--- title: date: 0001-01-01 canonical: https://mariothomas.com/blog/ai-board-director-cfo/ --- # AI and the CFO: Still the One Who Signs EY's 2026 [Global DNA of the CFO Survey](https://www.ey.com/en_gl/insights/finance/dna-of-the-cfo-survey) asked more than 1,600 finance leaders how ready their function is to use AI well. Only **21%** rated their preparedness as leading or advanced. Over the same period the function was treating AI as central to its future: in Deloitte's [Q4 2025 CFO Signals](https://www.deloitte.com/us/en/insights/topics/business-strategy-growth/4q-2025-cfo-signals-survey.html), **87%** of CFOs expected AI to be extremely or very important to finance operations in 2026, and **54%** named integrating AI agents a top priority for the year. The gap between those numbers is the working condition of the role. Boards are already asking the CFO what AI will deliver. AI is already inside the close, the forecast, and the control environment. The function does not yet feel equipped to answer for any of it. The CFO is being held to account for results the function is not ready to produce. The principle underneath does not bend. The doing of the work can move to a machine. Accountability for the numbers and the capital cannot. This article walks through the CFO's recognised duties and sorts AI's effect into four honest groups: where it does the work, where it sharpens the judgement, where it operates out of sight, and where it changes almost nothing. ## The principle the CFO operates Beneath the breadth of the modern finance remit sit two duties that define the office. The first is the integrity of the financial record: the accounts give a true and fair view, and the CFO stands behind them. The second is the stewardship of capital: the CFO answers for whether the organisation's spending earns its keep. Almost everything else the function does serves one or the other. Both rest on binding texts. The [Companies Act 2006](https://www.legislation.gov.uk/ukpga/2006/46) requires every company to keep adequate accounting records (section 386) and to prepare accounts that give a true and fair view (section 393). The [FRC's 2024 UK Corporate Governance Code](https://www.frc.org.uk/library/standards-codes-policy/corporate-governance/uk-corporate-governance-code/) requires the directors to present a fair, balanced and understandable account of the company's position, to assess its principal risks, and to maintain and review its system of internal control. The recognised shape of the role was captured in Deloitte's [Four Faces of the CFO](https://deloitte.com/us/en/programs/chief-financial-officer/articles/gx-cfo-role-responsibilities-organization-steward-operator-catalyst-strategist.html) framework, which describes the steward, operator, strategist, and catalyst, and corroborated by the [ICAEW](https://www.icaew.com/technical/business/strategy-risk-and-innovation/strategy/cfo-and-strategy/the-cfos-role-in-strategy/the-many-strategic-roles-of-the-cfo), which sets out a remit spanning leadership, operations, controls, and strategy. None of these has been rewritten for AI. Within that settled remit, agency and accountability behave differently. A model can run the close. A tool can draft the forecast. An agent can flag a control breach. None of those uses is illegitimate in itself. What cannot move is accountability for whether the numbers are true and the capital was well stewarded. The texts have not changed. The conditions under which the duties are discharged have changed completely. The rest of this article works through where. ## Where AI does the work, and a human still signs The first group is the routine numbers work: the close, reconciliations, tax preparation, and the drafting of standard reports. This is where AI does the heavy lifting well. The sharper point comes first, though. Finance understands human-in-the-loop governance better than almost any function in the organisation. Segregation of duties, approval thresholds, attestation, reconciliation, and independent review are disciplines the function has built over decades. They are precisely the controls that AI oversight requires. The sensible pattern in practice gives a tool autonomy over gathering, analysis, and drafting, while a person approves anything that touches the ledger or leaves the building. Finance has been operating that pattern long before AI arrived. The control muscle already exists. This is where the readiness gap needs reading with care. EY's finding that only **21%** feel ready measures AI-specific capability and tooling, not control discipline. The discipline is there. It has not yet been pointed at AI. That is a more encouraging position than the headline number alone suggests, and it is the opportunity in this group: the function that already knows how to govern a human-in-the-loop process is well placed to govern a machine in one. What AI is not doing is signing. No CFO is putting a true and fair view over a close that an agent ran unsupervised. Deloitte's [State of AI in the Enterprise](https://www.deloitte.com/global/en/issues/generative-ai/state-of-ai-in-enterprise.html) (2026), drawn from 3,235 leaders across 24 countries, found that worker access to AI rose by **50%** in a year, while only **25%** of organisations had moved 40% or more of their AI pilots into production. Adoption is broad; production is early and uneven. **Autonomous execution of the close is an intent, not a practice.** The line holds. The sign-off on the accounts stays human. The Companies Act fixes the true and fair view as a matter the directors certify, and the FRC Code requires reporting that is fair, balanced and understandable. A machine can produce the figures faster and with fewer errors — it cannot be the one who certifies them. ## Where AI sharpens the judgement, and the call stays human The second group is where AI upgrades the work rather than replaces the worker. Forecasting, scenario analysis, capital allocation, and risk assessment all depend on reading an uncertain future, and this is where the technology earns its place. A finance team that once hand-built three or four cases can now map a far wider range of possible futures and test each against live data. Combined with the [four indicator types](/blog/maximum-fidelity-four-indicators/) set out in earlier work, which separate the confirmed, the signalled, the modelled, and the proven, this moves the forecast closer to maximum fidelity: everything knowable made available before the judgement is made. One discipline matters more than the tooling. Predictive work explores a portfolio of possible scenarios; it does not name a single likely outcome. The value sits in the range, not in the point estimate. A Board that reads a distribution of futures and seizes on one path as the answer has misused the instrument. The