Leadership in the Age of AI

How do I build a 90-day AI risk action plan?

Thomas Green 5 June 2026 7 min read
In short

A 90-day AI risk action plan turns the diffuse "I do not know what we are exposed to" anxiety into four time-boxed workstreams a leader can take to the board next quarter: inventory, governance, exposure and ownership.

Key points
  • A 90-day AI risk action plan turns "I do not know what we are exposed to" into four time-boxed workstreams the board can see: inventory (what AI is actually running), governance (who decides what is allowed), exposure (regulatory, financial and operational), and ownership (a named person accountable).
  • Days 1 to 30 build the inventory and surface shadow AI; days 31 to 60 stand up a lightweight governance frame and map exposure; days 61 to 90 assign ownership and bring a one-page risk register to the board.
  • The biggest exposure is rarely the model. It is the gap between adoption and oversight: 78% of employees admit using unapproved AI tools at work, and only 17% of organisations give their board responsibility for AI governance.
  • Under the EU AI Act, fines for prohibited practices reach EUR 35,000,000 or 7% of worldwide annual turnover, whichever is higher, with high-risk obligations landing on 2 August 2026.
  • Most of the risk sits in people and process, not the algorithm. One 2025 governance survey found 75% of organisations have an AI usage policy, yet only 54% keep an incident response playbook and just 48% monitor their AI systems for misuse or drift. A plan that inventories tools and ignores how people actually work leaves the real exposure intact.

You are in the lift after a board meeting, and the question is still sitting on your chest. A director asked, almost in passing, whether the business is exposed on AI. You said you would come back to them. The honest answer, the one you did not say out loud, is that you do not know, and that not-knowing is starting to keep you up at night. You can feel that there are tools running across the company that nobody has mapped, decisions being shaped by systems nobody signed off, and a regulatory clock ticking somewhere you cannot quite see.

Here is the answer, and it is more reachable than the worry suggests. A 90-day AI risk action plan replaces the diffuse dread with four concrete workstreams you can take to the board next quarter: an inventory of what AI is actually running, a governance frame for who decides what is allowed, a map of your exposure (regulatory, financial, operational), and a single named owner for each. Ninety days is enough to move from "I do not know" to "here is exactly where we stand and what we are doing about it." That sentence, said to your board, is the whole point.

Why does nobody seem to know what AI we are actually running?

Because the adoption happened faster than the oversight, and it rose from the floor of the organisation rather than the boardroom. Your people did not wait for a policy. A WalkMe survey of 1,000 working U.S. adults who use AI on the job found that 78% admit to using AI tools at work that were not approved by their employer. That is shadow AI, and it is not a fringe behaviour; it is the majority. The same survey found that 51% of workers receive conflicting guidance on AI use and 49% have hidden their AI use to avoid judgement. So the "I do not know what we are exposed to" feeling is not a personal failing. It reaches down through the whole organisation.

The board-level version of the gap is just as stark. McKinsey's State of AI survey reports that among organisations using AI, 51% have already felt at least one negative consequence, and that organisations now actively manage an average of four AI-related risks, a rise from two in 2022. Yet only 17% say their board of directors oversees AI governance. EY's survey of 975 C-suite leaders across 21 countries found that 72% have scaled AI across most or all initiatives, while only 33% hold proper protocols across a Responsible AI framework (the set of policies, controls and review steps that keep an AI system safe, lawful and accountable), with strong controls in just three of nine governance areas. The adoption curve has outrun the oversight curve. The plan exists to close that distance.

What does a 90-day AI risk action plan actually contain?

Four workstreams, run in sequence, each one feeding the next. Think of it the way you would map an unplugged versus a hardwired house: before you can rewire anything safely, you have to know what is drawing power and where the current is running. The first month is discovery, the second is structure, the third is accountability.

WorkstreamWhat it answers, and the exposure it closes
Inventory (Days 1 to 30)What AI is running, sanctioned and shadow? 78% of employees use unapproved tools, so a survey of approved software alone misses most of the estate.
Governance (Days 31 to 60)Who decides what is allowed? Only 17% of organisations have board-level AI oversight; a lightweight frame closes that gap.
Exposure (Days 31 to 60)Where are we regulatory, financial, operational? EU AI Act fines reach EUR 35m or 7% of turnover; high-risk rules apply from 2 August 2026.
Ownership (Days 61 to 90)Who is accountable for each risk? CEOs are most often cited; the plan names an owner per risk and a single register.

