Sat in on five board IT updates over the last six weeks, in companies ranging from a mid-cap industrial business to a private equity-backed retailer to a not-for-profit health provider. The questions boards are asking in 2026 have shifted in ways CIOs need to keep up with.

The dominant question two years ago was AI strategy — what’s our position, where are we investing, when do we see returns. That question is still being asked, but it’s been narrowed considerably. Boards want specifics now, not strategy. The ones who pushed for AI strategy reports in 2024 have read enough of them. They want to know which projects are running, what they cost, what they delivered, and what the next-quarter commitments look like.

What boards are actually asking

The questions cluster into four areas.

Resilience. Boards have absorbed the message from the major Australian incidents of the last 24 months and want concrete answers about what would happen to the business in a meaningful disruption. Generic disaster recovery slides don’t satisfy this anymore. The question is specific: if our customer database was unavailable for 48 hours, what would we tell customers, what would we tell regulators, and how quickly could we restore service. CIOs who have actually rehearsed these scenarios sound substantially more credible than CIOs who haven’t.

AI risk and AI governance. The flip side of the AI investment conversation. Boards want to understand what controls exist around AI tools that staff are using day-to-day, what data is going into them, and what regulatory exposure exists. The Australian regulatory environment for AI is still in flux, and boards are pricing that uncertainty into their oversight cadence. Concrete answers about data classification, vendor terms, audit logging and human-in-the-loop controls reassure boards. Hand-waving doesn’t.

Cost discipline. The honeymoon for elevated technology spending is over. Boards are asking sharper questions about cloud cost trends, software licence optimisation, and the unit economics of digital products. The “investment narrative” that justified above-trend tech spending in 2022-23 has reverted. CIOs who can show clear unit economics — cost per transaction, cost per customer, cost per employee — are doing better in board engagement than CIOs who can only talk in absolute dollar figures.

Talent and supplier risk. Boards are aware that a lot of critical capability sits with key individuals or single-source suppliers. The questions about succession planning for senior IT roles and contingency planning for critical supplier failures are sharper than they used to be. The right answer involves named individuals, named suppliers, and concrete risk mitigation plans.

What boards aren’t really asking

A few questions that used to dominate board IT reporting have quietly faded.

Cloud migration progress reports are no longer interesting. Most enterprises are far enough through the journey that the binary “are we in the cloud” question has been replaced with the more useful “are we getting value from cloud”. Status updates that focus on workload migration percentages get polite nods. Status updates that focus on cost-to-serve improvements and operational reliability gains get follow-up questions.

Cybersecurity tool inventories are no longer reassuring. Boards have figured out that you can have a long list of tools and a poor security posture, or a short list of tools and a strong one. The questions are now about outcomes — incident response time, patch latency, third-party risk coverage — not about which products are deployed.

Digital transformation strategy at the strategic level has largely been retired. The transformation language is exhausted. Boards want concrete projects, concrete budgets, concrete returns. The strategic narrative is assumed; the execution detail is what gets scrutinised.

What good reporting looks like

The CIOs whose board updates I sat in on with the most engagement shared a few habits.

They led with risk, not with achievements. The first ten minutes was always about what could go wrong and what was being done about it. The achievements followed naturally, in context. Boards trust executives who tell them about problems. They get nervous about executives who only tell them about successes.

They used the same numbers consistently. The metrics in May matched the metrics in February matched the metrics in November. Boards can absorb a lot of detail if it’s consistent over time. They get lost when the dashboard changes every quarter.

They were specific about commitments. “We will deliver X by Y for Z dollars” got more board respect than “we are progressing the X programme”. The CIOs who made specific commitments and met them earned the latitude to make bigger commitments next time. The CIOs who hedged everything got more questions and less trust.

They knew when to stop talking. The best board updates I saw left genuine time for board discussion and questions. The weakest ones used the full slot delivering content. Boards exist to ask questions. Letting them is part of the job.

The job of CIO board reporting in 2026 is harder than it was in 2022. The audience is more sophisticated, the questions are sharper, and the patience for narrative without substance is lower. The CIOs who treat it as a discipline rather than a chore are getting better support for what they need to do.