
Claude, Gemini, and ChatGPT Each Built an AI Risk Slide for the Board

May 20, 2026


Boards want answers, not technical dashboards. Three AI tools tried to build the perfect AI risk slide for ACME Corp, and all three left out what matters most.

The Experiment

The prompt was simple: Create a single slide presenting AI risk metrics to the board of a fictional company, ACME Corporation, with $500M in revenue. I used the three leading AI tools on the market, and the responses revealed a lot, not only about the tools, but about the current state of how organizations frame AI risk, as well as how AI conceptualizes its own risk.

Claude: The Risk Officer's View

Claude's output resonated with me because it felt as if it was built by a seasoned CISO who's had years of experience defending a risk budget in front of skeptical directors. I've watched this scene play out firsthand many times in the cybersecurity world. All of my conversations around AI risk with executives show that the uncertainty of AI will only exacerbate these conversations. The slide presents five risk categories:

  1. Model & Accuracy
  2. Data & Privacy
  3. Regulatory/Legal
  4. Operational
  5. Reputational/Bias 

Each of these categories is paired with a concrete metric, a current value, a target, and a trend arrow. The metrics are specific and measurable. For example, there is a 4.2% hallucination rate against a target of below 2%, three PII exposure events year-to-date against a target of zero, and EU AI Act coverage at 61% versus a 90% target. The categories and numbers, without a doubt, are representative of the information a risk committee might actually deliberate over. 

What's particularly strong is the "Board Actions Required" section. Claude maps each risk exposure to a time-bound action and owner. The tool advises the board to designate an AI risk owner within 30 days, commission a full AI inventory within 30–90 days, and approve a $2.5–4M risk budget within 30–90 days. The slide also calls out a 34% staff AI risk training coverage against an 80% target, a governance detail most slides (including the ones generated by ChatGPT and Gemini) miss entirely.

The philosophy behind these choices is immediately apparent. Claude is optimizing for accountability and decision readiness. Every number on the slide is designed to drive action, which is exactly the role of a board. A major red flag, however, is that while these are excellent metrics, the proper tooling and AI governance must be in place to support them. It raises a real question about the amount of effort it would take a team to reach this level of measurement without the right tools. Without a structured governance platform or set of modules, gathering and maintaining these metrics would likely require significant manual effort and coordination across teams.


ChatGPT: The Governance Framework Builder

ChatGPT took a different angle. Rather than presenting a snapshot of current AI risk levels, the LLM built something closer to a governance architecture slide, a structured view of what the organization should be tracking, with coverage metrics showing how far along it currently is. I found this impressive because establishing a clear baseline early on for tracking these types of metrics over time is critical for measuring the success of the program.

The output shows control coverage across six domains: Governance (72%), Data/Privacy (58%), Security (61%), Model Safety (63%), Monitoring (55%), and Vendor (49%). It also includes a "leading indicators" bar chart and a 90-day action roadmap focused on deploying prompt DLP, adding injection testing to CI/CD pipelines, and establishing vendor change notifications.

The language is notably far too operational for a board of directors, which is a big miss in my book. There are mentions of prompt injection success rates, safety filter efficacy, model change control, and audit traceability, all of which are far too granular when a CISO or AI risk leader has limited time to get their point across and their budget approved. To be fair, however, there is a callout to board-level decisions needed today, which include approving risk appetite thresholds and funding a 90-day control uplift.

ChatGPT’s approach makes sense if you're building toward a mature governance program and want to show the board a framework in progress. It's less useful if the board needs to understand right now what the organization’s exposure is and whether it aligns with higher-level objectives. For example, vendor risk at 49% coverage is a flashing warning sign, but translating those gaps into business impact, context that is crucial in this case, requires another step that the slide doesn't take.

Gemini: The Executive Dashboard

Gemini delivered what could be described as a polished middle ground. However, if this were the dashboard an organization relied on to measure its AI governance program, it would raise some serious concerns. While the overall direction is understandable, the output, even with hypothetical metrics, falls short of presenting a coherent narrative or a set of indicators that a board of directors could meaningfully interpret and act upon.

The dashboard is organized into three clear sections: Key Risk Metrics, Top 3 Critical Vulnerabilities, and a Strategic Roadmap. The risk metrics panel uses familiar red, yellow, and green status indicators to display measures such as shadow AI usage at 12%, data lineage coverage at 0.03%, hallucination rate, human-in-the-loop fallback, and AI ROI at $2.4M. The vulnerabilities panel highlights issues related to data provenance gaps, model drift, and third-party dependencies. The roadmap outlines four milestones, including DLP deployment (Q1, complete), AI liability insurance (Q2, in progress), and an ISO 42001 LLM audit (Q4, pending).

From a risk management perspective, the most constructive element is the framing of risk oversight as a value-generating activity rather than a cost center. This positioning is effective for a broad executive audience who want to see specifically how their investments are pushing the business further towards its goals. The reference to ISO 42001 also demonstrates awareness of the evolving regulatory landscape.

That said, the slide’s supporting notes introduce a degree of disconnect. The notes reference a $1.2M budget request for compliance software and remediation initiatives and state that the organization is on track for EU AI Act readiness by Q3. While this adds some narrative context, the relationship between these statements and the visual metrics on the dashboard is not clearly established, leaving the overall story somewhat fragmented.

What All Three Got Right

Despite their different approaches, there are meaningful points of agreement across all three outputs:

  • All three treated regulatory compliance, particularly around the EU AI Act, as a present concern rather than a future one. This makes sense with the looming deadline of August 2, 2026. 
  • All three included some form of vendor or third-party AI risk signal.
  • All three structured the slide or included “Actions” that needed to be taken, in addition to the standard metrics that simply inform.

What All Three Missed

1. Shadow AI: identified but not inventoried. Gemini flags "shadow AI usage at 12%" as a key risk metric. Claude mentions the commission of a full AI inventory as a required board action. But none of the three slides addresses the foundational question that precedes all others: Do we actually know every GenAI system operating in this organization?

This is the very premise behind AI Asset Visibility as a governance discipline. Without a living, verified inventory of sanctioned, shadow, and embedded GenAI tools, one that maps which tools access which data, which departments use them, and who owns each one, every other metric on the slide is built on an incomplete foundation.

2. Financial exposure is rarely quantified, and when it is, the ranges tend to be broad and presented without any probability context. Claude’s slide includes an estimated $18–34M annual AI risk exposure, which is a meaningful and directionally valuable figure. However, there is a substantial distinction between a high-level estimate and a quantified risk model. For boards making budget and strategic decisions, understanding the distribution of potential losses is critical. Rather than relying on a midpoint range alone, decision makers benefit from seeing the probability of different outcomes, including the potential impact of tail events. This type of probabilistic view allows organizations to move from abstract risk discussions toward financially grounded decision-making.

3. Governance maturity versus governance coverage. ChatGPT’s coverage figures (55% monitoring, 49% vendor) provide meaningful insights for measuring governance quality rather than just governance activity. But coverage alone does not equate to institutional preparedness. Two organizations can both report 60% control coverage and face dramatically different real-world risk exposure depending on the depth, testing, and real-world effectiveness of those controls.

A more mature AI governance approach benchmarks programs against recognized frameworks like NIST AI RMF and ISO 42001, sets specific target maturity levels, and, most importantly, connects those maturity assessments to financial exposure modeling. This allows the board to see not just where gaps exist, but what each gap costs and which improvements will deliver the highest return. The slides produced here describe risk. A true governance dashboard should be able to prioritize risk remediation by measurable business impact.

What This Tells Us About AI-Generated Governance Artifacts

All three tools made a reasonable attempt at AI risk reporting, but they ultimately fall short when it comes to the types of metrics organizations truly need to govern AI effectively.

The deeper issue is that each output reflects the same underlying assumption that risk is something to be measured and reported. In practice, leading enterprise AI governance programs approach risk very differently. Risk is not simply something to be reported, but something to be modeled continuously, with financial context, and tied to a verified inventory of AI assets and an operational control framework.

When those elements are in place, the resulting board-level reports will look very different from the slides produced here. Instead of static indicators, leadership receives a financially grounded view of exposure that supports real decision-making.

What a Purpose-Built AI Governance Platform Actually Looks Like

This is what Claude, Gemini, and ChatGPT were each reaching for. A verified asset inventory connected to quantified financial exposure, tied to a governance program that a board can actually fund and hold accountable. Here's my attempt at what that actually looks like, built around the gaps identified above.

The first slide addresses the foundational issue all three tools missed: AI asset visibility. Rather than flagging shadow AI as a metric, it treats inventory as the prerequisite. 85% of all AI systems are inventoried across sanctioned, embedded, and shadow categories, mapped to real risk classifications. Policy enforcement is shown as an operational reality, not an aspiration, with 1,247 blocks logged, 312 shadow AI redirects tracked, and 78.6% of incidents auto-resolved without CISO intervention.

The second slide tackles financial quantification directly. Instead of a broad exposure range, it presents a probabilistic model: a $12M expected annual loss at the median, a $34M tail risk at the 90th percentile, and a $3M budget ask framed against the gap it closes. Compliance posture is mapped to specific frameworks (EU AI Act, NIST AI RMF, ISO 42001) with named gaps ranked by materiality, not just coverage percentage.
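To show what a probabilistic view adds over a range, here is an added example (not part of the original slides or any product) that fits a loss distribution to the two quantiles quoted above and reads other board-relevant numbers from it. The lognormal shape is an assumption chosen for illustration, and all function names are hypothetical.

```python
import math
from statistics import NormalDist

# Quantiles quoted in the post, in USD millions.
MEDIAN_M = 12.0
P90_M = 34.0

def fit_lognormal(median, p90):
    """Return (mu, sigma) of ln(loss), assuming annual loss is lognormal."""
    if not 0 < median < p90:
        raise ValueError("need 0 < median < p90")
    mu = math.log(median)  # the median of a lognormal is exp(mu)
    sigma = (math.log(p90) - mu) / NormalDist().inv_cdf(0.90)
    return mu, sigma

def quantile(mu, sigma, p):
    """Loss level that is not exceeded with probability p."""
    return math.exp(mu + sigma * NormalDist().inv_cdf(p))

def prob_exceeds(mu, sigma, loss):
    """Probability that the annual loss is above `loss`."""
    return 1.0 - NormalDist(mu, sigma).cdf(math.log(loss))

def mean_loss(mu, sigma):
    """Expected annual loss; above the median because of the heavy tail."""
    return math.exp(mu + sigma ** 2 / 2)

def board_view(median=MEDIAN_M, p90=P90_M):
    mu, sigma = fit_lognormal(median, p90)
    over_18 = prob_exceeds(mu, sigma, 18.0)
    over_34 = prob_exceeds(mu, sigma, 34.0)
    return {
        "mean": mean_loss(mu, sigma),
        "p99": quantile(mu, sigma, 0.99),
        "p_over_18": over_18,
        # Probability mass inside the $18-34M range from Claude's slide.
        "p_18_to_34": over_18 - over_34,
    }

if __name__ == "__main__":
    for name, value in board_view().items():
        print(f"{name}: {value:.3f}")
```

Under this assumed shape, the mean sits well above the $12M median, and only about a fifth of the probability mass falls inside an $18–34M band, which is the kind of context a bare range cannot convey.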

That's the standard AI risk reporting should be held to. Not because it's more complete, but because it speaks the language boards actually use to make decisions. Directors fund and support specific exposures with known costs and clear remediation paths. When risk is presented as a verified inventory tied to a probabilistic loss model and mapped to named governance gaps, it stops being merely a compliance or activity update and starts being a capital allocation decision, which is exactly the conversation the board is equipped to have.

Want to see what this looks like built around your organization's actual AI footprint? Schedule a demo with our AI governance team today.

Yakir Golan

CEO
