
The question boards face now isn't whether AI warrants director-level attention. That debate is over. The question is whether the governance structures currently in place — or absent — would hold up under investor scrutiny, regulatory inquiry, or a Delaware courtroom. For most companies, the honest answer is no.
This post covers the latest data on where corporate boards actually stand, what investors and regulators are demanding, and what functional AI oversight requires — without inflating the challenge or pretending simple answers exist.
TL;DR
- AI governance is now a fiduciary responsibility, not a technology management issue
- Only 28% of S&P 100 companies disclose both board AI oversight and a formal AI policy
- Investor pressure is escalating: AI-related shareholder proposals jumped from 4 in 2023 to 19 in 2024
- Boards need clear oversight structures, defined decision rights, and reporting they can actually inspect — not a resident AI expert
- The gap between AI adoption pace and governance maturity is where the real liability lives
AI Governance Just Became Fiduciary: Why Now
AI has crossed from productivity tool to strategic actor. It now influences hiring decisions, customer interactions, credit determinations, fraud detection, and brand reputation — sometimes without any human review in the loop. That's the inflection point. When AI outcomes carry material financial, legal, and reputational consequences, board accountability follows.
The Regulatory Signal Boards Cannot Ignore
The accountability principle is already showing up in formal channels. On December 4, 2025, the SEC Investor Advisory Committee approved AI disclosure recommendations stating that issuers should define "Artificial Intelligence" in their disclosures, describe board oversight mechanisms, and report on material AI effects — both on internal operations and consumer-facing matters. This is an IAC recommendation, not an SEC rule. But proxy advisors and institutional investors are already treating it as a disclosure benchmark.
Shareholder proposals tell the same story. ISS-Corporate reported AI-related proposals rose from 4 in 2023 to 19 in 2024 — covering bias, data usage oversight, and deepfake risk. Glass Lewis found that 9 of 36 technology-related proposals in 2024 explicitly addressed company AI use. That number held at 9 of 29 in 2025. Investors are not backing off.
State Laws and Delaware Standards
In the absence of a comprehensive federal AI framework, states are moving independently. Colorado SB24-205, signed in 2024, requires developers of high-risk AI systems to use reasonable care to protect consumers from algorithmic discrimination — with obligations effective February 1, 2026. Other states are following. Boards operating nationally face an expanding patchwork of obligations that require active monitoring, not reactive compliance.
Delaware's oversight standards — already applied to cybersecurity through Caremark — will apply to AI the same way. Legal commentary from Oxford's Business Law Blog and Akin Gump has made this explicit: AI does not change the Caremark standard, but it does change the evidentiary context for demonstrating good-faith oversight.
That evidentiary context now includes concrete board-level requirements:
- Defined AI scope in corporate disclosures
- Documented committee responsibility for AI risk
- Evidence of recurring management reporting on material AI use
- Established escalation thresholds for AI-driven decisions
Boards that cannot produce these artifacts on demand face exposure — not because a new rule mandates them, but because the existing duty of oversight already does.
What the Data Shows: Where Corporate Boards Stand Today
The numbers are straightforward and sobering.
Glass Lewis found that among S&P 100 companies — the largest, most-scrutinized public companies in the country:
- 54% disclose board-level AI oversight
- 28% disclose both board oversight and a formal AI policy
- Of those that do disclose oversight, 63% assign it to a specific committee; 37% assign it to the full board
ISS-Corporate's analysis of the broader S&P 500 found 31.6% disclose some level of board AI oversight as of 2024. One in three. At a moment when AI is embedded in core business operations across nearly every sector.

How Oversight Is Being Assigned — and What It Signals
Among companies that have structured AI oversight, audit and technology committees are the most common assignments. Neither is inherently wrong: the right answer depends on where AI risk actually concentrates in a given business. What matters more is that the assignment is explicit, the committee has sufficient information, and management is reporting against it consistently.
The contrast between disclosure approaches is instructive. Lockheed Martin's 2026 proxy discloses full-board oversight of AI strategy, Audit Committee oversight of AI in finance, Classified Business and Security Committee review of AI in classified programs, and Nominating Committee oversight of ethical AI training goals, with director skills matrices identifying specific technology competencies.
Meta, despite deep AI integration across its products, provided minimal proxy disclosure and no director skills matrix tied to AI. Both approaches reflect choices. Only one holds up under investor or regulatory scrutiny.
The disclosure gap doesn't necessarily mean companies lack internal AI governance. What it signals is that they can't yet tell a defensible story about it — not to investors, not to regulators, and not in litigation.
The AI Risks Boards Can No Longer Deprioritize
AI risk doesn't behave like most operational risk. It compounds — and accelerates — as AI embeds itself across core business operations. The risk categories already creating board exposure include:
- Bias and discriminatory outputs — consequential in hiring, lending, and consumer-facing decisions; increasingly a legal exposure as state laws tighten
- Copyright and training data exposure — case law on IP infringement tied to AI training is developing rapidly
- Cybersecurity and data leakage — AI tools introduce new data exfiltration vectors, particularly through cloud-based AI services
- Output quality failures — hallucinations and unpredictable results create liability when AI outputs are acted upon without verification
- Fraud and deepfakes — FinCEN's November 2024 alert documented GenAI-enabled fraud including AI-generated synthetic identities used to open accounts and bypass financial institution verification
- Reputational harm — incorrect, biased, or unpredictable AI behavior in customer-facing applications damages brand trust in ways that are difficult to reverse
AI failures rarely expose purely technical problems. They expose gaps in governance structure, decision rights, and escalation discipline. That's the board's terrain — and where the absence of oversight becomes a liability, not just an oversight gap.
Do Boards Need a Dedicated AI Expert?
Recruiting a dedicated AI expert onto the board feels like a logical response to AI risk. For most companies, it isn't the right one.
The pool of genuinely qualified candidates is limited. More practically, concentrating AI knowledge in a single director creates a dynamic where other directors defer rather than challenge — and that deference is exactly what governance is supposed to prevent. When one person becomes the AI voice in the room, the board loses the constructive friction that makes oversight meaningful.
The Legally Grounded Alternative
Under Delaware law, boards can rely on management experts — the CTO, CDO, or an external advisor — provided that reliance is in good faith and those experts were selected with reasonable care. This is a well-established and defensible path.
The SolarWinds cybersecurity case illustrates the point: Delaware's Court of Chancery dismissed Caremark claims specifically because reporting systems existed, even where a breach had occurred. A credible oversight structure is what courts look for.
What boards should require instead of a single AI expert:
- Baseline AI literacy across all directors — enough to ask informed questions and evaluate management's answers, not full technical fluency
- Structured reporting from the CTO or CDO on a recurring cadence — not status updates, but a stable format that shows trend, flags risk, and prompts decisions
- Formal oversight allocation — a named committee, with a named responsibility, in the committee charter
- Director education through credible sources — NACD's "Director Essentials: AI and Board Governance" resource was built specifically for this gap

