Metric 0 Pre-Check
Before any MAT-06 report cycle begins, two gates must pass.
Gate 1 — MAT-01 Baseline Exists
Confirm a completed MAT-01 AI Maturity Assessment provides the baseline maturity band and ROAI KPI data. Board reporting without a maturity baseline cannot demonstrate direction of travel or measure programme effectiveness. Section 5 (Maturity Progression) is meaningless without prior period comparators. If failed: complete MAT-01 before initiating MAT-06 report cycle.
Gate 2 — AI BoM Register Is Active
Confirm the DAT-06 AI Bill of Materials register is active and contains current data for all Active, Provisional, Under Review, and Suspended tools. Section 1 (AI Portfolio Overview) is the anchor section of the board report — without reliable AI BoM data, the report cannot accurately represent the organisation’s AI footprint. If failed: bring DAT-06 current before initiating MAT-06 report cycle.
---
1. Purpose
MAT-06 establishes the Boardroom AI Reporting Template: the governance framework specifying what AI programme information must be reported to the Board, in what structure, with what frequency, and with what level of authority.
Board oversight of AI is not discretionary. The Board is the ultimate accountable body for the organisation’s risk exposure. AI tools that affect client matters, process personal data, operate autonomously, or create professional liability exposure fall squarely within the Board’s risk oversight mandate. The EU AI Act, ISO/IEC 42001, and professional conduct frameworks all presuppose organisational governance structures that include board-level oversight of AI systems.
Most AI governance failures that escalate to regulatory enforcement or professional conduct proceedings share a common feature: the Board was not informed, or was not informed with sufficient specificity and frequency to exercise meaningful oversight. MAT-06 closes this gap by providing the structured reporting framework that makes board-level AI oversight operable.
The Template is not a free-form reporting guide. It is a structured content specification with seven mandatory sections, defined KPIs, specified cadence, and clear evidence retention obligations. Consistent use across reporting cycles makes the board report itself a defensibility asset.
---
2. Strategic Context
AI governance has matured significantly in the legal sector since 2023. The first generation of AI governance focused on adoption controls: AI Use Policies, basic tool registers, and practitioner guidance. The second generation — which the Legal AI Operating System represents — implements systematic governance across the full lifecycle with risk classification, evaluation harnesses, agentic authorisation panels, and incident response frameworks.
The third generation of AI governance, now beginning in leading legal organisations, is governance integration at the board level: ensuring that the systematic governance infrastructure built at the AI Governance Lead and legal operations level is visible and accountable to the board.
This shift is driven by three forces. First, the EU AI Act’s accountability requirements extend to deployer organisations, not merely AI system providers — the deploying firm’s governance is subject to regulatory scrutiny. Second, professional liability insurers are beginning to ask about AI governance in renewal cycles — a structured board report provides evidence of active governance. Third, clients of law firms are increasingly asking about AI governance as a matter of professional due diligence. A board-approved governance report is the most credible response.
MAT-06 is the vehicle for this third-generation governance integration.
---
3. Operating Principles
Principle 1 — Report from the Source
Every section of the board report is populated from data held in the Legal AI Operating System modules: DAT-06 for portfolio data, STR-07 for incident data, MAT-01 for maturity data, GOV-11 for disclosure data. No parallel data collection or manual summary is acceptable. Parallel reporting systems create version conflicts, undermine governance integrity, and multiply the AI Governance Lead’s reporting burden.
Principle 2 — Direction of Travel, Not Just Status
Every quantitative metric in the board report is presented with prior period comparators and a directional indicator (improving, stable, deteriorating). A board that sees only current-period data cannot assess whether governance is working. Direction of travel is the governance signal; point-in-time status is the context.
Principle 3 — Material Risks Surface, Minor Risks Are Summarised
The board report is not a detailed operational log. Class A agentic incidents, Tier 1 Shadow AI discoveries, material compliance gaps, and imminent regulatory deadlines are surfaced explicitly with action items. Class C and D incidents, routine monitoring findings, and administrative matters are summarised as counts without narrative detail.
