On the 2026 board agenda

The unprecedented combination of uncertainties, risks, and volatility call for deeper board engagement in strategy and evolving business contexts. The Trump administration’s policy positions on tariffs, trade, immigration, tax, and regulation more generally are reshaping the economic, geopolitical, and risk landscape—leading to action and reaction elsewhere around the globe. Meanwhile, Europe is facing ongoing geopolitical challenges, internal political fragmentation, and a renewed push for strategic autonomy in defense, digital, and economic domains. EU leaders are focused on strengthening the bloc's role in a volatile world, particularly amid uncertainty over the transatlantic relationship and ongoing security threats. At the same time continuing military conflicts in Ukraine add to the complexities. Risks related to cybersecurity, extreme weather, Generative Artificial Intelligence (GenAI), Agentic AI, and other new technologies (such as quantum computing) continue to pose major challenges for companies.

In this environment, boards play a pivotal role by actively engaging in strategy and promoting agility and resilience. A fundamental question is how the board’s role in strategy should evolve to adopt more rigorous forward-looking governance practices. Our discussions with directors have highlighted several practices that may be helpful:

Develop a vivid picture of possible future scenarios.

This is never an easy undertaking, and it is particularly challenging given the transformational changes underway. Make time for the board to have meaningful “what-if” discussions in a focused and urgent way—opportunities and risks related to AI, human capital, and supply chain should be front and center. Where are the company’s industry and competition headed? What might the business look and feel like in 2, 5, or 10 years?

Scenario planning remains critical.

Robust scenario planning can help companies make informed decisions and prepare for potential disruptions. The board should help ensure that the scenario planning process is properly resourced with the right data and expertise, management maintains a broad perspective, relevant context is considered, the process remains iterative, and outside views are heard.

Make risk, crisis planning, and resilience part of the discussion.

No strategic plan can anticipate every risk that might hinder a company trying to achieve its strategic objectives, and adjustments to strategy may be needed as conditions change. Help management reassess the company’s processes for continually identifying the risks and opportunities posed by disruption—geopolitical, economic, technological/digital, social, and environmental—and the impact on the company’s strategy and related capital allocation decisions.

Does management have an effective process to monitor changes in the external environment and provide early warning that adjustments to strategy might be necessary? That process should include risk management, business continuity, crisis planning, and resilience. It calls for frequent updating of the company’s risk profile, stress testing strategic assumptions, analyzing downside scenarios, considering the interrelationship of risks, and obtaining independent third-party perspectives.

Balance the focus on short-term agility and long-term vision.

While it is important to remain responsive to immediate, short-term risks and uncertainties, boards must help guard against short-termism. A focus on the long-term is vital to organizational endurance and value creation.

As companies forge ahead with AI and GenAI initiatives, it’s imperative for boards to stay current on the related opportunities and risks, including how GenAI and AI agents are being deployed, and how the company is managing and mitigating the risks.

Risks posed by GenAI and AI agents

The risks posed by GenAI are significant and include inaccurate data and results, cybersecurity risks, data privacy and security risks, compliance with domestic and global AI-specific laws and regulations, intellectual property risks, and reputational risks. To address these risks, companies and boards have focused on the guardrails and governance policies for the development, deployment, and use of GenAI. The deployment of GenAI has also prompted companies to take a hard look at the quality of the company’s data and data governance practices, as achieving the hoped-for productivity and efficiency improvements with AI depends on the quality of the company’s data, and how it is processed, stored, and protected.

As companies begin to deploy AI agents, it is essential that they reassess and, as appropriate, modify their AI and data-related governance policies and guardrails to address the evolving and unique risks posed by AI agents. These are primarily risks posed by AI agents’ autonomous decision-making and operational integration. The adequacy of human-on-the-loop oversight is a key area of focus.

Full implementation of GenAI

In addition to being vital for competitive advantage, the successful deployment of GenAI with strong governance and risk management is a prerequisite enabler for the more complex deployment of autonomous AI agents. Addressing GenAI foundational adoption issues, particularly risk management and trust, is essential. The board should understand the company’s strategy to generate returns on GenAI investments and monitor the trajectory of deployment as well as management’s governance structure for GenAI deployment and use, including risk management and mitigation. The board should also understand how the company is ensuring the quality and accuracy of GenAI output.

Staged deployment of AI agents

In addition to projected productivity benefits, deploying more autonomous AI agents is the building block for deploying more complex agentic AI. Staged deployment of AI agents enables companies to gain operational familiarity and establish the necessary data and governance frameworks to better position the company to handle more complex, adaptive, and autonomous AI capabilities.

ROI and the bottom line

Wherever the company is on its AI journey, return on investment (ROI) is essential. To maximize ROI and increase productivity, many companies are taking a “first principles” approach—recognizing that GenAI and AI agents provide an opportunity to rethink processes from the ground up, rather than making existing processes slightly more efficient and/or cost effective.

People

Achieving the transformational benefits of the adoption of GenAI and AI agents at scale hinges on placing people at the core of adoption—prioritizing change management, workforce empowerment, skills development, and cultural transformation. What skills are necessary in an agentic AI and GenAI world? How does the company keep employees engaged through the transition, minimize their concerns regarding being replaced, and mitigate the risk of “de-skilling”? Fundamentally changing what people do every day and how they work requires leadership.

Ongoing board education on AI in all its forms is essential. In addition to reports from management, many directors shared that they attend outside education programs and their boards receive updates from third-party experts and that they seek individual training, often incorporating the use of GenAI into their daily lives.

The explosive growth in the use of AI is prompting more rigorous assessments of companies’ data governance framework and processes. Companies usually design data governance frameworks suited to their industry and specific needs, but several established frameworks are available for consideration. The frameworks vary in many respects, but generally focus on data quality, data privacy and security, data stewardship, and data management.

