Sometime in the last eighteen months, pharma boards became some of the largest underwriters of AI infrastructure in the world.
Eli Lilly committed one billion dollars to AI-driven approaches. Roche announced fifty billion dollars of US investment over five years across gene therapy, weight loss medicines, and AI-enabled platforms. Across pharma in 2025, one hundred and sixty-eight new strategic alliances were signed involving AI. Industry AI spend in pharma is on track to grow from four billion dollars in 2025 to twenty-five billion by 2030.
Every one of those commitments was approved by a board.
Now look at what the data says about who is actually approving them.
The Literacy Gap
A Deloitte global survey of six hundred and ninety-five directors and executives across fifty-six countries found that sixty-six percent of board members say their own boards have "limited to no knowledge or experience" with AI. Almost half say AI is not yet on the board agenda at all.
Only thirteen percent of S&P 500 companies have a single director with AI-related expertise.
The National Association of Corporate Directors reports that only seventeen percent of boards have established an AI education plan for their directors, and only six percent have a dedicated committee to oversee AI. Just thirty-six percent of boards have any AI governance structure in place at all.
This is not a story about boards being slow to catch up to a new technology. This is a story about boards approving multi-year, multi-billion-dollar commitments inside a discipline they openly admit they do not understand.
In any other context, this would be a governance scandal. In AI, it has become the norm.
The Capability Mismatch
Pharma feels the gap more sharply than most industries, for three reasons.
First, the AI being deployed in pharma touches patient safety, prescribing decisions, pharmacovigilance, and clinical trial integrity. The cost of a silent failure is not a missed quarter. It is a regulator audit, a recall, a Phase III readout that no one trusts, or a safety signal that arrives too late.
Second, the regulatory perimeter is hardening fast. The EU AI Act, the FDA-EMA joint AI principles published in January 2026, and the EMA reflection paper finalized in September 2024 all converge on the same expectation. AI used in regulated decisions must be transparent, explainable, risk-stratified, and subject to demonstrable human oversight. Boards are now responsible for ensuring those expectations are met, and most boards do not have the literacy to ask whether they are.
Third, the capital exposure is enormous. A pharma board signing off on a fifty-billion-dollar multi-year transformation plan, with a meaningful AI component, has bound the company to a strategic direction it cannot independently evaluate. That is not delegation. That is abdication.
The Legal Exposure Is No Longer Theoretical
Delaware corporate law has long recognized that directors have a duty of oversight under the Caremark standard. A board breaches that duty if it utterly fails to implement a reporting and information system, or if, having implemented one, it consciously fails to monitor or oversee its operations.
The Delaware courts have been steadily expanding Caremark's reach. Cybersecurity cases established that boards can be held liable for failure to oversee technology risks they did not understand. The Barnhill decision raised the bar further for "mission-critical" operations, suggesting that anything the company itself describes as strategically essential carries heightened oversight obligations.
AI in pharma now sits squarely inside that category. Companies have publicly told investors that AI is central to their R&D engine, their commercial productivity, their pharmacovigilance, and their long-term competitive position. Once a board has approved that framing in earnings calls and proxy statements, the board cannot then claim AI is too technical for it to understand.
The shareholder bar is paying attention. A wave of cybersecurity-derivative suits has trained the plaintiffs' ecosystem to recognize the same pattern in AI. Boards that approve large AI commitments without documented oversight processes, without minutes that show substantive board-level engagement, and without an audit trail demonstrating how AI risks are surfaced and addressed are creating exactly the record that Caremark plaintiffs hunt for.
What Good Board Governance of AI Looks Like
The boards that are getting this right share six structural features.
First, they have at least one director with credible AI expertise. Not "interested in AI." Not "tech-adjacent." A director who can read a model card, ask the right questions about training data lineage, and recognize when management is over-claiming.
Second, they have a defined committee structure for AI oversight. Not a slide at the audit committee. A standing item on the risk committee, the technology committee, or a dedicated AI committee, with documented charter, mandate, and reporting cadence.
Third, they have a board-level AI inventory. Every material AI system in the company, mapped to its risk classification, its intended use, its data lineage, its human oversight architecture, and its regulatory exposure. The same inventory the company will eventually need for EU AI Act conformity. The board sees it. The board has questions about it. The minutes reflect the questions.
Fourth, they have a continuing education program for directors. KPMG and INSEAD launched their global AI Board Governance Principles in April 2026 explicitly because boards need a shared language. Boards that treat AI as a recurring agenda item with quarterly briefings, structured site visits to AI teams, and external technical advisors are visibly stronger than boards that treat it as a one-off presentation.
Fifth, they have explicit escalation triggers. When a high-risk AI system fails, when an override rate moves outside expected bounds, when a pharmacovigilance agent misses a signal, the board is notified, not just informed. The escalation pathway is documented and tested.
Sixth, they treat AI vendor selection as a board-level commercial decision, not an IT decision. The companies pharma is partnering with on AI infrastructure are now strategic suppliers in the same category as CDMOs and clinical CROs. Boards that delegate that selection entirely to procurement are forfeiting their visibility into the company's most consequential strategic dependencies.
The Pattern Repeats
This is not the first time corporate boards have approved technology commitments they did not understand. The cybersecurity story is the closest analogue. For most of the 2010s, boards approved large security investments without the literacy to evaluate them, and the result was a decade of regulator scrutiny, shareholder suits, and the eventual emergence of the cyber-expert director as a board norm.
AI is now running the same arc, faster.
The pharma boards that internalize this early will not just avoid liability. They will run a better company. Boards that can engage substantively with AI strategy ask sharper questions, surface risks earlier, allocate capital better, and prevent the kind of unforced governance errors that turn into regulator inspections and proxy fights.
Boards that do not will keep approving AI they do not understand, signing off on commitments they cannot evaluate, and waiting for the first major failure to remind them that approval was not the same thing as oversight.
The Implication
The AI literacy gap on pharma boards is the largest unaddressed governance risk in the industry right now.
It is larger than the EU AI Act. The Act sets a compliance floor that companies will eventually meet. The board literacy gap is a structural weakness sitting above the floor, inside the room where the most consequential decisions get approved.
The investors who care about long-term value, the regulators who are sharpening their oversight, and the plaintiffs' lawyers who hunt Caremark cases are all looking at the same boards from different angles. The boards that act now to close the gap will look like serious stewards of a fast-moving technology. The boards that wait will look like the cyber boards of the 2010s, except the technology they failed to oversee was the one their own companies told investors was strategically essential.
The pharmacist watching from inside the industry sees this clearly. The boards do not yet. That is the gap. And that gap is now the most important governance question pharma has to answer this decade.