range is the finding. The pull to collapse it into a forecast is the error to guard against. Better forecasting serves the Board directly. It sharpens the capital-allocation decisions the CFO and the Board own, and it supports the thorough assessment of principal risks the FRC Code requires of the directors in Provision 28. The same modelling gives the audit committee a clearer view of where the genuine uncertainties lie, which is where independent challenge does its real work. The call does not transfer. The instrument improves; the judgement does not move with it. A wider, better-modelled set of futures makes the allocation decision better informed. It does not make the decision for anyone. The choice, and the accountability for it, stay with the CFO and the Board. ## Where AI operates out of sight, and the CFO still owns the consequence The hardest group is the one the CFO can see least. Two things are happening at once. AI is entering the control environment itself, the very system of checks the financial record depends on. And AI is being bought and used across the business, creating value and risk in places the finance function has no clear line to. The common reading is that the CFO is the executive least consulted on AI. That is the wrong frame. The CFO is the officer accountable for the financial consequence of AI that the organisation is deploying faster than anyone, the CFO included, can see or govern. Where a deployment decision is made deliberately, ownership is often contested rather than clearly the CFO's. KPMG's 2025 [CFO and CIO Collaboration Survey](https://kpmg.com/kpmg-us/content/dam/kpmg/pdf/2025/kpmg-cfo-cio-collaboration-survey.pdf), a small sample of around 100 US leaders at billion-dollar companies, found **59%** of CFOs and **61%** of CIOs each claiming primary responsibility for AI investment decisions. The figure is illustrative of contested ownership rather than a precise measure, and contested ownership is its own exposure: where two officers each assume responsibility, accountability for outcomes can fall through the gap between them. Most deployment is not even that deliberate. [Gartner's 2025](https://www.gartner.com/en/newsroom/press-releases/2025-11-19-gartner-identifies-critical-genai-blind-spots-that-cios-must-urgently-address0) survey of cybersecurity leaders found **69%** of organisations suspect or have evidence that staff are using prohibited public AI tools, and Gartner expects more than **40%** of enterprises to face a security or compliance incident from unauthorised shadow AI by 2030. The financial exposure lands on the CFO's desk. [IBM and the Ponemon Institute](https://www.ibm.com/reports/data-breach), in their 2025 Cost of a Data Breach report, found shadow AI was a factor in **20%** of breaches and added roughly **$670,000** to the average breach cost, while **63%** of breached organisations had no AI governance policy or were still building one. The same problem reads in legal terms under the [EU AI Act](https://artificialintelligenceact.eu/), whose high-risk obligations apply from August 2026 and turn an incomplete inventory of AI systems into a disclosure exposure. The opportunity is to extend control and assurance to AI itself, and to claim the value-measurement seat rather than cede it. [Minimum Lovable Governance](/toolkit/minimum-lovable-governance/) is the operating principle: light enough to keep the speed advantage, structured enough that the audit committee can attest to what has been built. The same control discipline that governs a human-in-the-loop process extends to the machine, including the growing practice of finance teams generating code that touches audited systems, where the [verification premium](/blog/vibe-coding-vs-classical-training/) decides whether that output can be trusted. The line to hold is the sharpest in the piece. **Accountability follows the consequence, not the line of sight.** The task is to build the visibility, because the CFO is answerable for the value and the risk whether or not the function can currently see them. The FRC Code makes this concrete in Provision 29, which requires the directors to monitor and review the effectiveness of all material controls, with the effectiveness declaration applying for financial years beginning on or after 1 January 2026. A control environment the CFO cannot see is a declaration the CFO cannot truthfully make. ## The part that does not move Some of the role barely changes at all. Three parts of it sit almost untouched by AI. The first is the judgement of whether the business is a going concern, a matter [Cadbury](https://cadbury.cjbs.archios.info/report) placed at the constitutional core of the finance function in 1992. The second is the relationship with the audit committee and the external auditor, the structure of independent challenge the FRC Code sets out in Provisions 24 to 27. The third is the act of standing behind the numbers to investors and to the market, which the directors' responsibility statement makes a personal undertaking. These are matters of judgement and relationship. AI can inform them at the edges. It can surface an early signal of liquidity stress, or assemble the evidence an audit committee reviews. It cannot form the judgement that the business will meet its obligations as they fall due, and it cannot sit inside the relationship of trust between a CFO, an audit committee, and an auditor. Naming this plainly matters, because the anxiety around AI tends to assume the whole role is dissolving. The core of it is not. The parts of the job that turn on judgement, and on standing behind a position, are the parts AI reaches last, if it reaches them at all. ## The line that does not move This is the same principle the series has carried from the start, applied now to the finance chief. [AI and the Director](/blog/director-ai-governance-playbook/), [AI and the Chair](/blog/ai-board-director-chair/), and [AI and the Company Secretary](/blog/ai-board-director-secretary/) traced it through the oversight roles, whose duty is to the Board's collective accountability. The CFO is the first executive officer in the series, and the object shifts to the integrity of the financial record and the stewardship of capital. The principle does not shift with it. Agency for the doing can be transferred to the machine. Accountability for the truth of the numbers and the stewardship of the capital cannot. The readiness gap is real, and it is the tension the CFO works inside. It is not the ending. The ending is older and steadier than any survey finding. The CFO's job has never been to produce the numbers. Clerks, then systems, then models have always produced them. The job has been to stand behind them. AI changes who produces the numbers. It does not change who signs for them. That is the line that does not move.