Extracted from Law360
Nearly 90% of organizations now use artificial intelligence in some capacity, a reality reflected in public company disclosures, which report both widespread AI saturation and the attendant business impacts and risks.[1] Among S&P 500 companies, 72% identified AI as a material risk in their most recent Form 10-Ks, up 60% since 2023.[2]
AI is now an enterprisewide reality, but board and executive oversight has not kept pace. While companies have overwhelmingly embraced AI, most lack corresponding governance structures and director-level fluency to oversee these programs.[3]
The delta between the corporate adoption and integration of AI and meaningful board supervision widens as AI use expands. Already, AI has spawned a wave of lawsuits alleging companies overstated AI capabilities, understated the risks and costs of AI initiatives, or lacked the internal controls necessary to ensure public disclosures about AI match the operational reality.[4]
The Governance Gap
The data on board oversight of AI tells half the story. A recent Institutional Shareholder Services review of 3,048 U.S. companies across the Russell 3000 and S&P 500 found that only 245 — or roughly 8% — disclosed any board-level AI oversight, and only 9% reported established AI policies.[5]
ISS characterized AI governance at U.S. companies as remaining "at a formative stage," marked by limited transparency and spotty institutionalization, with concentrated leadership among only a small subset of firms.[6] The study is evidence that AI deployment is outpacing governance adoption, thereby creating a structural gap between AI adoption and proper risk oversight.[7]
ISS does not stand alone in these findings. A Society for Corporate Governance survey of public company governance professionals likewise concluded that while a majority of boards discussed AI in some form, only a quarter of them reported any formalized oversight with defined responsibilities and reporting lines.[8] Essentially, most boards fell somewhere between having periodic structured discussions and ad hoc updates incorporated into broader risk or strategy reviews, while some had no meaningful board-level discussions at all.[9]
Director education is similarly uneven. Only about half of boards have held or been offered AI-focused director education sessions, and only 10% report recruiting directors with AI or technology expertise.[10]
This is not for lack of concern by the directors themselves. Indeed, the survey demonstrated that directors identified the rapid pace of technological change, regulatory uncertainty, and their own lack of expertise and confidence as some of the most significant challenges they face.[11]
The nature of AI systems themselves further complicates oversight of AI programs. Many of these AI systems operate as black boxes, making it more difficult to monitor and address issues when they arise. Further complicating matters, many companies outsource AI services through third-party models or platforms that can introduce updates or change policies without prior company approval in certain instances.
For public company boards, this governance gap fuels three converging risks: (1) litigation exposure from securities claims and regulatory enforcement actions; (2) fiduciary concerns related to directors' lack of AI fluency; and (3) potential reputational harm when AI-driven incidents escalate into broader crises.
Litigation Risk: No Longer Hypothetical
Of these emerging risks, exposure to AI-related litigation has the loudest alarm bells ringing. The plaintiffs bar has rushed to bring AI-related lawsuits. According to National Economic Research Associates, there were 17 AI-related putative securities class actions filed last year, representing almost 10% of all federal securities filings, with additional high-profile cases already filed in 2026 against Oracle Corp., Richtech Robotics Inc. and CoreWeave Inc.[12]
The cases generally fall into two camps: AI washing claims that companies overstated their AI capabilities, and claims that companies understated the risks or financial impact of their AI initiatives.
Recent cases illustrate the range of exposure companies now face. Complaints have targeted everything from alleged overstatements about AI-driven products to failures to disclose the financial and operational risks tied to major AI investments.[13] Others focus on the gap between how companies describe their AI capabilities publicly and what is actually happening inside the businesses, including the extent to which outputs depend on human intervention.[14]
In the Barrows v. Oracle litigation, filed on Feb. 3 in the U.S. District Court for the District of Delaware, for example, the plaintiff alleges the company failed to disclose the risks of an aggressive AI infrastructure buildout. The challenged statements include whether AI-driven cloud demand adequately reflected the capital intensity, execution risks and margin pressure associated with rapid expansion.[15]
The CoreWeave securities class action, Masaitis v. CoreWeave, filed on Jan. 12 in the U.S. District Court for the District of New Jersey, likewise questions whether investors received a complete picture of the operational, customer-concentration and capacity risks underlying the company's AI infrastructure growth.[16] The related CoreWeave derivative action — Erez v. Intrator, filed on March 5, also in the District of New Jeresy — pushes those issues squarely into the boardroom, alleging failures of oversight, internal controls and disclosure processes around the company's AI-driven strategy.[17]
Together, these cases show that AI litigation increasingly targets the governance architecture supporting a company's AI narrative. They also highlight how easily disclosure and governance risk can arise when AI adoption outpaces internal understanding and oversight.
Where boards lack visibility into how AI is used, what risks it creates and how it is described externally, companies are more likely to find themselves defending claims that their disclosures did not match reality.
What Boards Should Be Doing Now
With the specter of increasing private securities liability, companies and boards should heed the old adage: The best defense is a good offense. Boards can begin strengthening oversight by focusing on several near-term priorities.
