
Of the six domains a board must oversee, artificial intelligence is the one where annual review has already failed. AI changes behaviour between meetings — and increasingly, it acts on its own. Governing it once a year is governing it never.
Over the first four articles, this series built its case in stages: that annual governance has become a liability, that a continuous operating model is the answer, that there are six domains where boards routinely lose sight of risk, and that continuous monitoring complements rather than replaces the audit. Now we go deeper, one domain at a time — starting with the one where the argument is most urgent and least disputable. Of the six, artificial intelligence is where the annual cadence has most plainly broken down. If you take nothing else from this series, take this: AI cannot be governed on a yearly schedule, because it does not change on a yearly schedule.
Let me give three reasons year-end is already too late.
Reason one — the tools you never approved
The first is adoption. Artificial intelligence no longer arrives through a procurement process or a board paper. A team can put a generative tool into a live workflow in an afternoon — drafting customer communications, screening applications, summarising contracts — with no risk assessment and no entry in any register. Multiply that across departments over twelve months and the picture at year-end is sobering: an organisation relying on AI systems no one catalogued, trained on data no one reviewed, embedded in decisions no one formally approved. You cannot govern what you have not seen, and an annual review is, by definition, twelve months late to see it.
Reason two — the model drifts
The second reason is subtler and, in my view, the most underestimated risk in the entire field. An AI model is not a fixed asset like a policy or a piece of equipment. Its behaviour changes after you deploy it — as the data flowing through it shifts, as the vendor updates it behind the scenes, as the conditions it was trained on drift away from the conditions it now operates in. The result is that the model you approved is not the model running today. It may be making subtly different decisions, with subtly different biases, on subtly different logic — and none of it announces itself. An annual checkpoint cannot catch a system that quietly becomes something else between checkpoints.
Reason three — the AI now acts
The third reason is the newest, and the one boards have barely begun to absorb. For most of its short history, business AI generated outputs — text, predictions, recommendations — that a human then acted upon. That is changing fast. Agentic AI does not merely advise; it acts. Given access and permissions, it can send communications, move data, execute transactions and take steps across your systems on its own. This is a genuinely new category of risk. An agent with standing permissions can do things — helpful or harmful — in the eleven months between audits that no annual review was ever designed to anticipate. The governance question shifts from “what did the AI recommend?” to “what is the AI allowed to do, and where are its limits?”
Why this is a board problem, not an IT problem
It is tempting to file all of this under technology and leave it with the IT function. That would be a mistake. When AI gets a decision wrong, the consequences are not technical abstractions — they are customers treated unfairly, regulations breached, commitments broken, reputations damaged. And accountability for those outcomes does not rest with a model or a vendor; it rests with the board and management, exactly as it would for any other decision the organisation makes. “The algorithm did it” has never been, and will never be, a defence. AI governance is therefore not a technical housekeeping task. It is core to the board’s duty of oversight.
What continuous AI governance actually watches
The good news is that continuous AI governance is concrete and practical, not abstract. At a minimum it keeps four things current. It maintains a live use-case register — a single, honest answer to “what AI are we using, where, doing what, and on whose data?” — which most organisations today simply cannot produce. It applies risk tiering, because not all AI is equal: a chatbot answering opening hours is not a model deciding who gets credit, and the two deserve very different scrutiny. It monitors drift and performance, asking whether each high-stakes system still behaves as it did when approved. And it governs agentic permissions — defining what each autonomous agent may do, what it may not, and where the boundaries and stop controls sit. Around these runs the discipline of incident readiness: knowing in advance what happens when an AI system gets something wrong.
The discipline already exists
None of this has to be invented from scratch. International standards now give AI governance a credible backbone — ISO/IEC 42001, the management-system standard for artificial intelligence, and the NIST AI Risk Management Framework, which sets out how to identify and manage AI risk in practice. These are not box-ticking exercises; they are sensible scaffolding that can be calibrated to an organisation’s size and to Caribbean realities. Responsible AI governance is now a recognised discipline with recognised reference points — there is no longer any excuse to treat it as uncharted territory.
The Caribbean opportunity
There is a particular opportunity for Caribbean organisations here. AI is enormously attractive in our market precisely because it helps smaller teams do more — closing capability gaps, easing cost pressure, extending scarce expertise. Adoption is moving quickly, and that is to be welcomed. But the organisations that will benefit most are the ones that build governance in from the start, rather than bolting it on after an incident forces the issue. Governing AI well is not a brake on adoption; it is what makes ambitious adoption safe. The chance, right now, is to do both at once — to embrace AI and to govern it continuously — before a preventable failure makes the lesson an expensive one.
What good looks like
This is exactly why artificial intelligence is one of the six domains Dawgen TRUST360™ monitors continuously: a live use-case register, ongoing drift and performance checks, agentic-permission oversight, and board-ready reporting on where AI risk actually sits — refreshed through the year rather than reconstructed once at its end.
A test for your next leadership meeting
So let me leave you with a single, uncomfortable test. Ask, at your next leadership meeting, for one document: a complete list of every AI system currently making or shaping decisions in your organisation, the data each one uses, and the name of the person accountable for each. If that list can be produced quickly and confidently, your AI governance is in good health. If it cannot — and for most organisations today, it cannot — then you have just found the most important governance project you are not yet running. AI will not wait for year-end. Your oversight of it cannot either.
About the author
Dr. Dawkins Brown is Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm operating across the Caribbean, and Founding Editor of Caribbean Boardroom Perspectives.
Continue the conversation: dawgen.global
Next in the series — Article 6: “Your Vendors Change Faster Than Your Controls.”