Principle 4 — Forward Agenda Is Mandatory
Section 7 (Forward Agenda) is not optional context — it is a governance requirement. The Board must see upcoming reauthorisations, planned adoptions, regulatory changes, and governance events in advance. Boards that are informed only of completed events cannot exercise meaningful oversight.
Principle 5 — The Board Acknowledges, Not Just Receives
Every board report is formally acknowledged in board minutes. Acknowledgement is not approval of every decision contained in the report — it is confirmation that the Board has received and considered the report. Material risks requiring board resolution are explicitly identified as resolution items, not merely noted.
Principle 6 — Supplementary Notification Is Immediate
The quarterly report cycle does not substitute for immediate notification of material events. A Class A agentic incident, a Tier 1 Shadow AI discovery with client exposure, or a GOV-11 disclosure to a regulator or client requires immediate notification to the General Counsel and Managing Partner, with a written supplement to the Board within 48 hours of the notification decision.
---
4. Report Section 1: AI Portfolio Overview
Purpose: Give the Board a current, accurate picture of the organisation’s AI tool footprint and its governance status.
Content elements:
1.1 AI BoM Summary
Total Active tools in the AI BoM as of the report date, broken down by Agentic Tier (Tier 0 Advisory through Tier 4 Executor). Present as a table with prior period comparator and movement indicator.
1.2 Portfolio Changes This Period
Tools newly added to Active status this period (with tool name, vendor, Tier, and use case category). Tools retired this period (with reason: planned or emergency). Tools moving between Tiers. Tools currently in Provisional status (pending governance completion).
1.3 Shadow AI Findings
USE-07 quarterly sweep results: number of unregistered tools identified; disposition outcomes (Converted, Restricted, Retired); severity classification of findings (Tier 1 through Tier 4). Trend vs. prior period. Zero Shadow AI findings is the target — a declining trend demonstrates that governance awareness is improving.
1.4 Reauthorisation Status
Tools with current authorisation as a percentage of all Active Tier 3–4 tools (Reauthorisation Currency Rate). Tools approaching reauthorisation within 60 days. Any tools currently in Suspended status with explanation.
---
5. Report Section 2: Risk Posture Report
Purpose: Give the Board visibility of current AI risk exposure across all nine Risk Taxonomy classes, with material changes highlighted.
Content elements:
2.1 Risk Register Summary
Current AI risk register status: number of open risk items by Risk Class; RAG status (Green: within appetite; Amber: elevated, monitoring; Red: exceeds appetite, action required). Present as a 9-class table with current-period RAG status and prior-period comparator.
2.2 Material Risk Changes
Any risk class whose RAG status has changed since the prior report. Brief narrative explanation of the change and the action being taken. The Board’s attention should be drawn explicitly to any Red items and any deterioration from Green to Amber.
2.3 Horizon Risk Items
Emerging risks not yet in the register that the AI Governance Lead has identified for the Board’s awareness. Regulatory developments, vendor infrastructure changes, or new use case categories that may create new Class 1–9 exposures in the next period.
---
6. Report Section 3: Compliance and Regulatory Status
Purpose: Give the Board confidence that the organisation is meeting its AI-related legal and regulatory obligations.
Content elements:
3.1 EU AI Act Compliance Status
Current compliance posture against applicable EU AI Act obligations for the organisation’s size and sector. Key indicators: AI literacy programme completion (TAL-06 compliance with Article 4); use case risk classification (high-risk determination for applicable tools); technical documentation adequacy (GOV-09 evaluation records as Article 9 evidence); incident reporting compliance (GOV-11 Article 73 notifications made).
3.2 ISO/IEC 42001 and Other Standards
Status of any active certification programme or conformity assessment. Key gap areas identified in the most recent gap analysis.
3.3 Professional Conduct Obligations
Any AI-related professional conduct matters arising in the period: SRA or Bar Council guidance updates affecting AI use; practice direction changes; client demand for AI disclosure in engagement letters. Actions taken or planned.
3.4 Regulatory Changes Requiring Response
Changes to applicable regulations or guidance since the prior report that require a governance response. Deadline, responsible party, and planned action.
