29 June 2026

AI In The Boardroom: Judgment, Information Systems And The Modern Duty Of Care

Corrs Chambers Westgarth

Andrew Lumsden’s articles from Corrs Chambers Westgarth are most popular:
  • with Senior Company Executives, HR and Inhouse Counsel
  • with readers working within the Accounting & Consultancy, Insurance and Healthcare industries

Key insight

Artificial intelligence does not change directors’ duties – but it is reshaping how those duties will be assessed. Courts are focusing less on decision outcomes and more on whether boards exercised informed oversight of the systems producing AI‑influenced information. The inability to explain how AI was governed may matter more than the correctness of the decision it informed.

Artificial intelligence is now embedded in the systems through which directors receive, filter and understand information. The question for boards is no longer whether to use AI, but how to govern it. AI does not change the content of directors’ duties – it changes the environment in which those duties are performed. In doing so, it exposes a longstanding reality of the duty of care and diligence: its focus is less on the correctness of decisions and more on whether directors have maintained effective oversight of the systems that generate and shape the information on which those decisions are based.

Recent authority confirms that this duty now operates in two settings: where directors rely on AI-influenced outputs in making decisions, and where AI itself is deployed within the organisation as a source of material operational and legal risk. Existing principles of reliance remain fit for purpose, but they place heightened emphasis on information architecture – ensuring boards have visibility of the limitations, risks and assumptions embedded in AI systems. Properly understood, the “old rules” still apply. The challenge for directors will be demonstrating that they have been applied, through robust AI governance and information systems.

The recent decision in Star¹ is not, on one view, about decision-making at all. It is about the systems through which information reaches directors. The Court’s analysis did not turn on whether the directors made the “right” decisions. It turned on whether they had positioned themselves to receive information capable of supporting those decisions. The focus was on reporting structures, escalation mechanisms and the informational environment in which the board operated. For boards, this shifts the question from whether a decision was reasonable to whether the systems informing that decision were capable of supporting informed oversight.

That approach is consistent with earlier authority. In Daniels v Anderson,² directors were required to take a diligent and intelligent interest in the affairs of the company. In Centro,³ they were required to read and understand the financial information placed before them. In James Hardie,⁴ the limits of reliance on others were exposed in the context of board approval of misleading disclosure.

Star sharpens the point. The duty of care is increasingly concerned with whether directors have ensured that the organisation’s information systems are capable of surfacing material risk in time for meaningful oversight. In that sense, it is a case about information architecture rather than decision-making. Much of the current discussion of AI in governance assumes that it presents a new category of legal problem. It does not. AI sits within the systems that generate and present information to directors. It acts as a filter, a synthesiser and, increasingly, a generator of information. It affects how board materials are prepared, how risks are identified and how trends are analysed.

Star has two clear implications for AI. First, where directors rely on AI-generated outputs, the organisation's information architecture must allow the limitations of that reliance to be understood before those outputs inform board decisions. Second, the use of AI within the organisation gives rise to material AI risks that this same information architecture must be capable of identifying and escalating to the board where appropriate.

AI and the duty of care and diligence

Section 180(1) of the Corporations Act 2001 (Cth) imposes an objectively assessed duty of care and diligence on directors and officers. The Court considers what a reasonable person in the director's or officer's position would do, having regard to the responsibilities and circumstances of the office.⁵

The modern objective standard is anchored in AWA.⁶ Directors must be in a position to guide and monitor management, cannot be passive and cannot rely blindly on others.⁷ The “responsibilities” referred to in the statute extend beyond formal statutory duties and include “whatever responsibilities [original emphasis] the officer concerned had within the corporation, regardless of how or why those responsibilities came to be imposed on that officer”.⁸

Whether the standard has been met requires a balancing of the foreseeable risk of harm against the potential benefits reasonably expected to accrue to the company by reason of the director’s or officer’s actions, taking into account the expense and practicality of taking alleviating action.⁹ While directors are entitled to rely without verification on the judgment, information and advice of management and other officers, that entitlement is conditional.¹⁰ A director’s reliance must:

  • involve an independent assessment of the information or advice provided;
  • be made in good faith; and
  • be based on reasonable grounds as to the competence and reliability of the person relied upon.

