What Your Board Actually Approved
If you've said "Yes" to AI, how well do you understand the consequences?
The AI conversation at board level has mostly been a productivity conversation. Speed of drafting. Reduction in admin time. More output from the same headcount. The numbers that have been reaching boards reinforce this framing: 54% of UK businesses are now actively using AI, and 95% of UK SMEs say it has had no impact on headcount. Most boards have filed this as reassurance.
It isn’t.
Two Groups, Not One
The British Chambers of Commerce data splits into two distinct groups on closer reading. The majority are using AI for generic tasks and reporting no workforce change. A smaller group, around one in ten, are using deeper bespoke AI and are already more likely to anticipate headcount reductions. Among SMEs actively investing in AI training, 14% expect workforce changes in the next twelve months. The firms showing no headcount impact are doing what they were already doing, slightly faster. The firms showing early signs of structural change are the ones actually rethinking what work needs to exist at all. The board that reads the reassuring headline has missed the question inside it: which of those two groups is the business actually in?
That is the operational question. There is a second one, and it arrived faster than most boards were ready for.
A Different Kind of Risk
In April, Anthropic published details of its Mythos model. Working autonomously, overnight, at a cost of around $20,000, it identified and fully exploited a 17-year-old vulnerability in FreeBSD. It found critical flaws in every major operating system and every major browser. More than 99% of those vulnerabilities remain unpatched. Anthropic is refusing to release Mythos publicly until defensive infrastructure can catch up. This is not a threat from a hostile actor. It is a demonstration of what AI can now do, at a cost that is within reach of almost any organisation, legitimate or otherwise. It arrived while most boards were still debating whether their productivity numbers were credible.
The Trustmarque AI Governance Index found that only 7% of UK businesses have any oversight structure in place for how AI is used. The gap between adoption and governance has always been a concern. Mythos made it a different kind of problem. A board that approved AI spend without understanding what AI can now do autonomously, and without anyone responsible for overseeing how the tools are used and what they can access, is not merely behind on productivity. It is behind on risk.
What the Investment Questions Reveal
For investors assessing an AI-exposed business, a Codurance white paper by Lee Sanderson identifies three questions most board packs cannot answer. The first is whether the company’s AI improves with use or is simply a polished interface over a public model with no proprietary data and no pricing power. The second is whether there is genuine technical talent capable of delivering whatever AI vision management has articulated. The third is how the commercial model will evolve as AI automates more of what the product delivers. These are investor questions, but they are equally governance questions. A board that cannot answer them does not have visibility over what it approved.
The Dependency Nobody Examined
There is a further dimension. The AI approval process creates vendor dependency that is rarely examined at the time. A Zapier survey found that nearly three-quarters of enterprise executives admitted that losing their primary AI vendor would either seriously disrupt operations or leave them entirely dependent on it. Builder.ai was valued at $1.2 billion, was backed by Microsoft, and was filing for bankruptcy by May 2025. Customers who had built workflows around it faced a sudden and expensive transition. Somewhere in most organisations’ current AI spend is a tool that will look like a poor decision in eighteen months. The board that approved the subscription is unlikely to know which one.
What a board approved when it approved AI spend was capability access, data access, and vendor dependency at the same time. The productivity conversation was always the easy part. The harder part is whether anyone in the organisation understands what AI can now do autonomously, what it can access, and who is responsible for knowing when the answer changes. If that question has not yet been asked, it is worth asking before the answer arrives uninvited.
Sources: AI Governance Index — Trustmarque, 2025; UK Businesses and AI report — British Chambers of Commerce, 2025; AI in Enterprise Systems: A Technical Due Diligence Framework — Codurance (Lee Sanderson), 2025; Claude Mythos Preview — Anthropic, 2026; AI vendor lock-in survey — Zapier, 2025


