Board Duties in the Governance of AI Systems
Emerging duties under Swiss law for boards overseeing AI deployment.
Swiss corporate law does not, as of the date of this article, have a body of case law specifically addressed to the board’s duties in overseeing artificial-intelligence systems. It does not need one. The existing duties — Art. 716a OR on non-delegable board responsibilities, Art. 717 OR on care and loyalty, the sectoral overlays that govern regulated industries — already answer most of the questions a Swiss board needs to ask about deploying AI in its business. What has changed is not the doctrine but the factual character of the risks: systems that take autonomous action over customer-facing, safety-critical, or financially consequential decisions; model behaviour that is not fully predictable at time of deployment; dependencies on third-party vendors whose training data and safety measures the deployer cannot inspect. This article states how the established duties reach those risks, and what a Swiss board taking its responsibilities seriously should put in place.
1. The statutory starting point
The board’s duties with respect to AI systems derive from the same provisions that govern every other material operational risk in a Swiss stock corporation. Three warrant particular attention.
Art. 716a para. 1 ch. 2 OR — determining the organisation. Where a company integrates AI systems into material operational processes, the resulting organisational design is itself a board responsibility. Who owns the decision to deploy a model? Who reviews changes to its behaviour? How are its outputs monitored, its failures identified, its degradation over time addressed? These are structural questions that do not belong in line management alone; the board must ensure that the structure exists and that it places decisions in the right places.
Art. 716a para. 1 ch. 5 OR — overall supervision of management. The board’s non-delegable Oberaufsicht duty extends to ensuring compliance with applicable laws and regulations. For AI deployment, applicable laws now include sector-specific frameworks (banking, insurance, medical devices, employment), general data-protection rules under the revised nDSG, and — for Swiss companies offering services into the EU — the EU AI Act. The Act applies to Swiss deployers where AI systems are placed on the EU market or where the output is used in the EU, producing extraterritorial reach that most Swiss companies of meaningful scale must assume engages them.
Art. 717 OR — the care standard. The duty of diligence is measured against the standard of an orderly and conscientious director, calibrated to the risk profile of the company and to the specific decision at hand. A board that deploys or oversees AI in a decision-bearing capacity is measured against what a competent director in that sector would know to ask about the systems being used. See the Director Duties article generally; the particular content of the care standard for AI is treated in sections 2–4 below.
2. The mission-critical framing
The Delaware Supreme Court’s 2019 decision in Marchand v. Barnhill articulated, for common-law directors, an intuitive principle: where a risk is central to the business, the board must implement and actively monitor an information system that gives it timely visibility into that risk at board level. The comparative-law commentary on Marchand seen from Switzerland sets out the transposition; the short form is that Swiss law reaches the same conclusion on a shorter and doctrinally sterner route, via Art. 716a(1)(5) and Art. 717 OR, and without Delaware’s bad-faith gloss.
The boards for which AI is now a mission-critical risk fall into recognisable categories. Financial institutions whose customer decisions — credit, pricing, insurance underwriting, claims handling — are intermediated by models. Medical and medtech businesses where AI assists or makes diagnostic or triage decisions. Manufacturers whose safety-critical product logic incorporates AI components. Operators of autonomous or semi-autonomous physical systems. Information businesses whose content moderation, fraud detection, or eligibility determinations are model-driven. Professional-services firms whose work product is produced with materially AI-assisted workflows. For these, model risk is not a technology-team topic to be delegated out of the boardroom; it is an operational risk on the same register as product safety or credit risk.
The Swiss board’s response to mission-critical AI risk should therefore follow the structure the doctrine already imposes for other mission-critical risks: a defined board-level owner (ordinarily a committee); a cadence of substantive reporting; an agreed set of KPIs calibrated to the company’s specific exposures; documented decisions on deployment, retention, and decommissioning; minutes that reflect the substance of the board’s engagement.
3. What a Swiss board should know about model risk
Board-level oversight does not require board-level technical expertise; it requires the board to ask the questions that oblige management to produce an answer. Five categories of question recur in practice.
Intended use and boundaries. Where is the model deployed? What decisions does it make, and what decisions does it inform? Where are the guardrails — the cases in which a human must review, in which the model must refuse, in which the system must fail safe? A model that has been deployed beyond the boundaries of its validated use is the paradigmatic source of model-related harm.
Training data and data governance. What data was the model trained on, and is that data representative of the population on which the model will now be used? Does training data contain personal data whose processing is lawful for the deployment? Are inputs to the deployed model preserved in a form adequate to later audit? Swiss data-protection rules under the revised nDSG apply in parallel with corporate-duty considerations; for cross-border deployments, the EU AI Act and GDPR apply cumulatively.