Reliance on AI-enabled systems can fall within this framework, but only if directors treat the system as standing in for a competent person (for example, an external expert or an internal team) and it satisfies those same statutory conditions. The analysis should therefore focus on the person responsible for the system and the controls surrounding its use. AI complicates that analysis. The statute is framed in terms of persons, not systems, and it is difficult to characterise an algorithm as an “expert” in its own right.

The better view is that the relevant expertise lies with the person or entity deploying or standing behind the system – whether an internal team, an external adviser or a vendor. That does not resolve the issue. Where systems are opaque or proprietary, a director’s ability to assess competence, reliability and limitations becomes more difficult. The system does not substitute for that assessment.

Independent assessment remains a demanding requirement. A director cannot discharge it by accepting an AI-generated output at face value. AI introduces a structural tension into the reliance framework – the law assesses the competence of the person relied upon, but the output may be generated by a system that neither the director nor that person can fully explain, test or challenge. AI may inform a decision. It cannot constitute the decision.

Operationalising oversight of AI‑informed decisions

For AI-enabled decision-making, the starting point for boards is not technical expertise, but structural oversight.

Directors should be able to answer at a minimum:

  • Where is AI used in the business?
  • What decisions does it influence?
  • Who is affected by those decisions?
  • Can the outcome be reviewed or overridden by a human?
  • Are outputs tested, or simply accepted?
  • Can the process be explained and audited?
  • If the system is third-party, what assurance exists as to its performance and limits?

For material or high-impact uses of AI, boards should expect evidence of four core elements:

  • Purpose – why AI is used and what it is not used for
  • Validation – assumptions, known limitations and material changes
  • Exceptions and overrides – flagged anomalies and human interventions
  • Assurance – data lineage, controls, audit logs and a named accountable owner

These are the mechanisms by which boards position themselves to interrogate AI-informed outputs and demonstrate disciplined judgement. Where AI outputs are adopted without testing or inquiry, there is a real risk that no relevant “judgment” has been exercised at all.

AI and the business judgment rule

The business judgment rule in Section 180(2) of the Corporations Act operates where a director has exercised a judgment. It does not apply to failures of oversight or failures to engage with systems of information. That is not a defect in the law, but a constraint on how AI can properly be used in governance.

Where a director has not turned their mind to a matter, there is no “business judgment” to protect.¹¹ This has a direct implication for AI-enabled decision-making. If a director simply adopts the output of a system without interrogation, it is not clear that any judgment has been exercised. In those circumstances, the statutory safe harbour is not engaged. This exposes a structural tension. The attraction of AI lies in its capacity to produce faster, more consistent and often more accurate outputs than human judgment.

The business judgment defence has always been about process, not clairvoyance. Rich¹² clarifies aspects of the burden of proof and the requirement that directors be ‘appropriately informed’. None of these authorities demand technical omniscience. They require an inquiring mind, proportionate reliance and credible documentation. The same principles apply in an AI context.

The governance challenge presented by AI is therefore not technical, but structural. Directors are not required to understand how an algorithm operates at a technical level. They are required to ensure that the systems through which AI operates produce information that can be evaluated, understood and, where necessary, challenged.¹³

The critical question is whether the organisation has established systems capable of identifying and escalating material risks to the board. Where directors rely on AI-generated outputs, the legal issue is not whether the output was correct, but whether the systems through which it was produced were capable of supporting informed oversight. In an AI context, that means focusing on outputs, validation and accountability.

AI governance: board oversight, risk escalation and accountability

Governing the risks posed by AI tools themselves is as important as scrutinising the accuracy of their outputs. Consistent with the principles in Star, organisational structures must ensure that material AI risks (such as biased or inaccurate outputs, cyber security vulnerabilities, or breach of applicable laws relating to anti-discrimination or privacy) are identified, assessed and escalated to the board, with appropriate assurance that proportionate controls are in place to manage these concerns.

