Where every Mycelium engagement begins. A diagnostic, a workshop, an assessment — for boards now formally accountable for AI.
The Australian Institute of Company Directors and the UTS Human Technology Institute have, between them, published five major pieces of guidance on AI governance and director duties in the last twelve months. APRA CPS 230 came into force. AS ISO/IEC 42001 was adopted as an Australian standard. The Victorian AI Strategy was released.
The cumulative effect is simple: boards of Australian organisations — APRA-regulated, critical-infrastructure, NFP, public sector, listed and unlisted — are now formally accountable for AI in a way they were not eighteen months ago. Director duties of care and diligence have been explicitly extended to AI literacy, AI oversight, and the board's own use of AI tools.
Yet most boards we encounter cannot answer the basic questions: where AI is being used in their organisation today, who is accountable for it, whether their risk appetite covers it, and what protocol governs the board's own use of generative AI on board papers.
This is the gap Mycelium closes — before the AI Security Health Check, before any AI Agents work, and as a standalone engagement for boards who want defensible answers without organisational disruption.
"Boards have governance strategies for the organisation's use of AI. They rarely have one for their own. The new AICD guidance has made that gap a director-duty question, not a hypothetical."
The pattern across Australian mid-market boards, 2026
The next risk committee meeting has AI on the agenda for the first time. The chair has read the AICD guidance. The CRO has produced a paper that covers cyber and IT risk well — and barely mentions AI risk in any defensible way. The chair knows the paper isn't enough, but cannot articulate exactly what's missing.
The Mycelium Board AI Diagnostic gives the chair a 10-question test to run against the paper before the meeting. The questions surface what isn't being asked. The chair walks into the committee with the right questions ready — and the CRO's next paper looks materially different.
Outcome: the board steps into AI oversight with a structured frame rather than a blank one. The diagnostic becomes the basis for the agenda for the next four risk committee meetings.
An exec team confidently reports to the board that "we're not really using AI yet." A week later, a director discovers their finance team has been running ChatGPT on management accounts, marketing is paying for three AI copywriting tools, and a customer service vendor recently added an AI co-pilot to their platform without notifying procurement.
The Mycelium Board AI Readiness Workshop runs over half a day. The board, the company secretary and the head of risk walk through the 10 diagnostic questions live. By the end of the session, shadow AI is no longer invisible — it has a name, an owner, a risk classification, and a remediation pathway. The Board AI Position Report lands five working days later.
Outcome: the board has a defensible AI inventory, a single accountable owner, and a documented decision about what good looks like — before the next regulator interaction and before the next vendor procurement.
A new NED joins a mid-market mutual or energy operator board. They've read the AICD director's guide. They expect AI to be a recurring committee topic. It isn't. The chair acknowledges the gap; the company secretary doesn't know where to start.
The Mycelium Board AI Readiness Assessment is commissioned as a 3-week project. Structured interviews with all directors. Document review of board papers and committee charters. The deliverable: a Board AI Protocol Charter the board can formally adopt, a Director AI Literacy Roadmap the chair can run twice a year, and a Board AI Position Report the new NED can use to brief peers.
Outcome: the board moves from "we'll get to AI" to "we have a documented AI governance position" inside one quarter. The new director's first contribution is a strategic one.
Board AI Readiness is structured as a deliberate ladder of value. Boards enter at the lightest rung — the free diagnostic — and decide whether to step up to the next based on what the previous rung surfaces. No board engages without prior signal that the work is worth doing.
A typical board does not need to go past rung two. Some boards never go past rung one. Both are valid.
Board AI Readiness is, by design, a board-led engagement. Mycelium facilitates. The board decides.
This is what separates this work from an audit or a vendor risk review. The board owns the outcome, the artefacts, and the protocols. Mycelium provides the diagnostic frame and the disciplined facilitation — but never makes governance decisions on behalf of the directors who hold them.
Every workshop and assessment is led by the board chair, with Mycelium providing structure, questions, and challenge. The board does not delegate the conversation to Mycelium — Mycelium runs the diagnostic, the board runs the discussion.
The Board AI Position Report and the Board AI Protocol Charter are board documents, not consulting deliverables. The IP is yours. Mycelium retains no rights, no usage claims, and no marketing case-study material without your explicit written permission.
Board AI Readiness is a bounded engagement. If the findings point to a need for organisational work — an AI Security Health Check, an Agent build — Mycelium will say so, and quote separately. The readiness work does not extend itself.
Request the 2-page Boardroom AI Diagnostic. Run it on your board in 30 minutes. If the conversation it surfaces is worth taking further, we'll talk. If not, you've still gained something useful.