Two numbers tell you where to point the effort. Gartner predicts that at least 30% of generative AI projects will be abandoned after proof of concept by the end of 2025, and that over 40% of agentic AI projects (systems that act on their own, taking steps and making calls without a human at each one) will be cancelled by the end of 2027, in both cases citing inadequate risk controls, unclear business value and escalating costs. And the harm is already showing up in the record: Stanford's 2025 AI Index, the most cited independent annual audit of the field, logged 233 AI-related incidents in 2024, a 56.4% rise on the year before and the highest count on record. The exposure you are worried about is mostly an oversight and integration problem wearing a technology costume.

Take a plan to the board, not a worry

If you want a sounding board on shaping these four workstreams into something your directors will accept next quarter, that is exactly the conversation to have before you start.

Book your Strategy Session

How do I run each of the 90 days so the board trusts the answer?

Sequence matters more than speed. You earn each workstream by completing the one before it. Here is the cadence.

  1. Days 1 to 15, surface the shadow. Run an anonymous, judgement-free survey of how people actually use AI, alongside an audit of sanctioned tools and data flows. The goal is honesty, so make it safe to disclose. Nearly half your people have hidden their use; an inventory built on fear will be fiction.
  2. Days 16 to 30, build the register. Consolidate every AI use, sanctioned and shadow, into one living register: what it does, what data it touches, who relies on it, and what happens if it is wrong.
  3. Days 31 to 45, stand up the governance frame. Define who approves new AI use, what tiers of risk exist, and which decisions need board sight. Keep it to one page. A frame people read beats a policy people ignore.
  4. Days 46 to 60, map the exposure. Score each register entry against three axes: regulatory (EU AI Act and local equivalents), financial (cost, contractual liability), and operational (what breaks if it fails). This is where the EUR 35m or 7% of turnover ceiling becomes a real line item rather than an abstraction.
  5. Days 61 to 75, assign ownership. Every material risk gets one named, accountable human. Not a committee. A name. McKinsey finds the CEO is most often cited as responsible, which holds for the apex risk and breaks the moment you stretch one person across the whole register.
  6. Days 76 to 90, take it to the board. One page: top risks, owners, mitigations in flight, and the regulatory clock. The deliverable is confidence you can defend, not a document nobody opens.

Now the part most plans miss, and it is the part that decides whether the whole exercise holds. The risk does not live in the model. It lives in the distance between writing a rule and running it. A 2025 AI governance survey by Gradient Flow (an independent research firm that tracks how organisations build and run technology) found that 75% of organisations have an AI usage policy, yet only 54% keep an incident response playbook and just 48% monitor their AI systems for accuracy, misuse or drift. So three in four have written the rule, and barely half can act when the rule breaks. If your 90-day plan inventories software and leaves untouched how people actually work, you have mapped the easy quarter of your exposure and missed the rest. The bottleneck is no longer the technology. Most leaders are trying to install new software on broken hardware, and the same is true of risk: you cannot govern an AI estate with a human operating system you have yet to upgrade.

The AI risk you cannot see is rarely the model. It is the gap between how fast your people adopted and how slowly your oversight followed.

Ninety days from now, the lift question lands differently. A director asks whether you are exposed, and you have a register, a frame, an owner for each risk, and a clear read on the regulatory clock. You move from the back foot to the front. That is the shift this plan buys you: not the elimination of risk, which no one can promise, but the capability to see it, hold it, and steward it forward.

Frequently asked questions

How long does a 90-day AI risk action plan really take to feel useful?
The first 30 days deliver the change that matters most: the inventory. Once you can see what AI is actually running, including shadow AI, the dread lifts because the unknown becomes a list. Given that 78% of employees use unapproved tools, simply surfacing that estate moves you further than months of policy drafting. Governance, exposure mapping and ownership then build on that visibility over the following 60 days.
Who should own AI risk: the CEO, the board, or someone else?
McKinsey finds the CEO is most often cited as responsible and that only 17% of organisations have board-level AI oversight. The workable answer is layered: the board owns oversight of the apex risks and the regulatory exposure, the CEO owns the overall frame, and each material risk in the register gets one named operational owner. Diffuse accountability is what created the not-knowing in the first place; a name per risk is what resolves it.
What is the most expensive AI risk to leave unmanaged?
Regulatory exposure carries the hardest ceiling. Under Article 99 of the EU AI Act, non-compliance with prohibited practices can draw fines of up to EUR 35,000,000 or 7% of total worldwide annual turnover, whichever is higher. Prohibitions have applied since 2 February 2025 and high-risk system obligations apply from 2 August 2026, so the clock is already running. Operational and reputational exposure from the 51% of organisations that have already had a negative AI consequence often arrives sooner, if less visibly.
Thomas Green

About the author

Thomas Green

British technology futurist, AI keynote speaker and advisor. Thirty years across enterprise technology and AI strategy, helping leaders navigate the future of work. The futurist who died.

Get Thomas’ thinking into your inbox

Thoughts, stories and ideas on AI, leadership, and the future of work.