---
7. Report Section 4: Incident Summary
Purpose: Give the Board visibility of AI incidents, disclosure actions, and root cause patterns, so governance improvement opportunities are identified and tracked.
Content elements:
4.1 Incident Volume and Severity
STR-07 incidents opened this period: total count and breakdown by Class A through Class D. Trend vs. prior period. Any Class A or Class B incident is named individually with a brief description, outcome, and remediation action. Class C and D incidents are presented as counts only.
4.2 Disclosure Actions
GOV-11 disclosures made this period: category (Client Disclosure; DPA Notification; Professional Regulatory Body; Internal Governance Record); number of each; and for any Category 1 or 2 disclosure, a brief description of the incident triggering the disclosure and the outcome.
4.3 Root Cause Patterns
If more than two incidents of the same class occurred in the period, identify the common root cause and the remediation being implemented. The Board should be able to see whether incident patterns are being structurally addressed, not merely resolved case by case.
4.4 Open Incidents
Incidents opened in a prior period that remain open as of the report date, with status and expected resolution date.
---
8. Report Section 5: Maturity Progression
Purpose: Give the Board a strategic view of the organisation’s AI governance maturity development over time, and calibrate investment in the AI governance programme.
Content elements:
5.1 Current Maturity Band
Current MAT-01 maturity band (1 Foundational through 5 Defensible) and score. Prior period comparator. Any band progression since the prior annual report.
5.2 ROAI KPI Trend Analysis
For each of the four ROAI quadrants (Protect, Comply, Grow, Transform), present the primary KPI trend over the preceding four quarters. Use a simple chart or table format. The Board should be able to see whether each quadrant is improving, stable, or deteriorating on a rolling basis.
5.3 Band Milestone Achievements
Any new maturity band capabilities achieved this period (e.g., first GOV-08 Panel convened; first GOV-09 Evaluation Harness completed; USE-07 quarterly sweep operationalised). Milestones demonstrate that the AI governance investment is producing governance capability uplift.
5.4 Next Maturity Target
The next maturity milestone the organisation is working toward, the estimated timeline, and the key dependencies. This section gives the Board a forward view of the programme’s ambition and resource requirements.
---
9. Report Section 6: ROAI Governance KPI Dashboard
Purpose: Give the Board a single consolidated view of the AI governance programme’s current performance against its four core KPIs, one per ROAI quadrant.
Dashboard format: Four-quadrant table with current-period status, prior-period comparator, direction of travel indicator (arrow), and RAG status.
Protect Quadrant
Primary KPI: AI BoM Coverage Rate — percentage of tools in operational use that are at Active status in the AI BoM. Target: 100%. Secondary KPI: Shadow AI Incident Rate — number of unregistered tools discovered per quarter per 100 Active tools.
Comply Quadrant
Primary KPI: Reauthorisation Currency Rate — percentage of Active Tier 3–4 tools with a current Agentic Deployment Authorisation Certificate. Target: 100%. Secondary KPI: AI Literacy Completion Rate — percentage of staff who have completed their tier-appropriate TAL-06 training as of the report date. Target: 100% Tier 1 (all staff); 90%+ Tiers 2–4.
Grow Quadrant
Primary KPI: Time to Active Status — mean business days from Stage 1 initiation to Active DAT-06 status, reported separately for Tiers 0–2 and Tiers 3–4. Target: under 5 days (Tiers 0–2); under 10 days (Tiers 3–4). Secondary KPI: Evaluation Coverage Rate — percentage of Active tools that have undergone a GOV-09 Evaluation Harness within the past 12 months or since material model version change.
Transform Quadrant
Primary KPI: Agentic Tier Distribution — percentage distribution of Active tools by Tier (0 through 4) compared to prior period. Direction should show net advancement toward higher, better-governed tiers. Secondary KPI: Maturity Band Progression — current MAT-01 band vs. 12 months prior.
---
10. Report Section 7: Forward Agenda
Purpose: Enable the Board to exercise forward-looking oversight rather than reactive governance.
Content elements:
7.1 Scheduled Reauthorisations
All Tier 3–4 tools with reauthorisation due in the next 90 days: tool name, Tier, reauthorisation due date, and status (on track / at risk). Any at-risk reauthorisation requires a brief explanation and contingency plan.
