cisco. Exactly the profile you want on paper. Eight months later he stepped down and the AI team was moved into Manufacturing Engineering. For sceptics that is proof the role doesn't work. For me it is the honest story of a role still finding its shape.
Every new C-role has been through that phase. The first CIOs twenty years ago had exactly this search: where in the organisation do I belong, what is my scope, who do I report to? The Chief Digital Officer a decade ago had a similar cycle. CIO Dive (opens in new window) quoted an expert who made the comparison directly: it takes years before a standardised AI leadership role settles. That is not a problem. That is normal.
What GM does show us is that a CAIO cannot work in isolation. Without a mandate, budget and clear KPIs, and without the other C-roles moving with it, it becomes a symbolic appointment. That is a leadership question, not a role question. So the role is not finished, but it is the most fitting place the moment AI responsibility needs dedicated attention.
And here is the hinge of this piece. Wherever AI is placed inside management, the supervisory board cannot sit back and wait. AI is not a choice between "at C-level" or "on the board". It is needed in both places at once. At C-level someone has to steer it, on the board someone has to oversee it. If either place stays empty, the organisation is only half equipped.
We have seen this before, and it did not go fast
Anyone who thinks this will sort itself out should look back at cyber. Cyber has largely found its place inside management. With the CISO under the CIO, or reporting independently to the CEO in larger organisations. That side has been built out over the past fifteen years. At supervisory-board level it is a different story.
The numbers are stubborn. Research by WSJ Pro from 2022 looked at 4,621 directors at S&P 500 companies and found 86 with cyber experience over the previous decade, less than two percent. Diligent and NightDragon reached 12 percent of the S&P 500 with a cyber expert on the board in their October 2023 report. Other counts land below fifteen percent. The order of magnitude is always the same: a small minority.
A qualitative study in Management Science (opens in new window) by Lowry, Vance and Vance from 2026 exposes the core and goes beyond the numbers. Without domain expertise, oversight becomes symbolic. Formally it checks out, in substance it is empty. Directors without cyber knowledge do the same things as experts, but their oversight lacks substance, and they often don't realise it falls short. In practice they lean heavily on the CISO who coaches them, so the party being supervised effectively sets the terms of its own oversight. The CISO speaks systems language, the directors speak legal and financial, and in the end everyone nods without anything really having been exchanged.
The lesson is clear. Cyber was sorted out inside management, but the supervisory board systematically lagged behind. Fifteen years of attention and we are still at a small minority. AI does not have that luxury. The EU AI Act is already here, the Corporate Governance Code 2025 too, and the sector is still busy experimenting with where AI belongs inside management. If the board does not move with it straight away, we repeat the cyber scenario in ten times less time. AI adoption is moving considerably faster than any other innovation before it.
Follow me on LinkedIn
What the 2025 Code and the AI Act already require
Here comes the point where many directors still think: interesting debate, but not urgent. Forget that.
The Dutch Corporate Governance Code (opens in new window) was updated in March 2025 by the Monitoring Committee. What it states more sharply: digitalisation and Responsible AI touch the core of strategy and operations, and both management and the supervisory board must have deep knowledge and experience of it in-house. A company may choose whether to appoint a dedicated digitalisation supervisory director, but that does not relieve the other directors of close involvement. In practical terms that includes an inventory and review process for AI applications, including bias mitigation. No longer optional.
In parallel: Article 4 of the EU AI Act (opens in new window). Applicable since February 2025, with national enforcement ramping up from August 2026. Every organisation using AI must ensure AI literacy at every level, from employee to director. At supervisory-board level that translates into one question: can you conduct oversight of AI risks on substance?
And then the liability angle. A working paper from Stanford Law School (opens in new window) from October 2025 mapped this out precisely. The AI Act quietly redefines directors' responsibility. GUBERNA (opens in new window), the Belgian directors' institute, puts it bluntly: non-compliance can lead to fines of up to 7 percent of global turnover or 35 million euros. And directors can be held personally liable if oversight of AI demonstrably falls short.
The translation for the Netherlands: supervisory directors will soon be on the hook not just morally but legally if oversight of AI policy fails. And then "I don't really get it, that's what we have a chief for" is no longer a defence.
For anyone who wants it laid out, the three frameworks that make this binding for the board:
| Framework | What it requires | When relevant |
|---|---|---|
| Dutch Corporate Governance Code 2025 | Securing digital expertise on the board, plus an inventory and review process for AI applications including bias mitigation | From financial year 2025, accountability via comply-or-explain |
| EU AI Act, Article 4 | AI literacy at every level of the organisation, including oversight | National enforcement from August 2026 |
| Director liability under the AI Act | Fines up to 7 percent of global turnover or 35 million euros, plus potential personal liability | From the moment enforcement starts in the Netherlands |
What an AI supervisory director is, and what it is not
Over the past while I have had a number of conversations about supervisory and advisory roles. What strikes me: when "AI" comes up in a role profile, the search committee too often thinks of the youngest person on the board who "gets that digital stuff", or a retired CIO with a course under their belt. Both miss the point.
An AI supervisory director is not a techie who reads through the Code. It is someone who can connect three worlds: strategy, legal frameworks and the operational reality of AI. Someone who does not ask the first question after the CEO update ("do we have AI?") but the second ("what assumptions sit inside the model you are buying from this supplier, and who is accountable for the output?"). Someone who understands that a RAG architecture, an AI agent and a classic prediction model have three completely different risk profiles, and therefore three different governance questions.
The comparison that works for me: just as the audit committee needs someone with real financial depth, and the risk committee someone with real insight into operational risk, the board will soon need someone with real AI depth. Not as a box to tick, but because the law demands it and because the sector is already heading that way.
And yes, those people are scarce. I sit in these conversations myself, on both sides of the table. Scarcity does not mean you can postpone it as an organisation. It means you have to start looking now, while others are not yet doing so.
Back to the room
As I walked out of the theatre after the session, I thought again about that line from Martin Holm. AI belongs in the business. He is right that the sector is still figuring out which seat inside the C-suite actually fits. Personally I land on the Chief AI Officer, or something similar in that vein, because that is where dedicated attention is possible without the conflicts of interest you quickly bring in with a CIO or CCO.
What he did not say, and the room did not ask, is the next step in the reasoning. AI has to be handled in two places at once. Inside management and on the supervisory board. As long as only the first side is worked out, the organisation is only half equipped. And the law asks for both.
Just as biometric emotion recognition was reined in by the EU AI Act while text-based sentiment analysis still has free rein, risk shifts to places where there is no deliberate attention yet. Now part of that risk shifts to the supervisory board, which often still has the same composition as five years ago.
The chair exists, on paper: in the Code, in the AI Act, in the liability. It is just that nobody has sat down on it yet.
If you are sitting at a supervisory-board meeting tomorrow, look around. Who can ask the second question about AI? And if you are not sure of the answer, that is your answer.
Sources
- Monitoring Committee Corporate Governance Code — The Dutch Corporate Governance Code 2025 (opens in new window)
- European Commission — Regulatory framework on AI (governance and enforcement) (opens in new window)
- Stanford Law School — Working Paper No. 122: The EU AI Act's Silent Impact on Corporate Roles (opens in new window)
- GUBERNA — What should Directors know about the AI Act? (opens in new window)
- Lowry, Vance & Vance — Inexpert Supervision: Field Evidence on Boards' Oversight of Cybersecurity, Management Science 2026 (opens in new window)
- CIO Dive — GM chief AI officer steps down (opens in new window)