Performance monitoring and drift. Model behaviour degrades over time as the underlying population changes. What monitoring is in place to detect drift? Who is responsible for deciding to retrain, revalidate, or retire a model? What are the thresholds that trigger escalation? Absence of drift-monitoring is a particularly clean case of the Marchand-type oversight failure: the system exists, but the board has no mechanism to learn that it has stopped working as intended.
Failure modes and incident response. What are the foreseeable failure modes of the deployment — biased outputs, systematic misclassification, exploited prompt injection, confabulation — and what response protocol exists if one materialises? Who reports to whom? What is the customer or regulator communication path? A board that cannot describe, in outline, the incident response for its material AI deployments has not completed the oversight work.
Third-party dependency. Where the model, weights, or infrastructure is provided by a third party — a foundation-model vendor, a cloud inference provider — the board’s oversight responsibility does not evaporate. Contractual commitments from the vendor on model behaviour, on notification of material changes, on audit rights, and on transition support if the vendor discontinues the service are substantive governance artefacts. Concentration risk in a single vendor is itself a board topic.
4. Sectoral overlays
Swiss sectoral regulators have issued, or are in the process of issuing, expectations that translate AI oversight into concrete operational requirements for regulated entities. Where these apply, they take priority over, and specify, the general corporate-duty framework.
Financial services — FINMA. FINMA has published guidance on governance, risk management, and use of AI in supervised institutions, framed around the principles of accountability, robustness, transparency, and non-discrimination. Banks, insurers, asset managers, and other FINMA-supervised entities operate under expectations that are, in substance, the regulated-industry equivalent of the Marchand mission-critical framing applied to AI.
Medical devices and health — Swissmedic. Where AI is integrated into a medical device or a diagnostic pathway, the overlapping frameworks of HMG (Heilmittelgesetz), MepV, and international device-regulation equivalents apply. The board’s AI oversight duty is additive to, not displaced by, these frameworks.
Data protection — FDPIC. The Federal Data Protection and Information Commissioner, operating under the revised nDSG, has jurisdiction over processing of personal data by Swiss AI deployers. Automated individual decision-making, profiling, and high-risk processing engage specific requirements, including — in defined cases — the obligation to provide human review of automated decisions.
Cross-border — the EU AI Act. Swiss companies whose AI systems are placed on the EU market, or whose outputs are used in the EU, fall within the territorial scope of Regulation (EU) 2024/1689. High-risk classification under the AI Act produces substantive governance requirements — risk management, data governance, human oversight, transparency, registration — that a Swiss board cannot treat as a line-management compliance project alone.
5. Governance artefacts
The governance infrastructure for AI oversight in a Swiss company of any size typically comprises five artefacts, each of which the board should be able to identify.
A charter or policy. A written document that allocates responsibility for AI use within the company, states the principles the company has committed to, and identifies where deployments of particular risk require elevated sign-off. The charter is not the governance; it is the place where the governance can be read.
An inventory. A record of what AI systems the company operates, where, for what purposes, with what data. In companies of any meaningful AI footprint, an up-to-date inventory is the precondition for oversight; its absence is itself an oversight gap.
A deployment gate. A defined review that meaningful new AI deployments must pass before going live, scaled to the risk class of the deployment. For high-risk deployments, this gate reaches the board or a delegated committee; for lower-risk deployments, a standing working group suffices.
A monitoring and incident cadence. Regular reporting to the board or committee on the inventory, the performance of the material deployments, incidents that have occurred, and remediation status. The expectation is not that the board reads every incident report; it is that the board sees enough of the incident pattern to recognise when something is materially changing.
A minuted record of decisions. Deployment approvals, material changes, retirement decisions, incident responses — these should appear in the minutes of the competent board or committee in enough substance that a later reviewer can see that the decision was made on informed grounds. The Litigation Readiness discipline applies here as elsewhere.
6. What this means for boards
Three practical points follow.
Do not defer. AI is already embedded in the operations of most Swiss companies of any size; the question is not whether the board’s duties are engaged but whether they are being discharged. A board that has not yet engaged with the company’s AI footprint is the board that the Art. 716a oversight analysis will scrutinise in the event of harm.
Calibrate to the risk, not to the technology. The governance response should be proportionate to the risk profile of the specific deployments, not to the novelty or prominence of AI as a topic. A customer-facing credit-scoring model in a bank warrants more intense oversight than an internal summarisation tool used for drafting routine correspondence. The board’s time and attention should follow the risk.
Build the record. AI-related liability cases are in their early stages in Switzerland as elsewhere. When they arrive, the evidence a Swiss court will ask for is the evidence it asks for in any director-liability case: what the board knew, what it asked, what it decided, and why. The minutes, charters, inventories, and incident records are the record. A board that documents its AI oversight contemporaneously is not defending speculatively; it is building the factual basis that the doctrine already calls for.