Boards are increasingly asking for an AI strategy. Most organisations respond with enthusiasm, pilots, and slide decks. A year later, little has changed. Some teams use AI daily. Others block it. Risk sits on the sidelines, and value is unclear. This is not a failure of ambition or technology. It is a failure of clarity.

Most boards talk about “AI” as if it were a single thing. It is not. AI enables different levels of automation, and each level changes the game in material ways. It affects how value is created, where risk sits, who is accountable, and what the board must oversee. When boards miss this, two predictable patterns emerge.

Some overreach. They talk about autonomy and transformation before basic controls are in place. That leads to stalled programmes, regulatory anxiety, and quiet reversals.

Others underreach. They treat AI as a productivity tool for analysts and marketers. They gain small efficiency wins and miss the strategic upside that competitors are already capturing.

Both outcomes stem from the same root problem: a lack of shared language. In my work with boards and executive teams, there is a simple, practical model to fix this. It breaks AI down into three levels of automation. Each level is real and already in use. Each carries a very different value and risk profile.

This model does not require technical depth. It gives boards a way to ask better questions, set clearer boundaries, and govern AI without slowing the organisation down. If you want AI to drive advantage rather than confusion, this distinction matters. The rest of this article explains the three levels, what they enable, what can go wrong, and what boards should do at each stage.

Automation Level 1 - AI to Augment Tasks Performed by Humans

At the augmentation level, AI supports humans in their work; it does not replace them. The AI acts as a partner or co-pilot: it gathers data, surfaces insights, suggests options—and the human retains final decision-making authority. The human remains in the loop, guiding strategy, interpreting nuance, and bearing accountability. This means the organisation uses AI to enhance human judgement, speed and scale tasks rather than handing over control. For boards and executives, this is often the safest entry point: lower risk, faster value, less governance burden, but still substantial potential upside.

Consider a large professional services firm’s audit department. They deploy an AI system that reads contracts, extracts clauses, flags anomalies, and offers the audit manager a ranked list of risks to review. The manager then chooses which flagged items to pursue, drafts questions, and leads the human conversations. An AI model augmented human judgment; it did not replace it. Similarly, in HR, AI might sift thousands of employee survey responses, detect underlying sentiment patterns, and surface the top themes for the HR Director to address—human insight remains central.

Think of Level 1 as a competent analyst. It produces output. You still edit and sign off on it.

Augmentation is a pragmatic first step: you retain human control, deploy AI models to improve your people’s decision-making, reduce mundane load, improve speed and insight, and thereby increase productivity. From a board governance perspective, the required oversight is manageable. Use this level to build AI literacy, governance frameworks, and internal trust before moving to higher autonomy.

The three types of AI you must not confuse.

At Level 1, boards often lump all AI into one category. That creates sloppy oversight. You need to distinguish three common model types because their risks and controls differ.

1) Classification: “Which bucket does this belong in?”

Classification sorts items into categories.

Typical uses:

• Fraud detection: suspicious vs everyday transactions

• Spam filters: spam vs not spam

• Customer support: route to the right team

• HR: identify CVs that match baseline criteria (with care)

Classification is powerful because it improves consistency and speed. It is also easier to test because the outputs are discrete classes.

Board lens: classification tends to fail in predictable ways. You can measure error rates and track drift.

2) Regression: “What number should we predict?”

Regression predicts a number or a probability.

Typical uses:

• Forecasting demand

• Predicting churn risk

• Estimating delivery times

• Credit risk scoring (within a governed framework)

Regression is often the hidden engine in planning and forecasting. It can be very valuable, but only if the underlying data is clean and stable.

Board lens: regression failures often show up as bad forecasts that look “reasonable”. The harm is business-value erosion rather than scandal until it touches regulated decisions.

3) Generative AI: “Create text, images, code, or summaries”

Generative AI produces new content. Large language models, such as ChatGPT and Gemini, sit here.

Typical uses:

• Drafting documents and emails

• Summarising reports and meetings

• Searching internal knowledge bases via natural language

• Drafting code, test cases, and documentation

• Creating first drafts of policies, training content, or comms

Generative AI is the most visible form of AI right now, and the most misunderstood. Generative AI is not a truth machine. It produces plausible output based on patterns. It can be wrong in a confident tone. It can also leak sensitive data if used carelessly.

