The rapid evolution of Artificial Intelligence (AI) presents a complex and multifaceted governance challenge for corporate boards, a sentiment echoed by leaders at Iterate.ai. As AI technologies permeate business operations at an unprecedented pace, many boards risk overlooking critical governance issues by framing AI adoption solely as an information technology project. This approach, Jon Nordmark, co-founder and CEO of Iterate.ai, warns, can lead to significant risks materializing only after considerable damage has been incurred.

Nordmark, operating from Iterate.ai’s Centennial, Colorado office, emphasizes that AI’s trajectory is outpacing traditional governance frameworks. His company, based in San Jose, California, leverages a lean board structure comprising its two co-founders, who possess deep technical understanding of AI. Crucially, this core group is augmented by an advisory board, drawing expertise from diverse economic sectors to provide comprehensive guidance, particularly on the increasingly vital aspect of ethical AI governance.

Navigating the Uncharted Waters of AI Governance

One of the most pressing topics confronting boards today, according to Nordmark, is the need to maintain governance structures that can keep pace with AI’s relentless advancement. The mandate for responsible oversight centers on risks that are often overlooked in the rush to adopt new technologies. These include the implications of shared cloud infrastructure, the long-term persistence of AI memory, and the pervasive data exposure that arises when employees mistakenly assume their AI tool interactions are private.

A stark reminder of these risks emerged when over 70,000 ChatGPT conversations were found indexed in Google search results. Nordmark points out that this incident was not a technical failure but a profound governance lapse. It underscored a fundamental misunderstanding of how data is handled and secured within these powerful AI systems.

Iterate.ai approaches AI from both a strategic and a fiduciary perspective. On the fiduciary side, the focus is on understanding the flow and location of data, and the specific policies governing its use. This involves scrutinizing vendor incentives and implementing control models that prioritize resilience over mere convenience. The company expects reciprocal scrutiny from its vendors. From the board’s vantage point, the paramount goal is to ensure that the pursuit of speed never compromises customer trust or the company’s long-term strategic positioning – two elements Nordmark asserts are more interconnected than many boards acknowledge.

The Hidden Costs of Agentic AI

Beyond data security and privacy, a significant and often unquantified risk lies in the escalating cost of agentic AI systems. Unlike conventional chatbots that consume tokens in relatively predictable quantities, autonomous AI agents designed for tasks such as compliance review or software testing engage in extensive data processing. These agents repeatedly access context, execute tool calls in complex loops, and run long workflows, leading to token consumption that can dwarf initial pilot projections. Boards that have not proactively inquired about token pricing models are now facing unexpected and substantial operational expenditures as these agents are deployed in production environments.

Nordmark elaborates on the operational risks posed by AI agents, which are often "hiding right underneath the surface." These agents make decisions while persistently retaining vast amounts of information; they rarely forget and frequently act without explicit permission. This introduces a new class of operational risk if the environment in which they operate is not rigorously controlled.

At Iterate.ai, the co-founders serve as both the board and management, a dynamic that necessitates deliberate discipline. When acting in their governance capacity, their role is to establish standards applicable to all managers, including themselves. The board seat, in this model, is not a detached oversight position but a commitment to asking difficult questions, even of their own management decisions.

The immediate focus of governance efforts is on the layers below management, encompassing operations leads, product managers, engineers, and team leads who are making daily AI adoption decisions. These individuals select vendors and determine the data fed into various systems, often deploying new AI touchpoints without fully considering the destination of queries or the duration of data retention. The governance standard mandates holding these teams to a bar that deliberately moves beyond the default pursuit of speed.

Fiduciary Consequences of Procurement Decisions

The implications of procurement-level decisions are profound, carrying fiduciary consequences that many individuals making these choices may not yet fully comprehend. When an employee uploads a contract draft or customer data into a tool that processes it across shared public infrastructure, they may not be considering data retention policies, vendor terms, or the cumulative exposure that can quietly compound over time. This is not a reflection of individual negligence but rather a structural gap that robust governance is designed to address. By the time many boards engage with AI architecture diagrams and workflows, the systems are already built and creating potential exposure.

Iterate.ai draws a clear distinction between convenience and control. The temptation of convenience, such as using large language models that process data across public GPU farms or employing shared inference services without questioning their data retention practices, is significant. However, this convenience often comes at the expense of privacy, and most AI governance failures can be traced back to this specific trade-off. The board’s role, and indeed the role of boards across industries, is to ensure that individuals are explicitly confronted with this question before architectural decisions are made, rather than allowing the architecture itself to dictate the outcome.

Evolving Board Composition for the AI Era

Nordmark’s experience spans over two decades in corporate board roles, including previous startups where boards evolved from a two-person structure to five and then eight members, including venture capital representatives, independent directors, and founders. He has observed boards operating at various scales and complexities.

