Somewhere in your organization, a capable manager is about to put an AI tool into a workflow that touches a material decision — a reserves narrative, a maintenance call, a trading input, a hiring screen — and the approval for it will be an email thread, not a board decision. That is the gap. Most energy companies have a rigorous process for approving a new drilling program or a capital lease, and almost no process for approving software that quietly participates in the same judgments. The board’s job is not to understand the model. It is to ask the small set of questions that decide whether an AI tool is a governed asset or an undocumented liability.
The good news: boards already know how to do this. You do it for financial controls, for HSE, for anything that carries regulatory and reputational weight. AI decisions need the same treatment — an owner, a risk tier, and a record. What follows is the short list of questions to run before anyone signs off, and why each one earns its place.
What Decision Is This Tool Actually Going to Influence?
The first question sounds obvious and is the one most often skipped. Vendors sell “productivity” and “efficiency”; boards should translate that into which decisions the tool will touch. A scheduling assistant is low-stakes. A model that helps estimate reserves, prioritize inspections, or rank job candidates is not — because its output feeds a decision that shows up in a disclosure, a safety outcome, or a discrimination-risk exposure. The right framing isn’t “is this AI safe?” It’s “if this tool is wrong, what breaks, and who is accountable when it does?” Tools that only touch internal convenience can move fast. Tools that touch material decisions belong in a governed lane with a named owner.
Can We Reconstruct a Decision the Tool Influenced Six Months Later?
This is the question that separates a defensible AI program from a hopeful one. When an auditor, a regulator, a plaintiff’s attorney, or an institutional investor asks “how was this determined, and what controls were in place,” the answer cannot be “the model suggested it.” You need to reconstruct the inputs, the version of the tool, the human who reviewed it, and the basis for the final call. If the tool doesn’t produce a record you can retrieve later, you haven’t bought a decision aid — you’ve bought a decision you can’t defend. Ask the vendor, plainly: what does this system log, where does that log live, and can we export it on demand?
Who Is the Named Human Accountable for Its Outputs?
Governance fails when accountability is diffuse. “The data team uses it” is not accountability; it’s a shrug with a headcount. For every AI tool that touches a material decision, one named person should own its use — responsible for the tier it’s classified in, the review step before its output is acted on, and the record that proves both happened. This is exactly how boards already handle financial-control ownership. AI simply extends the same principle to a new class of decision. The NIST AI Risk Management Framework formalizes this — inventory where AI touches decisions, tier each by risk, and assign a human to each tier — and it reads less like a technology standard than like the internal-controls discipline your audit committee already runs.
What New Exposure Does This Tool Create That We Don’t Have Today?
Generative tools in particular introduce failure modes that traditional software doesn’t: confidently stated errors, sensitive data leaving your boundary through a prompt, outputs that drift as the underlying model updates, and content that looks authoritative but has no verifiable source. NIST catalogued these specifically for generative systems in its Generative AI Profile, and the list is worth reading before approval, not after an incident. The board doesn’t need to memorize it. It needs to ask whether management has mapped these risks to this tool in this workflow — and what the mitigation is for each one that’s real.
Does This Belong in a Governance Program or a Procurement Checklist?
The most common and most expensive mistake is treating AI approval as an IT purchasing question. Procurement can tell you whether a tool is secure, compliant with your data-handling rules, and reasonably priced. It cannot tell you whether the tool’s participation in a reserves estimate is defensible to a regulator. Those are governance questions, and they belong to the risk committee or the board — not because the board runs the tool, but because the board owns the consequences when a decision it enabled is challenged. The energy companies getting this right are building the inventory and the audit trail before an outsider asks to see it. (That “controls and audit trail for AI-influenced decisions” layer is the specific problem ModalPoint was built to solve — but whoever builds it, the requirement is the same: a record that survives the room.)
The Board’s Pre-Approval Checklist
Before any AI tool that touches a material decision is approved, management should be able to answer all seven — in writing:
- Decision mapped. Which specific decisions will this tool influence, and how material are they (disclosure, safety, capital, hiring)?
- Risk tier assigned. Has the tool been classified low / medium / high risk, with the tier written down?
- Named owner. Who is the single accountable human for its outputs?
- Reconstruction test. Can we retrieve, six months later, the inputs, version, and human review behind any decision it touched?
- Human-in-the-loop. Where a decision is high-tier, is there a required review step before the output is acted on?
- Failure modes mapped. Have the generative-specific risks (hallucination, data leakage, model drift) been mapped to this workflow with a mitigation for each?
- Exit and change plan. If the vendor updates the model or we drop the tool, what happens to the records and the decisions already made?
If management can answer all seven, the approval is a governance decision made on evidence. If it can’t answer even two, the board isn’t approving a tool — it’s inheriting a liability with a friendly interface.
Why This Lands on the Board, Not the CIO
In oil and gas, reputation and defensibility have always been the currency. A JV partner, a lender, or a regulator judges you on whether your decisions hold up under scrutiny — and AI has quietly become a participant in those decisions faster than most governance has caught up. The board doesn’t need to slow the business down or become fluent in machine learning. It needs to insist that any AI tool touching a material decision arrives with an owner, a tier, and a record. Those three things are the entire difference between an AI program that strengthens your defensibility and one that quietly erodes it. The questions above take an afternoon to ask. Not asking them is the decision that gets discovered later — usually by someone outside the company, at the worst possible time.
Matthew Bertram is CEO of EWR Digital, a Houston SEO and digital marketing agency operating since 1999, and President of ModalPoint, an AI decision-governance advisory. He serves as fractional CMO and co-host at the Oil & Gas Global Network (OGGN), co-hosts The Best SEO Podcast (680+ episodes), created the LLM Visibility™ methodology for getting brands cited in AI search, and is a member of the NIST AI Safety Institute Consortium.
