
Introduction
Boards are being asked to govern AI systems they didn't design, don't fully understand, and are legally accountable for — and the clock is running.
In the past 12 months, the SEC created a dedicated enforcement unit for AI-related fraud, the EU AI Act moved from legislation to active enforcement timelines, AI-related securities class actions jumped from 7 filings in 2023 to 15 in 2024, and all 50 US states introduced AI legislation in the 2025 session. That is not a technology trend. That is a liability landscape.
This post is written for board directors, audit and risk committee members, CEOs, General Counsel, and CISOs who need a clear-eyed read on where AI governance stands today. It covers:
- The enforcement and regulatory developments boards cannot afford to miss
- The governance gaps creating real exposure right now
- What actionable board-level AI oversight actually looks like in practice
TLDR: Key Takeaways for Time-Pressed Directors
- AI governance is a board-level fiduciary responsibility — the SEC, DOJ, and FTC have all taken enforcement action
- Only 11% of S&P 500 companies disclose specific full-board or committee AI oversight details, despite widespread AI deployment
- "AI washing" — overstating AI capabilities in filings or marketing — now exposes directors to personal liability
- State-level AI legislation passed in 38 states in 2025; boards cannot wait for federal clarity
- Boards with documented AI oversight in committee charters today have a measurable legal and competitive edge over those waiting for federal mandates
Why AI Governance Became a Boardroom Imperative
AI stopped being a productivity experiment and became an enterprise actor. It now touches employee decisions, customer interactions, regulatory filings, and strategic planning — the exact categories boards are already accountable for.
The shift happened fast. JPMorgan Chase's 2026 proxy statement confirms the full board oversees both cybersecurity risk and AI matters, with additional oversight delegated to board committees. When AI systems operate at a scale that can materially affect financial outcomes or regulatory standing, informal management oversight is no longer sufficient. JPMorgan's structure is a direct acknowledgment of that reality.
The Information Asymmetry Problem
Audit committees can verify financial misstatements through established procedures. AI capabilities resist that kind of verification — and that gap is what makes AI governance structurally harder than financial oversight.
Most boards face three compounding gaps:
- Technical opacity — AI models produce outputs that are difficult to audit through traditional review processes
- Claim verification — marketing and investor communications routinely describe AI capabilities that technical teams struggle to substantiate on demand
- Accountability diffusion — legal understands disclosure requirements but not model behavior; IT understands the systems but not securities law; marketing crafts public messages without knowing technical limitations
No single function owns the full picture — and that fragmentation is where AI governance failures, and legal exposure, actually originate.
According to a Harvard Law School Forum analysis of the S&P 500, only 20% of S&P 500 companies had at least one director with AI expertise in 2024 — up from 11% in 2022, but still not majority practice. Boards are governing AI systems while operating with a significant competency gap.
The Enforcement Landscape Boards Must Understand
The SEC's Posture Has Hardened
On February 20, 2025, the SEC announced the Cyber and Emerging Technologies Unit (CETU) — approximately 30 fraud specialists replacing the prior Crypto Assets and Cyber Unit. CETU's stated priorities include fraud committed using AI and machine learning, and fraudulent issuer disclosures related to cybersecurity and AI.
The SEC's Fiscal Year 2026 Examination Priorities go further, explicitly flagging the accuracy of registrant representations about AI capabilities for review. That is an examination checklist, not aspirational guidance.
AI Washing: A Real and Expanding Liability Category
"AI washing" (false or exaggerated claims about AI capabilities in filings, investor communications, or marketing materials) has moved from a reputational concern to a prosecuted offense.
Recent enforcement actions illustrate the stakes:
| Case | Date | Conduct | Outcome |
|---|---|---|---|
| Delphia (USA) Inc. | Mar. 2024 | False claims about AI use in investment process | $225,000 civil penalty |
| Global Predictions Inc. | Mar. 2024 | Misrepresented itself as first regulated AI financial adviser | $175,000 civil penalty |
| Presto Automation | Jan. 2025 | Implied its own AI powered the product while relying on human agents | Cease-and-desist order |
| Nate / Albert Saniger | Apr. 2025 | Raised $42M+ claiming AI completed purchases; workers did it manually | SEC + DOJ charges, criminal fraud |
| Joonko / Ilit Raz | 2024 | Defrauded investors of $21M+ through misrepresented AI capabilities | SEC + DOJ criminal proceedings |

The pattern across these cases: public companies are not exempt. Operating-company boards (not just investment advisers) face direct exposure when management overstates what their AI actually does.
