Cybersecurity and Trustworthy AI: What Boards Need to Do Now

AI and cybersecurity have firmly moved into the boardroom. They are no longer technical topics; they are central to strategy, risk, compliance, and long-term value creation.

Åsa Schwarz, KnowIt

This was the key message from the seminar “Cybersecurity and Trustworthy AI – Board-level Governance and Legal Perspective”, arranged by Sherpany in collaboration with Legal Transformation Network and ELTA, where Åsa Schwarz and a panel of in-house counsel highlighted a growing reality: legal transformation today is as much about governance and trust as it is about technology.

From awareness to responsibility

Boards are already responsible for strategy, risk management, and compliance. In practice, this means AI and cybersecurity are already part of their mandate.

The challenge is to address four dimensions simultaneously:

  • Future relevance: staying competitive in an AI-driven market
  • Growth: capturing efficiency and new revenue opportunities
  • Risk: managing increasingly sophisticated cyber threats
  • Compliance: responding to regulations such as the AI Act and NIS2

Standing still is not an option, but neither is moving fast without control.

The governance gap

Many organisations are adopting AI faster than they can govern it. Security incidents are common, and basic controls – such as identity management for AI agents – are often lacking.

This gap is reinforced by a recent report from Gravitee, which highlights that AI agents are already operating in production while security models lag behind. The issue is not a lack of awareness, but that existing identity and authorization frameworks were not designed for autonomous systems, creating clear governance challenges for boards.

At the same time, trust is becoming a decisive factor. Customers are willing to pay more for secure and reliable AI-enabled services. This makes trust not only a risk issue, but a business driver.

The conclusion is clear: AI cannot be managed as an IT project. It requires a governance framework embedded into existing management systems, aligned with standards, and designed to handle risk, compliance, and accountability at scale.

Vanessa Eriksson, Executive Advisor, Miranda Espenäs, Swedish Company Lawyers Association and Spotify, Louise St Cyr Ohm, Storskogen, Åsa Schwarz, KnowIt and Anna Forsebäck, Hemnet

What boards should focus on

The discussion pointed to a number of practical priorities for boards:

  • Ensure sufficient competence in AI, cybersecurity, and regulation
  • Embed these topics into the board’s structure and annual cycle
  • Verify that management has the right capabilities and resources
  • Confirm that management systems and standards are in place
  • Integrate regulatory requirements into operations and oversight
  • Ensure governance is built into products and services, not just policies

In short: move from discussion to discipline.

The role of legal

Legal teams play a key role in this shift. Not only by interpreting regulation, but by helping translate it into governance structures, decision-making frameworks, and practical guidelines.

As highlighted in the panel, this includes building cross-functional competence, supporting the board with clear frameworks, and applying sound judgment to what is acceptable and responsible in practice.

__________________________

AI and cybersecurity are no longer future issues. They are current governance challenges, and a defining part of how boards create trust, resilience, and competitive advantage in an AI-driven world.

The images have been provided by Sherpany, and the photographer is Natasha Kolesnikova.