Board lens: generative AI risk is less about “accuracy in a test set” and more about real-world use: confidentiality, IP, bias, audit trail, and who relies on output without checking.

Real Level 1 examples that boards will recognise

Many organisations are already integrating these use cases into their everyday work, boards included. Examples include:

• Board pack summarisation: AI creates an executive summary, a draft risk heatmap, and a list of questions to ask. The company secretary and the exec team verify.

• Contract and policy drafting support: AI drafts clauses or compares versions. Legal reviews and owns the final document.

• Finance analysis: AI flags anomalies, drafts commentary, and suggests drivers. Finance signs off on numbers and narrative.

• Risk and incident support: AI clusters incidents, suggests root causes, and drafts post-incident reports. The incident manager validates.

Level 1 is not “small”. It can change cycle times, reduce rework, and lift decision quality across the organisation. This can have a tangible impact on bottom lines. However, some things can go wrong at this level. Some common failure modes include:

• Over-trust. People treat AI output as correct because it reads well.

• Data leakage. Staff paste confidential content into public tools.

• Poor prompts, poor results. Output quality varies wildly by user skill.

• Shadow AI. Teams use tools outside policy because it is easy.

Level 1 failures are usually containable if you set rules early. The key here is to keep governance simple and enforceable by doing the following:

• Define where AI is allowed.

• Internal-only drafts? Fine.

• Customer-facing comms? Tight controls.

• Regulated decisions? Treat as Level 2 governance even if “advisory”.

• Set “human-in-the-loop” standards.

  • What must be checked every time?

  • What can be sampled?

  • Who signs off?

• Lock down data handling.

  • Approved tools and approved accounts.

  • Clear rules on confidential and personal data.

  • Central logging, where feasible.

• Train staff on safe use.

  • Not a vague e-learning. A short, sharp playbook:

  • What to use AI for,

• What not to use it for,

• How to verify outputs.

Questions directors should ask at Level 1

• Where is AI being used today, formally and informally?

• What data is going into prompts, and where does it go?

• What outputs are customer-facing or regulator-facing?

• Where is human review required, and is it happening?

• How do we capture incidents and near-misses?

If you cannot answer these, you do not have Level 1 under control. Do not move to Level 2.

Automation Level 2 - AI to automate well-defined tasks previously done by humans

At this level, the AI takes over well-defined tasks (or workflows) that humans previously did, with minimal human intervention. The task is sufficiently structured and repeatable that the AI can automate it reliably. Humans still monitor, manage exceptions and escalations, but the daily execution is machine-led. AI for automation means replacing specific tasks with AI models. This works best with tasks that are repeatable, bounded, high-volume, and have clear success criteria. This is where measurable cost savings and speed gains arrive. It is also where risk rises sharply because errors scale.

Typical Level 2 use cases include

• Claims handling for simple cases (with escalation for edge cases)

• Invoice processing and reconciliation

• Customer service resolution for routine issues

• Document processing and extraction at scale

• Automated KYC checks in defined scenarios

• Scheduling and routing in operations

At Level 2, the risks shift from “bad output” to “bad outcomes”. Key risks include:

• Scale of harm. A model error hits thousands of cases quickly.

• Fairness and bias. If it affects customers or staff, scrutiny increases.

• Explainability and audit. You need to show what happened and why.

• Control failures. No clear kill switch or escalation path.

• Drift. Performance degrades quietly as data changes.

The board does not need to understand the complex mathematics of these models, but it does require confidence that controls match the impact.

Board-level controls that matter at Level 2

• Explicit decision rights

  • Who approved automation?

  • Who owns outcomes?

  • Who can pause it?

• Clear boundaries and exception handling

  • What cases are automated?

  • What cases must escalate?

  • What is the fallback process?

• Monitoring of outcomes, not activity. Track:

  • error rates,

  • rework rates,

  • complaint rates,

  • time to resolve,

  • fairness indicators where relevant,

  • financial leakage.

• Independent testing before deployment

  • Test on historic data.

  • Test on edge cases.

  • Red-team the process: how could it fail in practice?

• Audit trail

  • What data was used?

  • What version of the model ran?

  • What decision was made?

  • Who overrode it?

Automation is the next step beyond augmentation: you’re handing over execution of tasks to AI. The human oversight role remains, but the operational burden shifts. For board/executive teams: this is where you must raise governance, risk monitoring, exception management and change management sharply, because the scale is bigger. Value is real — cost down, throughput up — but risk moves up too.