In its oversight of data governance, the board should insist on a robust data governance framework that:

• Makes clear what data is being collected, how it is stored, managed, and used, and who makes decisions regarding these issues,
• Identifies which business leaders are responsible for data governance across the enterprise, including the roles of the chief information officer, chief information security officer, and chief compliance officer (or those performing similar functions), and
• Determines which vendors and third parties may have access to company data and their obligations to protect it.

Boards should also consider whether the company’s data governance framework supports the company’s strategy and whether the framework is properly aligned with the company’s separate, but interrelated, AI governance framework and processes.

While management teams and boards have devoted substantial time and attention to addressing increasingly sophisticated cyber threats, companies must continue to upgrade their defenses against fast-moving AI-driven and quantum computing threats.

The risk of data breaches and malware attacks, including ransomware, data corruption, and model poisoning, continues to mount, with AI enabling cybercriminals to scale their attacks in terms of speed, volume, variety, and sophistication. Quantum computing may pose an even greater threat because its breakthrough computational capabilities could undermine the encryption methods that secure today’s digital information.

To assess the company’s preparations to address these threats, boards should ask for regular briefings on:

• How management is ensuring that the company’s cyber defenses are staying ahead of AI-enabled attack trends, such as deepfakes and autonomously generated phishing campaigns.
• The robustness of management’s cyber response plans. Recognizing that it isn’t possible to stop all attacks, a focus on resilience is essential.
• The state of the company’s readiness against quantum computing risks. Special attention should be paid to “harvest now, decrypt later” attack scenarios and the company’s plans to transition to quantum-resistant encryption before quantum computing reaches a critical threshold.

Given the advances in AI-driven and quantum computing risks, boards should ensure that they have the relevant expertise, obtain that expertise through outside advisors, and/or consider the use of an advisory board to enable them to probe these issues more deeply with management.

Companies’ approaches to human capital management, environmental, and sustainability issues are widely seen as essential to business success and long-term value creation by certain stakeholders, including investors, ratings firms, activists, employees, customers, and regulators. However, pushback against these issues has caused many companies to reassess those initiatives.

Several fundamental questions are essential in boardroom conversations about sustainability:

• Which sustainability issues are material or of strategic significance to the company? The sustainability issues of importance will vary by company and industry. Relevant issues may include physical risk associated with climate change, business model risk and opportunity associated with the energy transition, and labor, diversity, and safety issues associated with the workforce and the supply chain. Those companies within the scope of the Corporate Sustainability Reporting Directive will also need to assess “double materiality,” i.e., material risks to the business and material risks to the 
• Each company should engage in its own materiality assessment frequently enough to keep it fresh and relevant.
• How is the company addressing sustainability issues strategically and embedding them into core business activities (strategy, operations, risk management, incentives, and corporate culture) to drive long-term performance?
• Is there a clear commitment from the C-suite and enterprise-wide buy-in?
• In internal and external communications, does the company explain why sustainability issues are materially or strategically important?

Management’s efforts to prepare for regulatory mandates for climate and sustainability disclosure remain an important area of board focus and oversight.

Achieving a “healthy tension” in the boardroom—where the board is advising the CEO and management team while maintaining objectivity, independence, and skepticism—isn’t easy. Striking this balance has become more challenging and more important given the tremendous pressure on boards and CEOs to deliver results. Our discussions with directors about the keys to maintaining a healthy board–CEO relationship revealed three areas of focus:

Insist on candor and transparency to help build a culture of trust and confidence.

The starting point for an effective and high-value CEO–board relationship is full, open, transparent communication in both directions. The CEO sets the tone for management’s engagement with the board and committee leaders. The board should expect no surprises from management, and management should expect no surprises from the board.

Set clear expectations that the board’s role includes ongoing engagement in strategy and serving as a resource for the CEO and management.

Setting the expectation that the board’s job extends beyond compliance and monitoring is essential. Boards can best serve this role when they are composed of directors with diverse experience and backgrounds who have experience dealing with crises, disruption, technological change, and activism.

A robust CEO succession planning process is essential.

CEO turnover, particularly when unexpected, poses a significant risk of disruption to the business. Key questions for the board are whether its CEO succession planning process is sufficiently robust for various scenarios of CEO departures, and is evolving to identify the CEO skills, traits, characteristics, and experience necessary to lead the company today, and whether the company is maintaining a robust talent pipeline.

Refining board and committee risk oversight responsibilities requires diligence. The increasing complexity and fusion of risks requires a holistic approach to risk management and oversight. Investors, regulators, rating firms, and other stakeholders expect high-quality disclosures—particularly on climate, cybersecurity, AI, human capital, consumer trends, and sustainability risks—about how boards and their committees oversee the management of these risks.

The challenges for boards:

• Continue to monitor the adequacy of management’s enterprise risk management processes. Management should maintain an up-to-date inventory and analysis of the company’s critical risks and how those risks are being managed and mitigated, and management and the board should have a common view of the company’s key risks.
• Clearly delineate the risk oversight responsibilities of the board and each standing committee, identify any overlap, and implement a committee structure and governance processes that facilitate information sharing and coordination among committees and with the full board.

Essential to effectively managing a company’s risks is maintaining critical alignment—of strategy, goals, risks, internal controls, performance metrics and incentives. The full board and each standing committee should play a role in helping to ensure that—from top to bottom—management’s strategy, goals, objectives, and incentives are properly aligned, performance is rigorously monitored, and that the culture the company has is the one it desires.

Carrying out the board’s 2026 agenda will be a significant oversight challenge. Having the right board leadership, composition, and committee structure—together with ongoing director education and rigorous board, committee, and individual director evaluations—will be essential to meeting the challenge.