7.2 Planned AI Tool Adoptions
Any new AI tools currently in Stage 1 or Stage 2 of the lifecycle that are expected to reach Active status in the next reporting period. Tool name, vendor, proposed Tier, intended use case. This enables the Board to raise any concerns before deployment rather than after.
7.3 Regulatory and Policy Horizon
Regulatory changes, guidance updates, or professional conduct developments expected in the next 3–6 months that will require a governance response. The AI Governance Lead’s recommended response and timeline.
7.4 Governance Events
Scheduled GOV-08 Panel sessions, GOV-09 evaluation engagements, USE-07 discovery sweeps, and TAL-06 literacy refresh events in the next reporting period. This section demonstrates to the Board that governance is a planned, ongoing programme, not a reactive one.
7.5 Programme Investments Requested
Any resource, budget, or policy decisions required from the Board to maintain or advance the AI governance programme. State clearly what is being requested, why it is needed, and what the risk of not funding it is.
---
11. Reporting Cadence and Authority
Quarterly Board Report (Sections 1, 2, 3, 4, and 7)
Prepared by the AI Governance Lead within 10 business days of the quarter close. Reviewed and approved by the General Counsel before presentation. Presented to the Board, Governing Partners, or Risk Committee at the first available board meeting after preparation. Board acknowledgement recorded in minutes.
Annual Board Report (All Seven Sections)
Prepared as an expanded quarterly report at the end of Q4 or Q1 of the following year. Includes full KPI trend analysis (Section 5 and 6) and next-year programme targets. Presented at the annual governance review board meeting.
Event-Triggered Board Supplement
Prepared within 48 hours of the triggering event for: any GOV-08 Class A agentic incident; any GOV-11 Category 1 or 2 disclosure to a client or regulator; any USE-07 Tier 1 Shadow AI discovery with confirmed client data exposure. The supplement covers: what happened; what was done immediately; what the disclosure status is; what the regulatory exposure is; and what the Board is being asked to note or decide. Delivered to the General Counsel and Managing Partner immediately, with formal distribution to the full Board within 48 hours.
Reporting Authority Matrix:
- AI Governance Lead: Prepares and signs off on accuracy of all data in the report.
- General Counsel: Reviews for legal privilege and disclosure risk before distribution; presents to the Board.
- Managing Partner or Risk Committee Chair: May request additional detail or supplementary analysis on any section.
- Board: Acknowledges report in minutes; formally resolves on any items identified as requiring resolution.
---
12. ROAI 4-Quadrant Alignment
Protect
Section 1 (AI Portfolio Overview) and Section 2 (Risk Posture Report) give the Board the information needed to exercise meaningful Protect oversight: they can see the AI footprint, the governance coverage rate, the Shadow AI exposure, and the current risk posture across all nine risk classes. Primary Protect KPI reported: AI BoM Coverage Rate. Target: 100%.
Comply
Section 3 (Compliance and Regulatory Status) and Section 4 (Incident Summary, including GOV-11 disclosures) give the Board the information needed to confirm the organisation is meeting its legal and professional obligations. The EU AI Act Article 4 literacy compliance indicator and the Reauthorisation Currency Rate are primary Comply KPIs. Target for both: 100%.
Grow
The Forward Agenda (Section 7) and the ROAI KPI Dashboard (Section 6 Grow quadrant) give the Board the information needed to support the AI Governance Lead’s programme development activities. Board visibility of planned adoptions, evaluation timelines, and Panel sessions creates the organisational permission structure for the AI Governance Lead to operate with appropriate resource and authority. Primary Grow KPI: Time to Active Status.
Transform
Section 5 (Maturity Progression) is the Transform reporting section. It gives the Board the directional signal: is the organisation’s AI governance capability advancing over time? Is the AI portfolio maturing toward higher, better-governed tiers? Is the programme delivering the sophistication and defensibility improvement that the investment is intended to produce? Primary Transform KPI: Maturity Band Progression and Agentic Tier Distribution trend.