Automation Level 3 - AI to behave as an autonomous agent to plan & execute actions to achieve goals

Agentic AI refers to AI systems that behave as autonomous agents: they set or are given goals, plan the tasks to achieve those goals, decide which tools to use, take actions, and adjust course, often without human prompting. The human might be in the loop, but AI is doing far more than executing rules; it is orchestrating workflows, making decisions, and continually adapting. According to Oracle: “Agentic AI refers to an AI system that’s capable of making autonomous decisions … then executing on its decisions.”

From the board’s perspective, this is the highest autonomy tier, offering significant value potential, but also the highest risk. Value arises from scalability, speed, adaptive workflows, and “digital workers” replacing or extending humans significantly.

Some carefully bounded examples of what Level 3 can do in real organisations include:

• IT operations agents that diagnose incidents and run approved fixes

• Security response agents that triage alerts and trigger defined actions

• Procurement agents that run sourcing workflows within thresholds

• Sales enablement agents that build account plans and schedule outreach (with controls)

• Finance agents that chase approvals, reconcile variances, and prepare close packs

What boards should demand before Level 3 scales:

• A clear agent charter

  • What goals is it allowed to pursue?

  • What goals are prohibited?

  • What constraints are non-negotiable?

• Permission design

  • Least privilege access.

  • Separate environments.

  • No shared credentials.

  • Strong identity controls.

• Human approval gates

  • external communications,

  • payments,

  • contract changes,

  • customer decisions,

  • production deployments.

• Continuous logging and replay

  • prompts, actions, tool calls, outputs, timestamps.

• Testing for failure behaviours

  • edge cases,

  • adversarial inputs,

  • conflicting objectives,

  • unexpected tool responses.

• A shut-down path that works

  • immediate revoke of permissions,

  • stop job queues,

  • fall back to manual process.

Agentic AI is the frontier of autonomy: significant potential gains, but also big governance stakes. Boards and executives must not treat it as just another automation tool. They need to think about goals, boundaries, oversight, accountability, and learning loops. If the governance is weak, the risk is high. If it’s done well, value can scale.

How to Use the Three Levels as a Board

Below is a simple, board-friendly way to operationalise this model.

1) Create an “AI Automation Register”

This is a one-pager. Updated quarterly and presented to the board or a board committee.

For each AI system:

• owner,

• business area,

• automation level (1/2/3),

• what it does,

• what data it uses,

• what outcomes it affects,

• key controls and monitoring.

If you cannot list it, you cannot govern it.

2) Match governance intensity to automation level

• Level 1: policy, training, approved tools, human review rules, and incident logging.

• Level 2: formal risk assessment, monitoring of outcomes, audit trail, kill switch tests.

• Level 3: agent charter, permission controls, approval gates, deep logging, tighter board scrutiny.

Do not over-govern Level 1. It kills adoption and drives shadow use.

Do not under-govern Level 2 and 3. It creates systemic risk.

3) Link AI to strategy in plain terms

Boards get stuck because “AI strategy” sounds abstract.

Use a simple framing:

• Which strategic outcomes do we need? (growth, cost, risk, service, speed)

• Which business constraints block them? (capacity, cycle time, decision quality, cost to serve)

• Which automation level addresses each constraint safely?

AI becomes a portfolio of interventions, not a hype programme.

4) Set a risk appetite for autonomy

The board should make an explicit call:

• Where are we comfortable with augmentation only?

• Where are we comfortable with automation?

• Where do we allow agents, and under what constraints?

Make it explicit. If you do not, the organisation will decide by default, project by project, with uneven controls.

Summary: What to Remember

Level 1 augments people. It improves speed and quality. Keep humans accountable. Know the difference between classification, regression, and generative AI.

Level 2 automates tasks. This is where savings scale. Risks scale too. Govern outcomes, not tools.

Level 3 uses agents. Autonomy makes goal-setting, permissions, and logging the main governance issues. Treat this like delegation, not software.

The board’s job is not to become technical. It is to ensure the organisation is making explicit choices about autonomy, value, and risk.

If you found this useful, subscribe to AI in the Boardroom. I write for directors and senior leaders who want clear thinking, practical controls, and real-world examples of what works and what fails.