First, establish a baseline understanding of AI tools, uses and nomenclature, as well as guidelines around how board members can use those tools in their role as directors. Before boards can meaningfully oversee AI, directors need foundational fluency in the technology itself, including the distinction between large language models, agentic AI systems and traditional machine learning, in addition to an understanding of how confidentiality and privilege are affected by the use of these tools. Boards should also have their own AI use and adoption guidelines.
Second, establish whether your company is in the 9% that has adopted an AI governance framework or in the 91% that has not.[18] If your company is in the latter group, ask probative questions as to why. Understand what is necessary for the enterprise to conduct an AI audit and create an accountability structure accordingly.
Effective oversight begins with visibility, which requires a comprehensive catalog of what AI tools and systems the organization is using, whether developed internally or provided by third parties. This inventory should also assess how existing contracts permit outside vendors to deploy or train AI using company data, as well as evaluate the privacy and data security risks associated with both the organization's own AI tools and its vendors' use of AI.
Third, consider integrating board-level oversight mechanisms with defined responsibilities and a regular reporting cadence. This could take the form of a dedicated AI or technology subcommittee, or it could involve assigning primary responsibility to an existing committee such as audit or risk, with structured reporting that includes incident updates, third-party risk assessments and data governance metrics.
Fourth, reconsider board composition and your skills matrix. This is a clear opportunity to add directors who bring technical fluency to the boardroom. Director education programs and management briefings help, but they work best alongside directors who already have foundational knowledge in this space and add to the board's ability to provide proper oversight.
AI governance now sits at the intersection of securities law, regulatory enforcement, privacy, cybersecurity, intellectual property and litigation strategy. Companies should build a governance framework that is defensible in litigation, credible to regulators, and durable as the technology and the risks evolve.
Conclusion
More than just risk mitigation, closing the gap offers boards an opportunity to exercise meaningful strategic leadership at a moment of rapid technological transformation. Companies that invest now in thoughtful, informed AI governance will be better positioned to harness its benefits while maintaining the trust of investors, regulators and the public.
[1] Michael Gennaro, AI Is Outpacing the Systems Built to Govern It, Stanford Report Finds, LAW.COM (Apr. 15, 2026).
[2] Courtney Vien, CFO Brew, A whopping 72% of S&P 500 companies disclosed AI as a 'material risk' on their 10-Ks this year. They're most worried about reputational threats, Fortune (Oct. 8, 2025).
[3] Mind the Governance Gap: The State of Board Oversight and AI Policy in U.S. Companies, ISS STOX (Mar. 3, 2026).
[4] Jaeger v. Zillow Grp. Inc. , 644 F. Supp. 3d 857, 872 (W.D. Wash. 2022) (court held plaintiff sufficiently plead company overstated AI capabilities); Barrows v. Oracle Corp. et al. , No. 26-cv-00127, ¶¶ 3-12 (D. Del., filed Feb. 3, 2026) (alleging defendant understated risks of expanding AI data centers); Erez v. Intrator et al. , No. 26-cv-02321, ¶¶ 3-7, 47-52 (D.N.J., filed Mar. 05, 2026) (alleging individual defendants failed to maintain adequate internal controls to ensure statements to the public about AI infrastructure growth were accurate).
[5] Mind the Governance Gap: The State of Board Oversight and AI Policy in U.S. Companies, ISS STOX (Mar. 3, 2026).
[6] Id.
[7] Id.
[8] Board Oversight of AI – Virtual Roundtable, Society for Corporate Governance, p. 3 (Feb. 25, 2026).
[9] Id.
[10] Id. at p. 10.
[11] Id. at p. 4.
[12] Barrows v. Oracle Corp. , No. 26-cv-00127 (D. Del., filed Feb. 3, 2026); Masaitis v. CoreWeave Inc. , No. 26-cv-00355 (D.N.J., filed Jan. 12, 2026); Erez v. Intrator et al. , No. 26-cv-02321 (D.N.J., filed Mar. 05, 2026).
[13] Jaeger v. Zillow Grp. Inc. , 644 F. Supp. 3d 857, 872 (W.D. Wash. 2022) (court held plaintiff sufficiently plead company overstated AI capabilities); Barrows v. Oracle Corp. , No. 26-cv-00127, ¶¶ 3-12 (D. Del., filed Feb. 3, 2026) (alleging defendant understated risks of expanding AI data centers).
[14] In re: Upstart Holdings Inc. Sec. Litig. , No. 2:22-cv-02935, 2023 LX 97454, at *38, n.7 (S.D. Ohio Sep. 29, 2023).
[15] Barrows v. Oracle Corp. , No. 26-cv-00127, ¶¶ 9, 12, 17, 47 (D. Del., filed Feb. 3, 2026).
[16] Masaitis v. CoreWeave Inc. , No. 26-cv-00355, ¶¶ 2-6, 10-13, 19 (D.N.J., filed Jan. 12, 2026).
[17] Erez v. Intrator et al. , No. 26-cv-02321, ¶¶ 3-7, 47-52 (D.N.J., filed Mar. 05, 2026).
[18] See Mind the Governance Gap: The State of Board Oversight and AI Policy in U.S. Companies, ISS STOX (Mar. 3, 2026).