AI Literacy for Directors: What It Actually Means in the Boardroom

Open LinkedIn on any given day and the same instruction scrolls past, post after post: directors need to get AI literate. Put it on the agenda. Book the seminar. Adopt a policy. None of that advice is wrong. But almost all of it explains what AI is, and almost none of it explains what it means for a director to be AI literate, how they actually get there, or, perhaps most crucially, how a court would decide whether your board actually is AI literate.

The Chief Justice of New South Wales put the same question to boards in his 2026 Harold Ford Memorial Lecture, asking whether “AI-literacy or competency” should be a criterion of a board’s skill matrix, and what it takes for directors “to become AI-literate”. I covered that lecture, and what it means for directors’ duties and the safe harbours, in that companion piece. But whether directors should be AI literate is the easy question, and everybody already answers it yes. The harder question is what the law actually asks of you.

On that, the law turns out to be quite specific. It has built a literacy standard for directors before, and not that long ago. Directors are already expected to be financially literate, and they did not start out that way. A court decided it, drew the line with some precision, and the expectation has held ever since. If you want to know where AI literacy is heading, that is the map to read, because it shows how a broad duty of care hardens into a specific competency you cannot opt out of. It also sets a far higher bar than “we held a workshop”.

How the law built financial literacy

For a long time, a director could plausibly say the numbers were the accountant’s job. That excuse ran out in 2011, with the Centro decision.

In ASIC v Healey [2011] FCA 717, the directors of the Centro property group signed off on financial statements that misclassified billions of dollars of short-term liabilities as long-term. The mistake was there to be seen by anyone who read the accounts against what they already knew about the company’s borrowings. Every non-executive director and the chief executive were found to have breached the duty of care and diligence under section 180(1) of the Corporations Act, and so was the chief financial officer, who was an officer of the company rather than a member of the board.

What makes Centro the template is how Justice Middleton got there. Four parts of his reasoning carry across to AI almost word for word.

First, he put the obligation in a place no director can delegate away. “There is a core, irreducible requirement of directors,” he held, “to be involved in the management of the company and to take all reasonable steps to be in a position to guide and monitor.” You can rely on management, on the auditors, on the audit committee. What you cannot do is rely your way out of understanding what you are signing.

Second, he said what the competency actually was, in plain terms. “All directors must carefully read and understand financial statements before they form the opinions which are to be expressed in the declaration.” The duty was to read the accounts, grasp them, and catch the kind of error that should have jumped off the page.

Third, and this is the part directors tend to miss, he set the bar at a sensible height. “The basic concepts and financial literacy required by the directors to be in a position to properly question the apparent errors in the financial statements were not complicated.” Nobody expected the directors to sit the accountancy exams. They were expected to understand enough to ask the obvious question. Financial literacy was a floor, not a ceiling.

Fourth, and most useful of all, he reached back to older authority to describe the posture the duty demands. “What each director is expected to do is to take a diligent and intelligent interest in the information available to him or her, to understand that information, and apply an enquiring mind to the responsibilities placed upon him or her.”

Hang on to that last sentence. Middleton J was drawing on an older line of authority, running back through the AWA litigation and Daniels v Anderson, and the principle is a simple one: a director cannot be a passive figurehead. It is also remarkably portable. Cross out “financial statements”, write in “AI output”, and you have a working definition of AI literacy you could hand to any board.

The pattern has already repeated once

Financial literacy was not a one-off. The same duty of care has since stretched to cover a risk nobody had in mind when section 180 was drafted.

In ASIC v RI Advice Group [2022] FCA 496, the Federal Court held that a licensee’s failure to put adequate cybersecurity controls in place fell short of its obligation to provide financial services efficiently and fairly. Justice Rofe accepted that, given how heavily modern business leans on digital systems, cyber risk is a significant risk that has to be managed actively, and from the top. Handing your IT to a third party, the case made clear, does not hand off the responsibility with it. That case turned on a financial-services licensee’s obligations rather than directors’ personal duty of care under section 180, but the principle it illustrates, that managing the risks of a critical technology is a board-level responsibility you cannot outsource, reaches well beyond licensees. (If that ground is new to your board, our primer on cyber security for boards is a reasonable starting point.)

Look at the shape of that. A technology becomes central to how organisations run. Its risks become foreseeable. The duty of care, which never names the technology, expands to expect directors to understand it and to oversee how it is managed. Digital literacy followed financial literacy. AI is next in the queue, and the Chief Justice’s lecture reads to me as the early warning that the courts have already noticed.

He put the questions to boards directly. Should AI competency sit on the skill matrix? How much does a director actually need to understand about the tools the company depends on? Those are the very questions that, once a court answers them, become the next literacy baseline. We are not guessing here. We have watched this happen twice.

What AI literacy actually means

The seminar version of AI literacy is usually a tour of the tools: how to prompt ChatGPT or whichever model is newest, what the latest features can do, a couple of cautionary headlines. Often it does not even get to what a large language model actually is, or why that matters. And in any case, knowing how to drive the tools is an operator’s skill, which is not the literacy the law asks of a director. Useful as far as it goes, but it is not what a court would test you on. Follow the Centro template and AI literacy is not a body of technical knowledge at all. It is that diligent and intelligent interest, the understanding, and the enquiring mind, pointed at AI instead of a balance sheet. In practice it comes down to five things you should be able to do.