EU AI Act and State-Level Acceleration
That exposure doesn't stop at US borders. Any company with EU market exposure faces binding obligations under the EU AI Act, which entered into force August 1, 2024, with prohibited practices effective February 2, 2025 and broader high-risk system obligations phasing in through 2026–2027.
Noncompliance with high-risk system requirements carries fines of up to €15 million or 3% of global annual turnover, whichever is higher. Violations of prohibited practices reach 7%.
Domestically, NCSL reports that in the 2025 legislative session, all 50 states, Puerto Rico, the Virgin Islands, and D.C. introduced AI legislation, with 38 states adopting or enacting approximately 100 measures.
Colorado, Texas, and California each have active AI governance requirements in effect or imminent. Waiting for federal clarity is not a strategy.
Private Litigation Is Climbing
AI-related securities class action filings have risen from 7 filings in 2023 to 15 in 2024, per Cooley's securities litigation trend report. Stanford's Securities Class Action Clearinghouse tracked 53 AI-related filings through June 2025. High-profile targets have included C3.ai, Upstart, and ODDITY Tech. The theory is consistent: companies exaggerated AI capabilities, investors relied on those representations, and the shortfall caused losses.
The Governance Gap Hiding in Plain Sight
The headline number from the Harvard Law School Forum's S&P 500 analysis: only 11% of S&P 500 companies disclose specific full-board or committee AI oversight details, while 31% disclose some level of board AI oversight — up more than 84% year over year but still representing a significant structural gap.

That gap is the core governance exposure. Organizations are deploying AI at operational scale while board oversight structures lag well behind.
Where the Accountability Breaks Down
Ask most boards a direct question: when an AI system causes harm or regulatory exposure, who is accountable? The honest answer is usually unclear. Here is why:
- Legal teams understand disclosure requirements but lack technical depth
- IT teams understand model behavior but may not grasp securities law implications
- Marketing crafts public claims without knowing what the technical team can substantiate
- No single function owns the full picture from system behavior through public representation
That fragmentation is the origin point. AI washing, liability exposure, and governance failures trace back to the same broken handoff between functions.
The Director Literacy Problem
Spencer Stuart's 2025 U.S. Technology Board Index found that the prevalence of science and technology committees in large technology companies increased from only 9% to 14%, still a small minority. Among the broader S&P 500, only 20% of companies had even one director with AI expertise.
Periodic briefings are not sufficient. A one-time technology update leaves directors without the vocabulary or frameworks to ask pointed questions during the other 11 months of the year. Structured, ongoing education — the kind that builds a working question library and governance fluency — is now a board governance requirement.
Shadow AI: The Risk Inside the Boardroom
One governance exposure most frameworks have not yet addressed: directors and executives using unapproved consumer AI tools to process confidential board materials. Consider what that looks like in practice:
- Drafting responses to sensitive strategy documents in a consumer chatbot
- Running financial projections through a public AI interface
- Summarizing M&A materials using an unapproved tool
Each creates direct data governance and confidentiality exposure. Most AI governance policies apply to operational deployments and never address the people sitting in the boardroom itself.
What Good Board-Level AI Oversight Looks Like
Structure: Assign It, Don't Assume It
Leading boards are making four structural moves:
- Explicit charter assignment — AI oversight formally added to audit, risk, or technology committee charters, not left to informal discussion
- Standing agenda item — AI appears every meeting cycle, not as a periodic technology update
- Cross-committee coordination — audit covers disclosure integrity, risk covers model behavior and liability, compensation covers executive accountability tied to AI outcomes
- Full-board escalation path — documented triggers that bring AI incidents to the full board, not just the relevant committee

Board-Grade AI Reporting
Effective AI reporting for directors is not a technical briefing. It answers four specific questions in plain language:
- What AI systems are we running and what are they being used for?
