The board reporting pack that worked for IT leaders three or four years ago is largely failing now. Boards have become more sophisticated about technology — not always more knowledgeable, but more demanding. The reports that get nods at the boardroom table in 2026 look different to the project-portfolio-status decks that used to be the default.

After updating my own pack for the third time in 18 months and comparing notes with peers on the CIO Forum, a pattern is forming about what actually works.

What Boards Are Now Asking

A few questions come up in almost every board meeting I attend or hear about:

• What’s our exposure to AI vendor concentration risk?
• How are we tracking against our regulatory obligations on data and AI?
• Where’s our cyber posture relative to our peer group?
• What’s the IT spend trajectory and where’s the spend going?
• Are we behind, level, or ahead of competitors on technology adoption?

The interesting shift is that boards no longer want detailed project status updates. They’ve got past that. They want the underlying risk and capability picture, and they want it presented in a way that lets them ask informed questions.

The Four-Page Format That’s Working

The pack I’ve settled on, and that most of the better-organised CIOs I know are using some variation of, is roughly four pages:

Page one — Tech health snapshot. A single page that shows operational availability, security posture indicator, project portfolio health summary, and major risk indicators. Visual where possible. Numbers where they matter. This is the page the board reads first.

Page two — Strategic initiatives status. Not project status — strategic initiative status. The difference is important. Boards don’t want to know that project X is 60% complete. They want to know whether the strategic outcome the project supports is on track. This requires more thought from the CIO but produces a much more useful conversation.

Page three — Risk and regulatory. Cyber risk, data risk, AI risk, regulatory compliance status, vendor concentration risk. Each with a short narrative and a clear status indicator. The board appetite for this content has grown enormously over the past two years.

Page four — Forward look. What’s coming in the next six to twelve months. What investments are being made. What decisions the board needs to expect to make. What capability gaps are being addressed.

Anything more than four pages and the board doesn’t read it. The detail goes into appendices that nobody reads but that exist for accountability.

What Doesn’t Work Anymore

A few patterns have aged badly:

• Project-by-project RAG status reports. The board doesn’t need them and they bury the strategic picture in operational noise.
• Technology trend slides. Boards don’t want CIOs explaining what AI is. They want CIOs explaining what the company is doing about it.
• Vendor news updates. Boards don’t care that Microsoft announced something. They care whether it affects the company.
• Long executive summaries. The board reads the first page closely and skims everything else. Front-load the message.

The CIOs still presenting these formats in 2026 are usually the ones getting the pointed questions about “what are you actually here to tell us”.

The AI Slot Has Become Permanent

Every board pack now has an AI section. The question isn’t whether to include AI — it’s how to frame it usefully without falling into either over-promise or under-promise.

The framing that’s working is treating AI as a capability area that’s being developed across multiple business units, with specific examples of what’s been deployed, what’s being trialled, and what the risk and governance posture looks like. This is more useful to a board than abstract discussions of AI strategy.

What’s not working is presenting AI as a single transformational initiative. Boards have heard that pitch too many times to take it at face value. They want concrete examples of what’s actually been built, what it’s delivering, and what could go wrong.

For CIOs whose AI capability is still developing, the honest framing — “we’re at this stage, here’s the next step, here’s what we’d need to commit to get to maturity” — lands better than aspirational rhetoric. Boards forgive being behind. They don’t forgive being mislead.

Vendor Risk Has Moved Up

The board attention on vendor concentration risk has increased substantially in the last 18 months. This isn’t just about cloud providers, though that’s part of it. It’s about AI vendor concentration, ERP vendor concentration, communication platform concentration, and the cascading dependencies that aren’t always visible until something breaks.

The CIOs presenting this well show the actual dependency map at a level the board can understand, with mitigation strategies for the highest-risk dependencies. The CIOs who underplay this risk tend to face uncomfortable questions when something goes wrong elsewhere in the market and the board wonders why it wasn’t on the radar.

For organisations doing meaningful AI work, the vendor concentration in the AI model layer specifically has become a real boardroom topic. Several CIOs I know have brought in Team400 or similar advisors specifically to help structure the vendor risk picture for boards in a way that’s honest about constraints without being alarmist.

Cyber Has Become Tactical, Not Aspirational

Cyber reporting has matured beyond the “we’re working on it” phase. Boards now expect specific posture indicators, peer benchmarking where available, incident response readiness metrics, and clear escalation paths.

The shift is from “here’s our cyber strategy” to “here’s our cyber readiness, here’s what we’re investing in, here are the gaps”. The change is welcome but it does require CIOs to be more concrete about where they actually are versus where they’d like the board to think they are.

The Conversation Has Become Two-Way

The biggest change in board reporting is that it’s no longer a one-way information dump. Boards are asking sharper questions. They expect CIOs to be able to articulate trade-offs, defend resource allocations, and explain the implications of strategic decisions.

This requires preparation. The CIOs who walk into board meetings with the four-page pack and a clear sense of which questions are likely and what the answers are tend to leave with more support and fewer follow-up requests. The CIOs who arrive with thicker decks and less rehearsed thinking tend to spend the following week answering questions that could have been pre-empted.

The Honest Reality

Board reporting is one of the things CIOs spend less time on than they should. The temptation is to delegate it to the CFO or to recycle last quarter’s pack with updated numbers. Both approaches produce predictable outcomes.

The CIOs who treat their board pack as a serious communication exercise — drafted personally, reviewed against current board priorities, designed for the actual reading patterns of board members — get more support for their initiatives and face less friction on funding decisions. The investment in doing it well pays back in ways that are hard to attribute but real.

The format isn’t magic. The discipline is what matters. Four pages, clear message, honest framing, concrete examples, willingness to be challenged. The CIOs who can do that consistently are the ones who get to make the technology decisions that actually shape the business.