
A compliance view on AI, cyber risk and governance for public boards
In this episode of the Leading with purpose podcast, Kristy Grant-Hart, VP for Compliance Services at Diligent, shares how public-facing boards can navigate AI, cyber risk and regulatory change with confidence. She explains why staying ahead of regulation, updating risk assessments and investing in culture are essential for resilient, ethical governance.
We discuss how to build a practical AI governance framework, reduce cyber exposure, and use secure board technology to strengthen compliance and transparency without overburdening staff. Kristy also highlights the value of tabletop exercises and scenario planning to uncover vulnerabilities before a crisis hits.
Tune in for actionable advice to future-proof your public sector board and why expecting constant change is the only sustainable strategy.
If you enjoyed this episode, please rate and review the podcast to help others discover it too.
More about the podcast
Kristy Grant-Hart is Vice President for Compliance Services at Diligent, advising organizations on how to build effective, modern compliance programs in an era of rapid regulatory change.
In this episode, Kristy shares a compliance expert’s view on AI, cyber risk and governance for public-facing boards — from school districts and education boards to municipalities and local councils.
We explore the core responsibilities of public sector boards today: staying on top of current and upcoming regulation, keeping risk assessments up to date, and tailoring regulatory requirements to the size, structure and context of each organization. Kristy explains why “application” of a rule often matters more than the rule itself and how boards can balance rising expectations for transparency and accountability with the realities of politics, elections and competing community opinions.
We also discuss what it takes to build a proactive compliance culture, including understanding skills gaps on the board, bringing in external experts on topics like cyber and AI, and making smart use of associations and umbrella bodies for guidance and training.
And we also speak about operational and organizational resilience, looking at how reputation, school and community ratings, and regulatory scrutiny intersect — and why boards should be using tabletop exercises and crisis simulations to expose vulnerabilities before a privacy breach, ransomware attack or system outage hits.
Stay tuned to the end as Kristy shares her advice for leaders on future‑proofing their organizations amid regulatory uncertainty.
Further resources on regulations for public facing boards
- Navigate 2026 public sector regulations with confidence, download our Regulations outlook guide.
- Livestreaming regulations: What public facing boards need to know
- Board training regulations: what public boards need to know
- Cybersecurity regulations: What public facing boards need to know
- AI regulations: What public elected boards need to know
Transcript for A compliance view on AI, cyber risk and governance for public boards
Jill Holtz: Welcome to the Leading with Purpose podcast, where we share practical advice for purpose-driven work and board leadership in mission-focused organisations. I'm your host, Jill Holtz from Diligent, and in this four-part series, I talk to different leaders to explore regulations and compliance for public sector boards. What's coming in 2026, why oversight matters and how to prepare.
We'll cover critical areas of regulation, but also how public-facing boards need to think about managing their oversight and compliance and policy. I hope you enjoy the series. In this episode, I talk to Kristy Grant-Hart, Vice President for Compliance Services at Diligent.
Kristy starts with the essentials, staying on top of current and upcoming regulation, keeping your risk assessment up to date, and most importantly, tailoring application to your specific size and context. We discuss transparency challenges and Kristy shares ways to build a proactive compliance culture and a resilient organisation. She has some great recommendations on how to sharpen response and expose vulnerabilities before crises hit.
Listen now as we also cover documentation, training and why secure technology can help with your compliance. And stick around to the end for Kristy's great advice for public-facing boards for how they could go about future-proofing their organisation against all this uncertainty and operational risk. Welcome, Kristy.
Kristy Grant-Hart: I'm so delighted to be here. Thank you for having me.
Compliance and public sector boards
Jill Holtz: So, Kristy, we've been looking at all the regulations and legislation that public sector organisations have to comply with, and we have a new guide coming out on this as an outlook for 2026. So, I wanted to invite you to talk to me a bit about this topic and get your perspective. So, to kick us off, can I ask what, in your view, are the core responsibilities of public sector boards?
So, it could be a school district or a local municipality and council. What do they have to do to ensure compliance? And kind of thinking as well a little bit beyond that, organisational resilience, public trust, in what, as we know, is a very rapidly changing regulatory environment.
