Bias, Hallucination, and Liability — The AI Risk Briefing Every Board Needs

AI bias is the systematic and unequal treatment of different groups by an AI system. A credit AI that approves applications from one demographic group at a higher rate than another — all else equal — is biased. A hiring AI that ranks CVs from graduates of certain universities higher regardless of underlying qualifications is biased. A healthcare AI that performs more accurately for patients of one demographic than another is biased. 'We did not intend to discriminate' is not a legal defence against AI discrimination claims. Intent is irrelevant; outcome is the legal standard in most AI bias frameworks.

Historical data bias is the most prevalent pathway: AI trained on historical decisions inherits historical discrimination. If credit has historically been extended at lower rates to certain demographic groups — due to discriminatory lending, geographic redlining, or socioeconomic barriers — a model trained on historical approval decisions learns to replicate that pattern. The model did not create the discrimination; it encoded and automated it. For any AI trained on historical decisions — credit, hiring, promotion, healthcare allocation — require explicit testing for historical bias encoding before deployment.

The EU AI Act classifies AI in high-stakes domains as high-risk, triggering mandatory governance obligations. High-risk domains under the EU AI Act include: recruitment and employment decisions, education and vocational training, essential private services (credit, insurance), law enforcement, border control, and biometric identification. High-risk AI requires: fundamental rights impact assessment, bias testing, human oversight architecture, technical documentation, and registration in the EU database before deployment. Map your AI system portfolio against the EU AI Act high-risk categories. High-risk AI requires a structured governance programme — not just standard IT deployment governance.

Disaggregated reporting requires breaking performance metrics down by protected characteristic groups. For a credit AI: report approval rates, false positive rates, and recall separately for each gender, age group, and ethnicity category. Compare across groups. Statistically significant differences in outcomes require investigation — they may be explicable by legitimate factors (e.g., actual creditworthiness differences) or may indicate discrimination. Require disaggregated performance reports for all AI systems making decisions that affect individuals in protected characteristic categories. Aggregate metrics are insufficient governance.

Hallucination occurs because generative AI models predict what text should come next — they do not look up or verify facts. An LLM generates each token (roughly, each word) based on its probability given the preceding context and training. The model that produces 'The case was decided in Smith v. Jones [2019], in which the court held...' is generating a highly probable continuation — not retrieving a verified case reference. If Smith v. Jones [2019] does not exist, the model does not know that. Generative AI outputs that include specific facts, citations, calculations, or regulatory references require external verification before professional use. Fluency is not accuracy.

Three categories define hallucination consequence severity for enterprise leaders. Category one — high consequence: legal, medical, financial, and compliance contexts where hallucinated facts can cause direct harm, legal liability, or regulatory violation. These require expert human verification of all specific facts, citations, and calculations before professional use. Category two — moderate consequence: customer communications, HR documentation, and public content where hallucination can cause reputational damage or customer harm. These require human review before external publication. Category three — low consequence: internal drafts, brainstorming, and research assistance where hallucination is discoverable in context and causes limited harm. Map your AI use cases to these three consequence categories. The mapping drives your hallucination governance architecture — avoid applying category one governance to category three use cases.

The most effective hallucination governance mechanism is structured factual grounding before generation. RAG architecture, verified document libraries, and constrained generation (the AI can only generate content supported by specified source documents) all reduce hallucination by anchoring outputs to verified facts before generation begins. Verification is built into the generation process, not applied post hoc. For category one and two contexts, require RAG or constrained generation architectures from vendors. Unconstrained generation in high-consequence contexts is an unacceptable governance posture.

The board AI risk briefing has four components. One: AI risk register — a mapped inventory of AI systems by consequence tier, with bias testing status and hallucination governance status for each. Two: incident log — any identified bias issues, hallucination events, or AI-related regulatory contacts in the period. Three: regulatory landscape — material changes in AI regulation (EU AI Act, FCA guidance, ICO enforcement) and the organisation's compliance status. Four: governance actions — any threshold changes, model retraining events, vendor contract amendments, or governance framework updates in the period. Structure the board AI risk update with all four components as standing agenda items. Boards that receive these four components quarterly are governing AI risk; boards that receive ad hoc updates are not.