AEGIS · Module 6 · Brief
Artifact 6.2
Board Reporting Pack
Quarterly board-grade summary of the AI program. Eight slides, one appendix, pre-cleared by General Counsel — the version the board sees.
- Client
- [CLIENT NAME]
- Engagement
- [ENGAGEMENT ID]
- Version
- v1.0
- Issued
- 2026-05-18
Delivered by TechFides under the AEGIS Governance Operating Services engagement. This document is proprietary to the client named above. Redistribution beyond the engagement steering committee requires written consent.
Purpose
The Board Reporting Pack is the quarterly artifact delivered to the board (or the board committee with AI oversight, typically Audit or Risk). It is the externally-defensible companion to the Executive AI Dashboard: fewer signals, more narrative, cleared for redistribution to auditors and regulators on request. It is authored by the AI Governance Lead, reviewed by General Counsel, and approved by the Executive Sponsor at least 5 business days before the board meeting.
Eight-Slide Structure
Intent — Standing structure. Same eight slides every quarter so the board reads trends, not new framings.
1 · Cover + Reporting Period
Contents: Client, quarter, program stage, author, GC clearance line, classification badge.
Source: Header from 6.1
Do not: Do not add a subtitle that promises results. Cover is identification only.
2 · Program Posture (one chart, one sentence)
Contents: Overall signal (Green / Amber / Red) with the rule that produced it. One-sentence narrative.
Source: 6.1 · §2 Program Signal
Do not: Do not soften Amber or Red with language. Report the color.
3 · What We Did This Quarter
Contents: 5–7 bullets: workflows shipped, policies approved, incidents closed, audits passed, training delivered.
Source: QGR minutes (5.1) · Inventory (3.1) · Incident log (2.6)
Do not: Do not list activity with no outcome. Each bullet pairs action with observable change.
4 · Value Realized + In-Flight
Contents: Value realized trailing-90 with method + assumptions. Spend vs envelope. Top 3 initiatives by projected value with gate state.
Source: 3.3 Value & Spend Tracker
Do not: Do not report value the Value Tracker has not already booked.
5 · Risk + Incidents
Contents: Open Very High / High count + top 3 by exposure with treatment. Incidents this quarter by severity, with root-cause category and closure state.
Source: 2.3 Risk Register · 2.6 Incident Runbook
Do not: Do not combine incidents across severities into a single headline number.
6 · Compliance Posture
Contents: Framework mapping heatmap (NIST AI RMF, ISO 42001, ISO 27001, SOC 2, EU AI Act + any sector regs). Any opened/closed findings. Attestation currency.
Source: Policy Core (Module 2) · Training currency (5.3)
Do not: Do not conflate “mapped” with “certified”. Be explicit about which controls are evidenced vs designed.
7 · Decisions Requested of the Board
Contents: 1–3 explicit asks with recommendation, alternative, and consequence of no decision.
Source: QGR open decisions (5.1) · Exec dashboard (6.1)
Do not: Do not bring more than 3 decisions. Park the rest at Executive level.
8 · Forward 90 Days
Contents: Top 3 risks, top 3 value milestones, top 3 regulatory / external watch items. Named owners + dates.
Source: 2.3 Risk Register · 6.3 12-Month Roadmap
Do not: Do not promise milestones that slip every quarter. Trim and be honest.
Standing Appendix
Intent — Appendix rides along every quarter. Board members do not read it unless they need to — that is the point.
| Appendix Section | Contents | Source |
|---|---|---|
| A. Program Charter + RACI (current) | One-page charter + RACI matrix. Updated only on change. | 2.2 RACI |
| B. Active AI Inventory (summary) | Count by status + list of tools at CLIENT-RESTRICTED or BOARD classification. | 3.1 AI Inventory |
| C. Top 10 Risks (current) | Full row per risk: description, inherent, treatment, residual, owner, aging. | 2.3 Risk Register |
| D. Incident Log (quarter) | All incidents opened or closed this quarter with severity + RCA tag. | 2.6 Incident Runbook |
| E. Training Currency (snapshot) | Percentage in-cycle by tier + named cohorts below 95%. | 5.3 Role-Based Training |
| F. Regulatory Watch (90-day) | External items entering the 90-day action window. | AI Governance Lead scan |
| G. Glossary | One-page glossary of AEGIS terms + framework shorthand. | Standing |
Authorship & Clearance
Intent — Board packs that have not been cleared through the chain below are not board packs.
| Step | Owner | Timing | Output |
|---|---|---|---|
| 1. Assemble | AI Governance Lead | T-15 business days | Draft 1, all numbers traced to source |
| 2. Numbers audit | CFO delegate + CISO | T-10 | Every claim verified against source artifact |
| 3. Legal clearance | General Counsel | T-8 | Red-line on language; disclosure review |
| 4. Exec Sponsor approval | Exec Sponsor | T-5 | Signed approval + one-line cover memo |
| 5. Distribution | Board Secretary | T-3 | Secure channel per charter; retention per records policy |
| 6. Minute the delivery | Board Secretary | Meeting + 5 | Minutes reference pack version + SHA |
Redistribution & Classification
Intent — This document is classified BOARD. Distribution rules below are non-negotiable.
No copy/paste into email bodies.
Reference the pack by name + version + SHA; link via secure channel.
No external distribution without GC-signed NDA or legal request.
Auditor, regulator, acquirer DD — all require a named clearance path.
Retention per records schedule.
Default 7 years unless sector regulation requires longer. Archive immutable.
Redaction rules are pre-defined.
If a redacted version is needed for a wider audience, GC has pre-approved mask patterns stored with the template.
Material incidents inside the quarter trigger a board-committee flash update.
Do not wait for the next quarterly pack. Flash is issued within 72 hours of incident classification.
Regulatory & Framework Mapping
Intent — Board oversight of AI is named specifically in the frameworks below. This pack is how the program evidences that oversight.