Kristy Grant-Hart: Well, I mean, I think the number one is staying on top of current and upcoming regulation. Without being able to plan for these things is just asking for trouble and understanding that most regulation doesn't happen overnight. Even the AI regulations, there are public periods where there can be activism to say yes or no.
Frankly, a lot of times I think these boards should be engaged in the yes or no or how this should be changed activism for some of the regulations that are going to be affecting them. I think that you need to have an updated risk assessment to understand what's going to be most critical for your specific institution or whatever that jurisdiction looks like. And really understand application is different than regulation itself.
So, the regulations may say certain things, but applying it within your organisation takes planning. And also making sure that it's fit for purpose for what it is that you specifically need to do. If you're a huge system versus a very small one, it's going to look different.
So, planning for that is really critical.
Challenges with complex regulations next year
Jill Holtz: So, just to recap, what I heard from you was keeping on top of regulation, even making sure you're involved kind of at consultation stages. Assessing risk is important. And then understanding the application may be different.
And it may depend on your organisation what you need to actually implement. Isn't that right? And your circumstance and your locality even.
That can all be very variable, can't it? So, as regulations become more complex, but then at the same time, we have expectations from the community for transparency and more accountability. What do you see as being real challenges for these public facing boards?
Let's talk about next year and in the coming years.
Kristy Grant-Hart: I think that transparency can be difficult. There will always be multiple opinions of how things should be done. Especially when you are in situations where people are running for election or they're trying to keep their seats.
And I think that politics can be very heavily involved in that as well, which creates its own type of challenges. So, I think, you know, as these become more complicated, getting the right expertise in place is really important. Getting your talking points is really important.
And making sure that your constituencies get enough transparency that they feel confident that you're actually doing the right thing. Even if they don't like the way you're doing it, that you're actually responding to what's required by these regulations. And frankly, being transparent about what they are.
I think frequently people see a decision and look at it in the abstract as opposed to seeing it in the context of what the regulations require. Your average person isn't paying attention to what is coming down from AI regulation or from, you know, student protection or child protection. They're not paying attention to it.
So, when they see an outcome, they may not understand the context for it. And part of that transparency and accountability is making sure that people understand that context.
Jill Holtz: I love that. So, it's really explaining the why. Why are we doing this?
Why are we putting this new policy? Why have we made this decision? But also explaining it in terms that they can understand.
So, this regulation means that each student needs to pay attention to their AI use, for example. So, really explaining it in those terms that your constituents can understand. You mentioned getting expertise to support.
Upskilling the board on regulation and compliance
You know, is that one thing that boards should do to ensure, again, if they're going to have the oversight to navigate these risks and regulatory requirements, they need to have skills and knowledge. Nobody's a technical expert. When you stand for election for a school board, you're not coming on with a whole load of technical expertise.
So, what steps can boards take to ensure they get that knowledge and skills for oversight?
Kristy Grant-Hart: Well, first of all, understanding where their skills gap is, is really important. Every board has a different composition. Every board has people with different backgrounds.
And that diversity can be very powerful, but most of them have gaps. I don't know how many of them have a lawyer. Even if they have a lawyer on there, if it's an employment lawyer and they're trying to look at cyber regulations, it's a totally different animal.
I say that as a lawyer. As a lawyer who's spectacular at compliance and knows zero about California labor laws, 846.5, right? So, I think that one of the things that they need to do is to recognize those skills gaps and find people with those kind of expertise, whether it's in the law, whether it's in something like cyber or AI, and getting that consultation, getting information about what's expected.
It can be a heck of a lot easier, faster, and frankly, less expensive to get an expert in for several hours than it is to try to do it yourself or get it wrong.
Fostering a culture of proactive compliance
Jill Holtz: Yeah, and they can lean on their kind of school board association if they're a school district or like an umbrella government association as well. Those have resources. And if it's in a particularly technical area, for example, you mentioned cyber.
