Maria Darby-Walker is a Visiting Fellow at Oxford University, a non-executive director and a Leadership adviser / mentor
Artificial Intelligence has rapidly become a standing agenda item in boardrooms across the world. Yet while many discussions focus on the technology itself, the more important questions are around leadership, governance and judgement.
The same is true of cyber security. Most directors recognise the threat posed by cyber-attacks, but many continue to view cyber risk as an IT matter rather than a business issue. In reality, both AI and cyber security have become matters of strategic importance that require active board oversight.
Recently, I’ve observed a growing divide between organisations that see technology as a source of competitive advantage and those that view it primarily as a source of risk. The most successful organisations understand that it is both.
For boards, the challenge is not becoming experts in artificial intelligence or cyber security. The challenge is ensuring that the right questions are being asked and that management is approaching both opportunity and risk in a disciplined way. Artificial intelligence offers significant opportunities for businesses of all sizes. It can improve productivity, enhance customer experience, support decision-making and create entirely new products and services.
In Malta, board oversight of technology is bound to become increasingly important. Many of its successful businesses have grown from entrepreneurial, founder-led organisations into more sophisticated enterprises operating across multiple jurisdictions. As organisations scale, the risks associated with cyber resilience, data governance and the use of artificial intelligence will become more significant. The challenge for these companies will be to support innovation and growth while ensuring that governance frameworks evolve at the same pace. This is not about slowing change; it is about ensuring that change is sustainable, responsible and aligned with the organisation’s long-term objectives.
The enthusiasm surrounding AI can sometimes however obscure important governance questions. How reliable is the information being generated? What controls are in place? How are customer data and privacy being protected? Are employees receiving appropriate training? What reputational, regulatory and financial risks might arise if systems fail or produce inaccurate outputs? These are not technology questions. They are board level questions.
Similarly, cyber security is no longer simply about protecting systems. It is about protecting customers, employees, reputation and ultimately shareholder value. When organisations experience significant cyber incidents, the consequences extend well beyond operational disruption. Customer trust can be damaged, regulatory scrutiny can increase, and recovery costs can be substantial. In some cases, the reputational impact can last for years.
Boards therefore need confidence that cyber resilience is being treated as a strategic priority. This does not mean reviewing technical specifications or software architecture. It means understanding the organisation’s most critical vulnerabilities, ensuring adequate investment and testing whether management is prepared to respond effectively if an incident occurs.
One of the most common mistakes I’ve observed is that technology discussions are often delegated to IT specialists. Expertise matters, but boards must avoid creating a situation where only a handful of individuals understand the risks and opportunities being discussed.
The role of the board is not to provide technical solutions. It is to exercise oversight, challenge assumptions and ensure that technology decisions align with the organisation’s strategy, values and risk appetite. This is particularly important for chief executives. Many first-time CEOs are leading organisations through a period of technological change unlike anything previous generations have experienced. They are expected to make decisions about AI, cyber resilience, data governance and digital transformation while simultaneously managing growth, culture, regulation, sustainability and stakeholder expectations.
The best CEOs do not pretend to have all the answers. Instead, they build diverse leadership teams, seek external perspectives and create an environment where difficult questions can be raised openly.
The question therefore is no longer whether artificial intelligence and cyber security should feature on the board agenda. They already do. The real question is whether boards are equipped to govern them effectively. Technology will continue to evolve, often faster than regulation and sometimes faster than organisations themselves. In that environment, competitive advantage will not come from having the newest technology. It will come from having the judgement, leadership and governance to use it wisely. Ultimately, AI and cyber security are not technology issues at all. They are tests of a board’s effectiveness.
