AI Governance: Who Bears the Harm When AI Goes Wrong?

OpenAI, Google, Anthropic - the major AI companies speak with one voice: AI will benefit all of humanity. It's a compelling claim. But who bears the harm?

A recent peer-reviewed study from Carnegie Mellon University analysed 499 publicly reported AI incidents. The headline finding: most harms are experienced by people who never chose to use the technology in the first place.

Here's what that means in practice:

🛑 The party obtaining the benefit, i.e. the AI company, the deploying organisation, the end user, is routinely not the party absorbing the harm.

🛑 Secondary stakeholders bear the cost, i.e. the person whose image was deepfaked, the community targeted by AI-generated misinformation, the worker displaced by a system they had no say in adopting.

Why does this matter for boards?

Research like this gives us a rare opportunity to get ahead of known failure modes (rather than discover them the hard way). The incident patterns are visible and the harm categories are documented. The question is whether boards are using this intelligence to design governance frameworks that are fit for purpose from the outset.

This is not just an internal governance question. It's an ESG question about your supplier relationships and your downstream footprint. If you are procuring or deploying AI, you sit somewhere in this value chain.

❓ The question is whether your governance framework reflects that responsibility.

Questions for your board to consider

🔹 Design from the outset: Are our AI systems and procurement decisions designed with humanity centred from the start, or are ethics and risk considerations bolted on after the fact?

🔹 Incident reporting: Do we have systematic mechanisms to capture AI-related harms, including harms beyond our direct operations, and are external incidents actively informing our internal risk intelligence?

🔹 Systemic issues: Are we looking across incidents for patterns? Are we asking whether isolated events are signals of something structural that requires a governance response?

🔹 Known risk categories: Do we have mitigations in place for the risk categories we already know about, for example, misuse, unanticipated application, secondary harm to those outside the transaction?

🔹 Accountability and remediation: When harm occurs, is accountability clear? Is there a traceable, credible path from incident to learning to remediation that our board can stand behind?

💡 AI governance that centres humanity means designing frameworks where those who bear the harm have visibility, voice, and recourse, not just those who capture the benefit.

💡 We can make deliberate and responsible choices now that will shape our systems and organisations for many years, seeking to minimise harm and benefit all of humanity.