- What public claims are we making about those systems — in filings, marketing, investor communications?
- What substantiates those claims — what testing, evidence, or documentation supports each assertion?
- What has changed since the last cycle — new deployments, changed capabilities, new risks, or unresolved incidents?
A board advisor or independent AI governance resource can help design and put this into practice, particularly for organizations in transition or without a dedicated AI governance lead. Tyson Martin's AI Governance Starter Pack delivers exactly this: an AI risk assessment, a decision-rights map, and a one-page board-level AI policy, delivered as a fixed-fee 30-day sprint.
Accountability and Risk Appetite
Good reporting surfaces what's happening. Accountability structures determine who's responsible when something goes wrong. Boards need to set two boundaries explicitly.
Certify the disclosures. Leading boards require management to certify that AI-related disclosures are factually substantiated — directly analogous to SOX financial certifications. Tying executive compensation to AI governance outcomes, not just AI output, reinforces that accountability.

Define where AI can act alone. Boards need a documented, approved answer to: where can AI advise, where can it act autonomously, and where must human judgment stay in the loop? A tiered decision-rights model makes that boundary enforceable: management authority at low risk, executive approval at medium, board escalation at high.
The Questions Your Board Should Be Asking at the Next Meeting
These questions are organized around three areas that carry the most immediate governance and liability exposure. Use them as a diagnostic — if your board can't answer most of these confidently, that gap is worth addressing before a regulator or plaintiff does it for you.
Disclosure Integrity
- What AI-related claims appear in our public filings, earnings communications, and marketing materials?
- What documentation substantiates each of those claims — and who owns that documentation?
- Has anyone outside the team that made the claim reviewed whether the evidence actually supports it?
Oversight Structure
- Which committee formally owns AI governance oversight, and is that reflected in the committee's charter?
- Is AI on our standing agenda, or does it only come up when something goes wrong?
- Does our incident escalation path include a trigger that reaches the full board for AI-related events?
Accountability and Safeguards
- When an AI system produces a harmful output or triggers a regulatory inquiry, who is named as accountable?
- Has management implemented structured testing — including third-party assessments — to catch unintended AI behavior before it scales?
- Is our organization more exposed to the risk of moving too slowly on AI governance, or too quickly without adequate safeguards — and what signals is management tracking to know which way that balance is shifting?
Frequently Asked Questions
What is AI governance in the boardroom, and why does it matter now?
AI governance refers to the structures, policies, and oversight processes boards use to ensure AI is deployed responsibly and represented accurately. It matters now because regulators, investors, and courts are actively holding boards accountable — the SEC has a dedicated enforcement unit, class action filings are rising, and the EU AI Act is in effect.
What are the biggest legal risks boards face from inadequate AI oversight?
Directors face exposure under fiduciary and Caremark-style monitoring duties when AI risks are ignored. AI washing enforcement by the SEC and DOJ creates direct personal liability risk, and private securities class actions targeting AI misrepresentation have grown sharply, reaching 15 filings in 2024 alone.
Which board committee should own AI governance oversight?
Most large companies have expanded existing audit or risk committee charters to include AI oversight, while a growing share have created dedicated technology committees. The critical factor is formal assignment — if it's not in the charter, it's not defensible.
What questions should board directors ask management about AI?
Directors should press management on:
- What AI claims appear in public disclosures, and what documentation supports them
- Who is accountable for AI-related outcomes, and how fast issues escalate to the board
- What safeguards — including third-party testing — exist to catch failures before they scale
How does the EU AI Act affect boards of US-headquartered companies?
Any company with EU market exposure or global operations faces direct compliance obligations for high-risk AI systems, with fines up to 3% of global annual turnover. The Act's transparency and accountability standards are also shaping what regulators, auditors, and institutional investors expect from US boards.
How is AI governance different from cybersecurity governance at the board level?
Cybersecurity governance focuses on protecting systems from external threats. AI governance focuses on ensuring the organization's own AI systems behave reliably, are represented accurately, and are deployed with clear accountability. The two increasingly overlap — particularly around data integrity, bias detection, and incident response — but they require distinct oversight frameworks.