---
13. DPS Evidence Retention Schedule
Adoption lens — 5-year retention:
Board reporting schedule records (confirming quarterly cycle was followed); AI Governance Lead preparation records; General Counsel review and approval records.
Sophistication lens — 5-year retention:
Completed board reports (all sections, all periods); event-triggered board supplements; KPI dashboard data underlying each report; ROAI quadrant data supporting each quarter’s analysis.
Defensibility lens — 7-year retention:
All completed and formally presented board reports, including quarterly reports, annual reports, and event-triggered supplements. Board minutes acknowledging each report. Any formal board resolutions on AI governance matters arising from the reports. These records are the primary evidence that the Board exercised active AI oversight — if regulatory scrutiny ever reaches board level, these are the documents that establish the governance standard the organisation held itself to.
---
14. Monitoring Cadence
Continuous: AI Governance Lead maintains a running draft of Section 1 (AI Portfolio Overview) by updating it with each lifecycle event (new Active tool, retirement, Shadow AI discovery). This ensures the quarterly report does not require a data gathering exercise — the underlying data is current.
Quarterly: Complete board report preparation and presentation cycle. Post-presentation: update the KPI trend tracking file with current-period data for each ROAI quadrant metric.
Annual: Full report preparation including Section 5 (Maturity Progression) and KPI trend analysis. Review the report template itself for any required updates based on regulatory changes, schema changes to underlying modules, or Board feedback.
Event-triggered: Event-triggered supplement preparation for Class A incidents, Tier 1 Shadow AI discoveries with client exposure, and GOV-11 Category 1 or 2 disclosures.
---
15. Related OS Modules
- DAT-06 AI Bill of Materials Standard — Primary data source for Section 1 (AI Portfolio Overview). AI BoM Coverage Rate and Reauthorisation Currency Rate are drawn from DAT-06 Active status data.
- MAT-01 AI Maturity Assessment — Data source for Section 5 (Maturity Progression) and the Transform quadrant of Section 6. MAT-01 maturity band score and KPI data are the foundation of the annual maturity narrative.
- STR-07 AI Incident Response Framework — Data source for Section 4 (Incident Summary). STR-07 incident register provides the volume, severity, and status data for all AI incidents reported in the period.
- GOV-11 AI Incident Disclosure Standard — Data source for Section 4 (Disclosure Actions). GOV-11 Category 1 and 2 disclosures are surfaced individually in the board report. GOV-11 event-triggered supplement requirement is the primary trigger for immediate board notification.
- USE-07 Shadow AI Discovery and Conversion Playbook — Data source for Section 1 (Shadow AI Findings) and Section 2 (Risk Posture, Class 6). Quarterly discovery sweep results feed directly into the board report.
- TAL-06 AI Literacy Curriculum Map — Data source for the Comply quadrant of Section 6 (AI Literacy Completion Rate). TAL-06 competency verification records provide the completion data for EU AI Act Article 4 compliance reporting in Section 3.
- GOV-08 Agentic Governance Charter — Data source for Reauthorisation Currency Rate (Section 6), scheduled Panel sessions (Section 7), and Class A incident reporting (Section 4). GOV-08 Agentic Deployment Authorisation Certificate status drives the primary Comply KPI.
- GOV-09 AI Evaluation Harness Specification — Data source for Evaluation Coverage Rate (Section 6 Grow quadrant). GOV-09 evaluation records support EU AI Act Article 9 compliance reporting in Section 3.
- GOV-10 AI Lifecycle Operating Manual — The operational framework from which Section 1 portfolio data is drawn. The GOV-10 Lifecycle Governance Calendar aligns with the Forward Agenda reporting in Section 7: scheduled reauthorisations, planned adoptions, and governance events in Section 7 are drawn from the GOV-10 calendar.
- GOV-02 AI Use Policy — Data source for Section 3 (Compliance Status). GOV-02 policy currency is one of the compliance indicators reported to the Board.
image pending
Four-quadrant ROAI governance KPI dashboard structure for board AI reporting
Treat each MAT-06 report as a formal governance artefact: source data from OS modules, obtain General Counsel sign-off, and retain the full evidence package for at least seven years.