How can public facing boards foster a culture of proactive compliance and ethical leadership rather than being simply reactive to new mandates as they rise? What's your perspective on that, Kristy?
Kristy Grant-Hart: There's a lot of pressure on boards, whether it's corporate or public, to know what the culture of an organization is. And I think that having information about that is incredibly important, because if you have a culture of people who are focused on compliance and ethics, focused on understanding culture and improving it where it needs to be improved, that will always be helpful. And I think that looking for things like, do you have some sort of speak up culture?
Is there a culture of non-retaliation? Whether you have a traditional whistleblowing hotline or some other way of gathering that information, that's really important. And also, there needs to be space for allowing respectful dissent.
I was on a board once in a nonprofit organization where everyone just, whatever the CEO said, everyone said, oh, you're so brilliant. You're so smart. Everything you say is amazing.
And it was a bit of a cult of personality. I think that having the ability to say, can we see this a different way? Let's think about it differently.
Let me put my point of view forward. When it has that capacity, the board itself, its composition and its ability to respectfully dissent and allow for real conversations, that's where some of the best stuff happens.
Building organizational resilience
Jill Holtz: And I suppose for a public board to think, OK, they may have stood for election because they were passionate about an issue in the school district. But at the end of the day, the board is a collective unit of these diverse people that has to come together to make decisions in the best interest of their mission and vision, don't they? We talk, I think, now when it comes to regulation and compliance, we talk a lot about the sort of a hot topic is operational resilience, organizational resilience.
When it comes to meeting those mandates, why is that important? And again, what can boards do to build that resilience as regulations change so quickly?
Kristy Grant-Hart: I mean, people talk all the time about corporate reputation. The public sector has it, too. And things like rating of schools, rating of how good your education is in particular is really powerful.
Or when they do the where's the best places to live, these things are considered. And so it's really important to get these things correct. So it's partially making plans, have those resiliency people come in and talk to you.
And one of the things I think can be very powerful that isn't utilized enough are tabletop exercises where the board is faced with this went wrong, that went wrong. Oh, no, this other thing went wrong. We've got privacy leaks.
We've got operational challenges. This system went down. There's a ransomware attack here.
I think when they actually experience that as if it's real, that can give a lot of perspective on how much we need to focus on this and where the vulnerabilities are.
Jill Holtz: I love that. I think that's excellent advice. Speaking of hot topics, AI, I think is top of mind for nearly every organization nowadays.
Obviously, it introduces new opportunities, new risks. There's a lot of talk about AI in education, AI in government. But you do also need to comply with the AI regulations that exist where you are.
AI governance for public facing boards
So how can public facing boards think about building out a robust AI governance framework? So how are we managing the AI use in our organization? What do they need to be thinking about there, Kristy?
Kristy Grant-Hart: There's such an important series of questions there. I think that number one, everything in compliance tends to start with a risk assessment. What's being used?
What's happening there? If you've got children, it is a whole other kettle of fish because there's so many children protections and child protections that need to be considered. Things like voice recognitions or deep fakes are all the things that can come from AI usage that, frankly, a lot of times I don't think the board is nefarious enough to consider how badly things can go wrong.
So looking at that risk assessment is really critical. I think one of the challenges that people face is they want to nail down exactly what is and isn't allowed. And that changes on a moment to moment basis.
And the tools change all the time. So I think that principles-based can be very helpful. I also think that there needs to be a consideration from your IT people of what can be done.
How can we block sites? What sort of protections can be put in place? What kind of ring fencing can we do in terms of where information goes and how it's stored and how long it's kept?
And then from an academic perspective, how are we going to allow it to be utilized where we're still teaching our students if we're in an education perspective? How are we making sure they actually learn skills without over-relying on it? So there's a lot of considerations there, but I think that they can be tackled and should be.
And it's an iterative process. I think people sometimes think they make a governance structure or they make a policy and they say, great, we're done with that. Or they make a risk assessment, that's finished.
And it's particular when it comes to AI and AI tools and their adoption. We have to be vigilant that these things change all the time.
Jill Holtz: So it's really important, again, the risk message I'm hearing from you. Assessing your risks, understanding what is and isn't allowed, but not as a one-off exercise. That's going to change regularly.