ISS-Corporate found that 20% of S&P 500 companies disclosed at least one director with AI expertise in 2024, up from under 14% in 2023. That growth signals awareness — but a single named expert doesn't constitute oversight. The board as a whole needs enough literacy to challenge management's AI decisions, not just enough cover to claim the issue is assigned.
Building AI Governance That Holds Up Under Pressure
Governance that works under pressure looks different from governance that works on paper. The foundation requires four elements, in sequence:
- Organization-wide AI use assessment — you cannot govern what you haven't inventoried. This means mapping every material AI application across the business, including third-party tools.
- Defined oversight structures — named committee responsibility, reflected in the charter, with clear scope boundaries.
- Risk management protocols aligned to recognized frameworks — NIST AI RMF 1.0 and ISO/IEC 42001:2023 both provide actionable structures. Organizations with existing cyber governance frameworks can extend them to AI using the same control architecture — no parallel build required.
- Empowerment mechanisms — management teams need defined guardrails that allow them to act decisively within set boundaries, without escalating every AI decision to the board.
What Board-Grade AI Reporting Actually Looks Like
The standard for board AI reporting should be higher than "here's where the pilots stand." Effective reporting provides a stable, consistent dashboard that directors can interrogate over time — not a presentation optimized for the moment.
That dashboard should include:
- Use-case inventory with materiality indicators
- Risk register with ownership and trend direction
- Incident log with escalation history
- Control effectiveness signals and drift indicators
- Upcoming regulatory obligations or threshold changes

The format matters. Two to four slides or one to two pages, consistent month to month, so the board can track drift rather than absorb new context every cycle.
Decision Rights and Escalation Thresholds
Boards need to define explicitly where AI can advise, where it can act, and where a human must decide. That framework needs to exist in writing and be tested through tabletop exercises before an incident. Decision rights that live only in a document won't survive contact with a real scenario.
For boards building or strengthening AI governance — whether due to new leadership, an acquisition, or a gap that's become visible — outside perspective can close the distance quickly. Tyson Martin works with boards and committees in these situations: structuring committee charters, setting reporting cadences, and establishing the decision rights framework that makes AI oversight inspectable and defensible.
Frequently Asked Questions
What is board-level AI oversight and why does it matter?
Board-level AI oversight means formally assigning responsibility for AI risk and governance to the full board or a designated committee. It matters because AI now creates material financial, legal, and reputational risks that fall squarely within directors' fiduciary obligations — and proxy advisors, institutional investors, and regulators are actively evaluating whether those structures exist.
Do boards need a dedicated AI expert to oversee AI risks?
No. Corporate law allows boards to rely on management and outside advisors, provided that reliance is reasonable and in good faith. What's required is baseline AI literacy across all directors, formal oversight allocation, and structured reporting — not a single designated expert.
Which board committee should be responsible for AI oversight?
Most companies assign AI oversight to audit or technology committees; some split responsibility across committees by risk type. The right structure depends on the company's AI integration level and existing governance architecture — the key requirement is that the assignment is explicit and documented.
What should a board demand in AI risk reporting from management?
Effective AI reporting goes well beyond status updates. Boards should require a stable, recurring dashboard covering a risk register, incident log, use-case inventory, and control effectiveness indicators — in a format that shows trend over time and can be interrogated.
How does AI governance relate to cybersecurity oversight?
AI expands the attack surface, enables new fraud vectors, and introduces model risk that overlaps directly with cyber risk. Organizations with strong existing cyber governance are well-positioned to extend those frameworks to AI — using NIST AI RMF or ISO 42001 — rather than building separate structures from scratch.
What are the SEC's current expectations for AI disclosure?
The SEC Investor Advisory Committee recommended in December 2025 that companies define AI in their disclosures, describe board oversight mechanisms, and report on material AI effects on operations and consumers. These are IAC recommendations, not mandatory rules — but they are shaping investor expectations and proxy advisor evaluation criteria heading into the 2026 proxy season.