Understand how the tools behave well enough to interrogate them. This is the “read and understand” piece. You do not need to know how a model is trained, any more than you need to know double-entry bookkeeping. You do need a working grasp of how these systems fail: they hallucinate confident nonsense, they carry the biases in their training data, they are sycophantic and tend to tell you what you want to hear, the same prompt can give you different answers, and the reasoning behind an output is often a black box nobody can fully open. Without that, you cannot tell a reliable answer from one that merely sounds reliable.

Apply an enquiring mind to what they produce. Centro punished directors for nodding through figures they should have questioned. The AI version is nodding through an output because it is fluent and nicely formatted. The questions a director needs here are not mysterious, and they do not require a technical background. They fall straight out of knowing how the tools fail. What was this drawn from? What has it likely missed? Where is it most likely to be wrong? Has anyone checked it against a real source? Treat the output as a draft to be tested before it becomes a decision.

Map where your organisation actually uses AI. A financially literate director understands their own company’s finances. The same specificity applies to AI. Know where AI sits in your products, your operations and your decisions, what data is being fed into which tools, which tasks have quietly been handed to a system, and who your vendors and dependencies are. RI Advice is the reminder that outsourcing the technology does not outsource the risk. You cannot govern a use you do not know about, which comes down to whether your board has done its homework.

Weigh the risks that are specific to AI. Confidentiality is the one staring at you right now. A director who drops the details of a confidential deal into a public AI tool has very likely breached the company’s obligations and walked straight past its data governance. Behind that sit bias in automated decisions, intellectual property exposure, over-reliance and the slow erosion of genuine boardroom debate, and the litigation tail: your prompts, transcripts and outputs are discoverable. The Delaware case Fortis Advisors v Krafton, where a chief executive’s deleted ChatGPT logs turned up as evidence, is the cautionary tale. So, closer to home, is ASIC v Bekier, which the Chief Justice called the first Australian judgment to reflect on AI use by directors, and in which Justice Lee noted that many directors are already using AI informally to prepare for meetings.

Know the limits of reliance. This is where AI literacy runs straight into the safe harbours. As the Chief Justice warned, a director who simply adopts an AI’s recommendation may find the business judgment rule is not there for them, because they never made the conscious, independently reasoned decision the law requires. Literacy means using AI, in words the lecture endorsed, “as an aide to their own decision-making, rather than as a substitute for making an independent assessment”, and being able to set out your own reasoning without the machine. Knowing when to lean on the tool matters. Knowing when not to matters more.

What it is not

It is worth marking the other boundary too, because overcooking the requirement is its own kind of failure.

AI literacy does not mean directors have to code, build models, or follow the mathematics of machine learning. Centro is explicit that the financial literacy required “was not complicated”, and the same calibration applies. You do not discharge the duty by recruiting one technologist and deferring to them on everything, any more than you discharge the financial duty by leaving the numbers to the one director who used to be an accountant. The competency is collective, and it is general. It is the floor every director stands on. A few specialists cannot hold it up for everyone else.

Nor is it ticked off by a policy nobody reads or a single induction session. Financial literacy is something you keep current. With AI moving as fast as it is, that upkeep has to happen more often.

What boards should do

The practical steps fall straight out of the definition.

1. Put AI literacy on the skill matrix as a baseline capability. Be honest about where the board actually sits against the five capabilities above, and close the gap with real education, repeated. Treat it the way you treat financial literacy: a competency expected of everyone on the board. A structured governance work plan for responsible AI adoption can give that education a backbone.
2. Map your AI use before you try to govern it. Make management tell the board where AI is being used, in operations and in the preparation of board papers, which tools, on what data, and how the outputs were checked. You cannot bring an enquiring mind to a use you cannot see.
3. Calibrate. Do not catastrophise, and do not rubber-stamp. The goal is directors who can question an AI-shaped recommendation the way Centro expected them to question the accounts, neither waving it through because it reads well nor banning the technology outright and pushing its use into the shadows.
4. Tie literacy back to the decision. For any significant decision AI has touched, every director should be able to explain their own reasoning. If the only account of the decision is the AI’s, you have a literacy problem, and quite possibly a duties problem.

The test that outlasts AI

AI is the technology forcing the question today. It will not be the last. The same reasoning that builds an AI literacy standard out of the duty of care will build the next one too, because the duty itself never names a technology. It asks directors to be appropriately informed and to bring their own judgment to bear, and the bar for “appropriately informed” climbs as each new tool puts more within reach.

So it is worth holding on to the general version. When any technology starts to shape the decisions a board makes, a director should be able to:

1. Understand how it works well enough to question it, including the ways it fails.
2. Bring an enquiring mind to whatever it produces, and know which questions to ask.
3. Know where and how the organisation actually relies on it.
4. Understand the risks it brings with it.
5. Know the limits of that reliance, and keep the judgment their own.

Write in “AI” today. Write in whatever the board is grappling with in five years’ time. The questions do not change, because this has always come down to one thing: whether directors understand what they are deciding.

Pull Centro, RI Advice and the Chief Justice’s lecture together and you see one steady progression: the law keeps lifting the floor of competence directors are expected to stand on. Financial literacy was once novel and is now simply assumed. AI literacy is travelling the same road. So measure yourself against what a court would ask, not against a box you can tick after an afternoon seminar. The boards that do that now will be the ones standing comfortably on the floor when a court finally decides where it sits.

This article is general in nature and is not legal advice. Directors should seek advice tailored to their own circumstances.