But also calling on your IT expertise around protections and ring fencing. I think that's really good advice because if you're using, for example, if you think about AI for governance and if you're summarizing board materials, you don't want to use an open AI where sensitive data about the school students or staff or something gets kind of fed into those systems, do you? So you need to be aware of that as well.
Technology, governance and compliance
Speaking of technology, we sell Diligent Community. We're passionate about that, helping boards and their district and municipality operations. So how important is, what role does technology have there?
How should public sector boards be thinking about integrating technology into their governance processes to be compliant? What's your perspective on that, Kristy?
Kristy Grant-Hart: I think it's absolutely critical. I recently had the very fun experience of being hacked. And in my personal email from when I was in college, that account still was floating out there. They found it.
And the level of discomfort that you feel when someone is on your LinkedIn as you trying to contact your contacts, when you have that experience, it's so powerful to realize just how vulnerable we and our organizations are. So I still see so many people emailing very sensitive documents, very sensitive pieces of information and not being very conscious of how damaging that can be. So I think the technology is absolutely critical.
And that if we aren't paying attention to it, we're asking for trouble. So the more we can put in those protections with very sensitive data, the better. And technology can really help us do that.
Jill Holtz: Yeah. And I mean, even in the kind of open meeting laws kind of arena, you know, if you have three people emailing, that can be a meeting. And then you're in breach of the open meeting laws where if you were doing it through board software, for example, you know, you're not having that instance arise.
You're taking care of that risk. I know you touched on cyber risk there. Again, sending things out by email is just so sensitive, so easily hacked, isn't it?
You know, there's a lot that technology can do to help boards be compliant from the get go for some of those things.
Kristy Grant-Hart: You don't control a lot of that data once it's out there in email. Things get forwarded, things get manipulated, things get wrong people added because they're both named Ian. There is so much that can go wrong when you're emailing and utilizing public systems in ways they just shouldn't be.
Jill Holtz: And I suppose from a kind of a compliance perspective, boards are required in many localities and states to publish their meeting minutes in advance of meetings to make sure that or the agenda and then minutes after meetings. And again, that can be a very manual sort of awkward thing without technology doing that for you in a way that makes sure you're meeting your compliance requirements for that as well. So I'm conscious you're very busy, so I'm just going to ask you one final question.
Advice for leaders on future proofing their organization
So if you have to give one piece of advice for leaders and board members for public facing boards for how they could go about future proofing their organization against all this uncertainty, operational risk, what would that one piece of advice be, Kristy?
Kristy Grant-Hart: I think it's to expect change. Humans are very uncomfortable as a group with uncertainty. We don't like it.
I don't like it. And I think that if you expect change and that it's a helpful mindset, because it doesn't say we finished this, we finished our AI governance policy, we finished our educational protection, we've done the thing. You haven't, because you've done it for now and expecting those changes to come, I think is the only way to operate successfully in this day and age.
Jill Holtz: I love that. Thank you. That's really great advice, Kristy.
Thank you so much for taking the time to talk to me today. I really appreciate it. It's been a pleasure.
Thank you. Thanks for tuning into Leading with Purpose today. I really hope you found today's discussion useful, interesting and insightful.
This series supports our public sector 2026 regulations outlook, a concise guide to the mandates and trends shaping the year ahead with practical steps that boards can act on now. To learn more, you can download our guide and other resources at www.diligent.com forward slash leading with purpose. That's www.diligent.com forward slash leading with purpose. And we will put that in the show notes. For more boardroom intelligence, do check out our sister Diligent podcast, the Corporate Director podcast, the voice of modern governance, where directors and experts share practical insights on governance, strategy, risk and digital transformation. Finally, I wanted to ask you a big favour.
If you enjoyed this episode, then I'd really appreciate if you would please take a moment to rate and review our podcast. It helps other people find it. And please share this episode with any colleagues who are planning their 2026 agendas with regulation and compliance and training.
I look forward to bringing you more practical advice for purpose driven work next time.
