Responsible AI Governance: The New ESG Pillar

Artificial intelligence has moved from the periphery of corporate strategy to its centre. According to McKinsey's 2024 Global AI Survey, 72% of organisations now use AI in at least one business function, up from 55% just one year earlier. Yet this accelerating adoption has outpaced the governance frameworks designed to manage it. The Stanford AI Index 2025 reports that documented AI safety incidents rose from 149 in 2023 to 233 in 2024, a 56.4% year-on-year increase, while public trust in AI companies declined from 50% to 47%. The gap between the speed of AI deployment and the maturity of AI governance is now one of the most significant unmanaged risks in the corporate landscape.

For sustainability professionals, this matters because AI governance is rapidly becoming an ESG issue. The environmental footprint of AI (energy consumption, water usage, electronic waste) is a material environmental concern. The ethical dimensions of AI (bias, transparency, accountability, privacy) are material social and governance concerns. Investors, regulators, and rating agencies increasingly expect companies to disclose how they govern AI, just as they expect disclosure on climate risk, workforce diversity, and board composition. Responsible AI is not only a technology issue. It is a board-level sustainability issue, and the companies that recognise this earliest will be best positioned as regulatory and market expectations crystallise.

Why AI Governance Is Now a Board-Level ESG Issue

The Environmental Dimension

AI's environmental footprint is substantial and growing. The IEA projects that data centre electricity consumption could reach 945 TWh by 2030, with AI accounting for 35 to 50% of this total. Research published in the journal Patterns estimated that AI systems could be responsible for 32.6 to 79.7 million tonnes of CO2 emissions in 2025. The OECD has highlighted that AI's water footprint is largely unreported, with a single large language model training run consuming over 700,000 litres of water for cooling alone. For companies reporting under the CSRD or IFRS S2, AI-related energy and water consumption is increasingly material to their environmental disclosures.

The Social Dimension

AI systems make decisions that affect people: hiring and recruitment, credit scoring, insurance pricing, healthcare diagnostics, content moderation, and law enforcement. When these systems contain biases, whether from training data, model design, or deployment context, the social harm can be significant and disproportionately affect vulnerable populations. The Stanford AI Index notes that the AI Incident Database now tracks over 1,200 real-world incidents, including flawed content moderation, unsafe automation, election-related misinformation, and privacy violations. For companies reporting under social standards such as ESRS S1 (Own Workforce) and ESRS S4 (Consumers and End-users), the impact of AI on employees, customers, and communities is a disclosure-relevant consideration.

The Governance Dimension

At its core, responsible AI governance is about accountability: who in the organisation is responsible for the decisions that AI systems make? How are risks identified, assessed, and mitigated? What oversight mechanisms exist to ensure that AI systems operate as intended? These are fundamentally governance questions, and they sit squarely within the remit of the board and senior management. ISO/IEC 42001:2023, the first certifiable AI management system standard, explicitly requires demonstrated leadership and commitment from top management, which in practice means board-level oversight of AI governance. The EU AI Act entered into force on 1 August 2024 and applies in stages: prohibited practices from 2 February 2025, general-purpose AI obligations from 2 August 2025, most remaining obligations from 2 August 2026, and certain high-risk provisions as late as August 2027. It imposes penalties of up to 7% of global annual turnover (or EUR 35 million, whichever is higher) for the most serious breaches, with lower tiers for other infringements, placing AI governance firmly in the category of material financial risk.

The Regulatory Landscape: What Companies Must Know

The regulatory environment for AI governance has evolved at remarkable speed. Five frameworks now define the global baseline for responsible AI, and any company operating internationally must understand how they interact.

Framework | Scope | Status | Key Requirement
EU AI Act | Mandatory (EU + extraterritorial) | In force 1 Aug 2024; most obligations apply from 2 Aug 2026 | Risk-based classification; conformity assessment for high-risk AI; fines up to 7% of global turnover for prohibited practices
ISO/IEC 42001:2023 | Voluntary (global, certifiable) | Published Dec 2023 | AI management system; Plan-Do-Check-Act; bias mitigation; transparency; human oversight
OECD AI Principles | Policy (38+ countries + EU) | Adopted 2019, updated 2024 | Transparency, accountability, safety, fairness; referenced by EU AI Act
NIST AI Risk Management Framework | Voluntary (US-origin, global adoption) | Published Jan 2023 | Govern, Map, Measure, Manage lifecycle approach to AI risk
UNESCO Recommendation on AI Ethics | Policy (194 member states) | Adopted Nov 2021 | Human rights-centred; proportionality; safety; fairness; sustainability

In addition, the Council of Europe Framework Convention on AI, opened for signature in September 2024, is the first legally binding international treaty on AI, covering human rights, democracy, and the rule of law. The G7 Hiroshima Code of Conduct for organisations developing advanced AI systems was adopted in 2023, with a reporting framework established in 2025. At the national level, jurisdictions from Singapore to Brazil to Canada are developing or implementing AI governance requirements, creating a patchwork of obligations that multinational companies must navigate.

ISO/IEC 42001: The Governance Standard for AI

ISO/IEC 42001:2023 deserves particular attention because it is the first international standard that provides a certifiable framework for AI governance. Published in December 2023 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it establishes requirements for an AI Management System (AIMS) that any organisation developing, providing, or using AI can implement and certify against.

The standard follows the Plan-Do-Check-Act (PDCA) methodology familiar from ISO 9001 (quality) and ISO/IEC 27001 (information security), so it can be integrated with existing management systems. Organisations already certified to ISO/IEC 27001 are commonly reported to reach ISO/IEC 42001 certification substantially faster (figures of up to 40% are cited by implementers) than those starting from scratch, because many controls (risk management, incident management, training, internal audit) transfer directly. ISO/IEC 42001 adds AI-specific requirements including transparency and explainability, data governance and quality, bias identification and mitigation, model validation and testing, human oversight for critical decisions, AI vendor and third-party governance, and continuous monitoring and improvement.

Complementary standards include ISO/IEC 23894:2023 (AI risk management guidance) and ISO/IEC 42005:2025 (AI system impact assessment), which together provide a comprehensive toolkit for organisations building their AI governance capability.

The ESG Disclosure Connection: CSRD, ISSB, and AI

[Infographic: where AI governance connects to ESG reporting frameworks: CSRD/ESRS (E1 climate, S1 workforce, S4 consumers, G1 governance), IFRS S1/S2 (climate risks from AI infrastructure, Scope 2/3 emissions), CDP (technology role in emissions management), and ESG ratings agencies (MSCI, S&P, Sustainalytics incorporating AI governance metrics).]

While no current ESG reporting standard explicitly mandates an "AI governance" disclosure, the existing frameworks create multiple points where AI governance is directly relevant. Under the CSRD/ESRS, companies must disclose their material environmental impacts (ESRS E1 Climate Change), which for AI-intensive companies includes the energy and carbon footprint of their AI infrastructure. Social disclosures under ESRS S1 (Own Workforce) require consideration of how technology, including AI, affects working conditions, and ESRS S4 (Consumers and End-users) is relevant where AI systems interact with or make decisions about customers. ESRS G1 (Business Conduct) addresses governance structures, internal controls, and ethical business practices, all of which encompass AI governance.

Under IFRS S2, companies must disclose climate-related risks and opportunities, including those arising from the energy consumption of AI infrastructure. The CDP questionnaire increasingly asks about the role of technology and digital tools in emissions measurement and reduction. And ESG rating agencies are beginning to incorporate AI governance metrics into their assessments, recognising that companies with poor AI governance face material reputational, regulatory, and operational risks.

The trajectory is clear: AI governance is likely to become an explicit ESG disclosure requirement within the next two to three years. Companies that begin building their disclosure capability now will be ahead of the curve when this expectation formalises.

The Responsible AI Governance Checklist for Companies

For organisations seeking to establish or strengthen their AI governance as part of their broader ESG strategy, the following checklist provides a structured starting point. It is designed to be actionable for companies at any stage of AI maturity, from those just beginning to deploy AI to those with extensive AI operations.

1. Board Oversight and Accountability
Assign explicit board-level responsibility for AI governance (whether through an existing committee or a dedicated AI ethics committee). Ensure at least one board member has sufficient AI literacy to provide informed oversight. Include AI risk in the enterprise risk management framework. Report on AI governance to the board at least quarterly. 

2. AI Inventory and Risk Classification
Maintain a complete inventory of all AI systems in use across the organisation, including third-party AI tools and AI features embedded in procured software. Classify each system by risk level (following the EU AI Act's four-tier framework: unacceptable, high, limited, minimal risk), recording the rationale for each classification. Prioritise governance resources on high-risk systems that affect fundamental rights, safety, or material business decisions. 

3. Policy Framework
Publish an organisation-wide AI policy that articulates principles for responsible AI use, including fairness, transparency, accountability, privacy, and safety. Establish clear guidelines for AI procurement, development, deployment, and retirement. Define prohibited AI uses, drawing on the EU AI Act's list of prohibited practices (e.g., social scoring, and real-time remote biometric identification in publicly accessible spaces for law-enforcement purposes, subject to narrow exceptions). 

4. Bias and Fairness Testing
Implement mandatory bias testing for all AI systems that make or influence decisions about people (hiring, lending, pricing, access to services). Test across protected characteristics including gender, race, age, disability, and socioeconomic status, and check for proxy variables (such as postcode) that correlate with them. Document the testing methodology, the fairness metrics chosen and why (metrics such as demographic parity and equal opportunity can conflict, so the choice must be justified), the results, and remediation actions. Repeat testing at regular intervals and after every retraining, as model drift can reintroduce bias over time. 

5. Transparency and Explainability
Ensure that individuals affected by AI decisions can understand how and why a decision was made. Provide clear disclosure when customers or employees are interacting with an AI system. Document model design, training data, limitations, and known failure modes. Align with the EU AI Act's transparency obligations, which become fully applicable in August 2026. 

6. Human Oversight
Establish human-in-the-loop controls for high-risk AI decisions. Define escalation procedures for cases where the AI system's output is uncertain, contested, or involves significant consequences. Ensure that human reviewers have the authority, training, and information needed to override AI recommendations when appropriate. 

7. Data Governance
Implement robust data governance for AI training, validation, and testing datasets, ensuring accuracy, representativeness, and freedom from discriminatory bias. Comply with data protection regulations (GDPR, local equivalents) in all AI data processing. Maintain data lineage records that support auditability and regulatory compliance. 

8. Environmental Impact Measurement
Measure and disclose the energy consumption, carbon emissions, and water usage associated with your AI operations. Include AI-related environmental impacts in your emissions reporting: Scope 2 for electricity purchased for your own data centres, Scope 3 for AI workloads run on cloud providers' infrastructure and for hardware manufacturing and disposal. Set targets for reducing the environmental footprint of AI, including model efficiency, renewable energy procurement for data centres, and responsible hardware lifecycle management. 

9. Third-Party AI Governance
Extend governance requirements to AI systems procured from third-party vendors. Include AI governance clauses in procurement contracts (requiring disclosure of model design, data sources, bias testing, and incident reporting). Assess the responsible AI practices of AI vendors as part of your supplier due diligence process. 

10. Continuous Monitoring, Audit, and Improvement
Monitor AI system performance continuously, not just at deployment. Conduct regular internal audits of AI governance compliance. Report AI incidents promptly and transparently. Use findings from monitoring and audit to improve governance processes, following the Plan-Do-Check-Act methodology embedded in ISO/IEC 42001. 
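Items 4 and 10 above call for bias testing that is documented, repeated and watched for drift. The following is an added example, not code from the article, showing what such a test looks like in practice: it computes per-group selection rates, the disparate-impact ratio against the most favoured group (flagging groups below the conventional four-fifths threshold, assumed here as the policy threshold), and the true-positive-rate gap as an equal-opportunity check, then compares a release-time test with a later re-test to raise a drift alert. The decision records, group labels and counts are constructed for illustration; the function names and the 0.05 drift tolerance are assumptions.

```python
"""Group-fairness checks for a binary decision system, plus a re-test for drift.

Added example (not from the article): stdlib-only, run on constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Conventional disparate-impact threshold (the "four-fifths rule" used by the
# US EEOC in employment selection). Assumed here as the flagging threshold.
FOUR_FIFTHS = 0.8


@dataclass(frozen=True)
class Decision:
    group: str       # protected-characteristic value (e.g. "A", "B")
    approved: bool   # what the AI system decided
    qualified: bool  # ground-truth label used for the equal-opportunity check


def make_batch(spec: Dict[str, Tuple[int, int, int, int]]) -> List[Decision]:
    """Build a constructed batch from per-group counts:
    group -> (n_total, n_qualified, approved_among_qualified, approved_among_unqualified)."""
    batch: List[Decision] = []
    for group, (n, q, a_q, a_u) in spec.items():
        assert q <= n and a_q <= q and a_u <= n - q, "inconsistent counts"
        batch += [Decision(group, i < a_q, True) for i in range(q)]
        batch += [Decision(group, i < a_u, False) for i in range(n - q)]
    return batch


def selection_rates(decisions: Iterable[Decision]) -> Dict[str, float]:
    """P(approved) per group (demographic-parity view)."""
    approved, total = defaultdict(int), defaultdict(int)
    for d in decisions:
        total[d.group] += 1
        approved[d.group] += int(d.approved)
    return {g: approved[g] / total[g] for g in total}


def disparate_impact(rates: Dict[str, float]) -> Dict[str, float]:
    """Each group's selection rate relative to the most favoured group."""
    top = max(rates.values())
    return {g: (r / top if top else 0.0) for g, r in rates.items()}


def true_positive_rates(decisions: Iterable[Decision]) -> Dict[str, float]:
    """P(approved | qualified) per group (equal-opportunity view)."""
    hits, positives = defaultdict(int), defaultdict(int)
    for d in decisions:
        if d.qualified:
            positives[d.group] += 1
            hits[d.group] += int(d.approved)
    return {g: hits[g] / positives[g] for g in positives}


def fairness_report(decisions: List[Decision], threshold: float = FOUR_FIFTHS) -> dict:
    """Metrics to file with the test record, plus the groups that breach the threshold."""
    rates = selection_rates(decisions)
    ratios = disparate_impact(rates)
    tpr = true_positive_rates(decisions)
    return {
        "selection_rate": rates,
        "disparate_impact": ratios,
        "tpr": tpr,
        "tpr_gap": (max(tpr.values()) - min(tpr.values())) if tpr else 0.0,
        "flagged": sorted(g for g, r in ratios.items() if r < threshold),
    }


def drift_alerts(baseline: dict, current: dict, max_drop: float = 0.05) -> List[str]:
    """Groups whose disparate-impact ratio fell by more than max_drop since the baseline test."""
    base, now = baseline["disparate_impact"], current["disparate_impact"]
    return sorted(g for g in now if g in base and base[g] - now[g] > max_drop)


# Constructed samples: a release-time test and a re-test after the model was retrained.
BASELINE = make_batch({"A": (100, 60, 54, 6), "B": (100, 60, 51, 3)})
RETEST = make_batch({"A": (100, 60, 54, 6), "B": (100, 60, 36, 2)})

if __name__ == "__main__":
    before, after = fairness_report(BASELINE), fairness_report(RETEST)
    print("release:", before)
    print("re-test:", after)
    print("drift alerts:", drift_alerts(before, after))
```

At release, group B is approved at 54% against 60% for group A, a disparate-impact ratio of 0.90 that passes the four-fifths threshold with a true-positive-rate gap of 0.05. After retraining, B's approval rate drops to 38% (ratio 0.63) and its true-positive rate to 0.60, so the re-test flags B and the drift check raises an alert even though group A's figures are unchanged. Storing each report alongside the model version is the documentation trail item 4 asks for; the thresholds belong in policy, not in the code.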

Conclusion

Responsible AI governance is no longer a voluntary aspiration for technology-forward companies. It is an emerging regulatory requirement, a material ESG risk, and a board-level strategic priority. The EU AI Act, ISO/IEC 42001, the OECD AI Principles, and the NIST AI Risk Management Framework collectively establish a global baseline for how organisations should govern AI. The connection to ESG reporting is direct and growing: AI's environmental footprint is a climate disclosure issue, AI's impact on people is a social disclosure issue, and AI accountability is a governance disclosure issue.

For sustainability professionals, the practical message is clear. Start with an AI inventory. Classify systems by risk. Establish board-level oversight. Implement bias testing and transparency measures. Measure and disclose the environmental impact. Extend governance to third-party AI. And prepare for the day, which is approaching rapidly, when responsible AI governance is not just expected but required as part of your sustainability reporting. The companies that treat AI governance as the next ESG pillar will build the trust, resilience, and competitive advantage that distinguishes leaders from laggards in the decade ahead.