Iterate.ai’s current board is intentionally small, consisting of the two co-founders, supported by a robust set of board advisors. While governance is paramount, the company prioritizes agility and avoids the bureaucracy that can slow down decision-making. Legal and financial oversight is handled by external firms, maintaining a lean structure to prevent strategic interference and ensure that board time is used efficiently, without the need for extensive AI education. Given AI’s current doubling of capabilities every three months, a pace significantly faster than Moore’s Law, boards must be equipped to move with commensurate speed.

A key innovation in Iterate.ai’s approach is the formalization of its advisory board. Rather than prioritizing financial expertise, the focus is on recruiting operators with direct business experience in domains critical for the next decade. This includes individuals like Cathy Halligan, Elaine Boltz, Frank Kollmar, and Ted Shelton, each bringing distinct perspectives on retail and consumer insights, global operational scale, generative AI strategy, and ethical AI governance. These are viewed not as supplementary skills but as essential capabilities for responsible board oversight in the current landscape.

The advisory board’s expertise is instrumental in sharpening the company’s focus on private AI and the development of products for secure private environments. Recruitment criteria emphasize fluency in AI governance, cybersecurity, regulated environments, and digital transformation, as these are the areas where risk is most concentrated.

Nordmark posits that boards that fail to adapt to the realities of AI will inevitably fall behind the companies they are meant to govern. He extends this concern beyond AI, highlighting the looming threat of quantum computing, which is projected to reach a threshold capable of breaking current encryption between 2028 and 2032. Architectural decisions made today will determine a company’s vulnerability when this capability emerges. While most boards are not yet being asked about this timeline, it is far shorter than often perceived.

Maintaining Vigilance in a Rapidly Shifting Technological Landscape

Staying current with the opportunities and risks presented by emerging technologies is no longer optional but a fundamental governance obligation. The pace of technological advancement will not decelerate to accommodate human learning curves. Therefore, curiosity must be an intrinsic element of board operations, not an ancillary pursuit.

Surveys indicate a significant preparedness gap among directors. Reports suggest that only approximately 30 percent of directors feel adequately prepared for modern AI oversight, with nearly 40 percent having received no AI training whatsoever. This deficit has tangible consequences, even if the full impact has not yet materialized. A board that does not comprehend what it is approving is incapable of asking the pertinent questions, which constitutes the core of its function.

Iterate.ai bridges this gap through direct engagement with operators, researchers, and policymakers. The company analyzes real-world incidents rather than relying solely on hypothetical scenarios. It evaluates infrastructure exposure, memory retention, and regulatory obligations holistically, rather than in isolation. Participation in cross-industry forums, such as the Colorado-based IterateOn initiative, facilitates the cross-pollination of ideas, where insights from sectors like healthcare or aerospace can reveal patterns applicable to Iterate.ai’s operations. This cross-pollination enhances the sharpness and forward-looking nature of oversight.

On the policy front, Nordmark’s appointment to Colorado’s AI Task Force has provided firsthand experience in shaping legislation like SB 205, the state’s pioneering AI bill. This involvement has immersed him in critical debates surrounding AI bias and the delicate balance between consumer protection and regulatory frameworks that could potentially stifle innovation within the startup community. This contextual understanding profoundly informs the company’s risk assessment at the board level, offering a depth that purely internal deliberations might miss.

Strategies for Building Enduring Resilience

Nordmark asserts that resilience is unattainable without a clear understanding of data location. This knowledge is contingent upon critical systems not residing on uncontrolled shared infrastructure and AI stacks not retaining un-auditable or un-erasable memory.

Iterate.ai’s board prioritizes architectures that grant the company control rather than fostering dependence. The company actively pursues private AI environments, on-premises and offline options, model portability, and runtime control mechanisms that allow for the swift isolation or replacement of models in response to market shifts or changes in vendor terms. The design philosophy is explicitly geared towards avoiding single-vendor lock-in.

The issue of token pricing, often overlooked by boards, is presented as a critical facet of this resilience problem. The advent of agentic AI fundamentally alters the consumption curve. A single autonomous agent engaged in a long-running task can generate millions of tokens through recursive loops and extensive tool calls. When multiplied across an enterprise deploying numerous agents, the cost exposure becomes substantial and inherently volatile, as it is subject to the pricing decisions of third-party providers. In contrast, a private model operating on company-controlled infrastructure eliminates token meters, offering fixed and predictable economics. This leverage is precisely what Iterate.ai’s board prioritizes, demonstrating how a private AI architecture that safeguards data also protects the budget.

The questions Iterate.ai’s board presses management to answer are designed to assess the company’s capacity to withstand regulatory shifts, major vendor outages, or broad industry-level AI incidents. These are no longer hypothetical scenarios but present and immediate concerns. Resilience in the current technological climate is an architectural decision, built through privacy-first design, genuine transparency regarding data retention, and the operational capability to execute workloads outside the cloud when necessary. The board’s imperative is to embed these capabilities now, as any board that delays its inquiry until a headline event occurs will discover that the architecture has already made irreversible choices for them.