Clear responsibility for the implementation, oversight and monitoring of AI systems is essential. This may be supported through cross-disciplinary governance forums (an ‘AI risk committee’) and designated responsible AI officers, so that AI risks are understood and addressed at the appropriate level of seniority.

Only assessed and approved tools should be used, supported by an AI policy that sets out which AI tools and use cases are permitted, restricted or prohibited, with particular attention to high-risk domains. Shadow AI (unauthorised use of AI tools by employees) poses significant confidentiality, privacy and compliance risks and should be actively addressed.

Governance frameworks should also require consideration of whether proposed AI use cases create legal or regulatory risks, including risks arising under anti-discrimination, privacy, cyber security or consumer protection laws. Directors should be satisfied that AI systems are subject to appropriate access controls and data governance.

Organisations may elect to publish a public-facing AI policy to build trust and clarify expectations, but such statements must reflect actual practices, else risk claims of misleading and deceptive conduct under the Australian Consumer Law. Taken together, these measures comprise the information architecture that Star demands. Just as directors cannot claim ignorance of financial misstatements in the absence of adequate reporting systems, they will struggle to defend failures of AI governance where no framework existed to identify, assess and escalate the risks AI poses.

Applying established directors’ duties in an AI‑enabled environment

AI does not represent a departure from established principles of corporate law. It is the context in which those principles will be tested most acutely. The duty of care does not require directors to decode technology. It requires them to ensure that the organisation’s systems, including those incorporating AI, are capable of supporting informed oversight.

AI exposes a structural tension. The law assesses the competence of the person on whom reliance is placed. The decision may in substance be driven by a system that neither the director nor the delegate fully understands. That tension does not displace the statutory framework. It raises the standard of inquiry required to satisfy it.

The question is not whether organisations and directors will use AI, but whether they will be able to explain how the AI systems they operate are governed. Directors must be able to identify, understand and respond to the risks AI presents, and to demonstrate how judgment was exercised.

Footnotes

1. Australian Securities and Investments Commission v Bekier (Liability Judgment) [2026] FCA 196 (Star).

2. Daniels v Anderson (1995) 37 NSWLR 438 (AWA).

3. Australian Securities and Investments Commission v Healey (2011) 196 FCR 291 (Centro).

4. Australian Securities and Investments Commission v Hellicar [2012] HCA 17; (2012) 286 ALR 501, the limits of reliance on others were exposed (at [162]–[163] per French CJ, Gummow, Hayne, Crennan, Kiefel and Bell JJ).

5. Australian Securities and Investments Commission v Adler [2002] NSWSC 171; (2002) 168 FLR 253 (at 346–347 [372(4)] per Santow J).

6. AWA Ltd v Daniels (1992) 7 ACSR 759.

7. AWA.

8. Shafron v Australian Securities and Investments Commission [2012] HCA 18; (2012) 247 CLR 465 (at 476 [18] per French CJ, Gummow, Hayne, Crennan, Kiefel and Bell JJ).

9. Vrisakis v Australian Securities Commission (1993) 9 WAR 395 (at 449–450 per Ipp J). The balancing exercise is not confined to commercial considerations or monetary consequences and extends to “all of the interests of the corporation”: Australian Securities and Investments Commission v Cassimatis (No 8) [2016] FCA 1023; (2016) 336 ALR 209 (at 640–641 [459] per Thawley J).

10. AWA (at 868 per Rogers CJ).

11. See Star at paragraphs 1436 and 1465 to 1467.

12. Australian Securities and Investments Commission v Rich [2009] NSWSC 1229; (2009) 236 FLR 1 (Rich).

13. In Star, the Court’s focus was not on the merits of the board’s decisions but on whether the board had positioned itself to receive information capable of supporting those decisions. The duty of care was engaged at the level of information architecture, not outcome.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
