Seventy-six percent of S&P 500 companies added or expanded AI risk disclosures in their 2025 annual filings, according to an Autonomy Institute report cited by Goodwin Law. Most of them added generic language. Most of that language will not survive an SEC comment letter.
The SEC's Division of Corporation Finance reviewed a sample of AI-related disclosures by S&P 500 companies and determined that most were not tailored to an individual company or its business. That finding, delivered publicly by SEC Division Deputy Director Cicely LaMothe at the 2024 AICPA Conference and confirmed in subsequent comment letters, defines the problem your Q2 2026 10-Q needs to solve: AI disclosures that could apply to any company in any industry are inadequate. AI disclosures tied to how this company uses or is affected by AI, in specific ways, with specific risk or opportunity quantification where available, are what the staff expects.
For Q2 2026, most controllers are reviewing their risk factors and MD&A for the first time since the annual filing. Many will carry forward the same AI boilerplate. This post explains what the comment letter record tells us about what the staff actually wants, where AI disclosure belongs in the 10-Q, how the disclosure differs depending on whether AI is a risk to your business or a tool you use to run it, and what a practical Q2 AI disclosure framework looks like.
Why AI Disclosure Has Gone From Optional to Expected in SEC Filings
The shift from optional to expected happened in stages, and the stage we are in now is the highest-scrutiny one.
The Orrick analysis of 92 SEC AI-related comment letters sent to 56 companies between 2021 and October 2024 is the most comprehensive public dataset on this question. The comment letters span five categories of concern: materiality assessment, specificity and tailoring, accuracy and substantiation, governance disclosure, and consistency across filings and earnings calls.
The Nasdaq data confirms that AI rose to the seventh most commented area in SEC comment letters in 2025, up from a lower position in prior years. The trajectory is consistent with other disclosure topics the SEC elevated through comment letters before eventually formalising: cybersecurity in 2018, climate in 2021-2022, and now AI.
What changed in the last twelve months is the enforcement dimension. In March 2024, the SEC charged Delphia USA Inc. and Global Predictions Inc. with making false and misleading statements about their use of AI, marking the first AI-specific securities fraud enforcement actions. The SEC's enforcement posture signals that AI disclosure is not just a disclosure quality question. It is a fraud-prevention question. Companies that claim to use AI they do not actually use, and companies that fail to disclose material AI-related risks that investors would consider important, both face enforcement risk.
The D&O Diary analysis from February 2026 captures the regulatory posture precisely: as the SEC itself builds and deploys AI-enabled tools internally, its expectations for how registrants manage analogous risks, including data provenance, human oversight, testing and validation, vendor management, and documentation, are becoming more concrete in comment letters and in examinations.
The practical implication for Q2 2026: the question is not whether your company needs to address AI in the 10-Q. The question is whether your current AI disclosure accurately and specifically describes how AI affects your specific business, and whether it would survive a comment letter asking you to explain why the language is not tailored to your company and circumstances.
What Does the SEC Mean by "Generic" AI Disclosure and What Does Adequate Look Like?
The SEC's definition of generic is clearest in the comment letters themselves. The most common comment on AI risk factors is a direct quote of the boilerplate language, followed by a request to revise to ensure that the risk factor is tailored to the company and not applicable to any issuer in any industry.
Item 105 of Regulation S-K requires that risk factors be organised logically, concisely, and adequately describe the risks that make a particular investment risky, given the company's specific circumstances. The SEC staff has applied this standard to AI disclosure with the same specificity it applies to cybersecurity, environmental, and regulatory risk disclosures.
The Orrick analysis identifies the specific question the staff asks when reviewing AI risk disclosures: is the disclosure tied to this company's actual use of AI or actual exposure to AI risk? A risk factor that says "we face risks from the rapid development and adoption of artificial intelligence technologies, including risks related to data privacy, algorithmic bias, regulatory uncertainty, and competitive disruption" is generic because every company in every industry faces exactly those risks in exactly the form described. The disclosure tells an investor nothing about how AI specifically affects this company.
An adequate AI risk factor, by contrast, ties the risk to something specific about the company. White and Case's 2026 reporting season guide is explicit: the SEC has consistently stressed that companies should customise risk factor disclosures to reflect their unique facts and circumstances, steering clear of generic and boilerplate language, in line with Item 105's requirement to avoid risks applicable to any issuer or any offering.
What specificity looks like in practice, based on the Orrick comment letter analysis:
A company that uses AI in its customer service function should describe the specific AI tools used, the customer-facing functions they support, and the specific risks associated with those tools in that context, including error rates, bias concerns, and vendor dependency.
A company whose revenue is materially affected by AI-driven competitive dynamics in its market should describe which specific products or services face AI-enabled competition, from which competitors, and how the competitive threat has been or may be quantified.
A company that uses AI-driven underwriting, credit decisions, or other regulated financial activities should describe the specific regulatory risk under the specific regulations applicable to AI in those activities.
What Has the Corp Finance Comment Letter Record Said About AI Disclosure?
The Orrick analysis of 92 comment letters between 2021 and October 2024, published by the Harvard Law School Forum on Corporate Governance in January 2025, is the best public synthesis of what the staff has actually asked.
The comment letters cluster around five recurring issues.
Materiality threshold. The staff asks companies to explain how they determined that AI use or AI risk is or is not material. If a company mentions AI in its earnings call, investor presentation, or board materials but does not disclose it in its SEC filings, the staff views that discrepancy as a signal of potential materiality that was not properly assessed. The Harvard Law Forum post confirms: the SEC has advised companies to assess if discussions about AI in board meetings, earnings calls, and investor presentations suggest materiality and, if so, to provide corollary disclosures in SEC filings.
Tailoring and specificity. The most common comment is a request to revise generic AI risk language to describe the specific risks facing this company based on its specific AI use. The Deloitte comment letter roadmap confirms the standard boilerplate comment: "The risk factors you present appear to apply to nearly any issuer in any industry. Please significantly revise the risk factors to ensure that they are tailored to your business."
Accuracy and substantiation. The staff has asked companies to explain the basis for affirmative claims about AI's contribution to their business. If a company's 10-K states that AI has improved its customer engagement or reduced its operating costs, the staff may ask how that improvement was measured, what the methodology was, and whether the claim is accurate.
Governance disclosure. Where AI is identified as a material risk, the staff has asked companies to describe their AI governance policies, including board-level oversight. The SEC Division official who flagged generic AI disclosures at the AICPA Conference also encouraged companies that identified material AI risks to disclose their AI risk management and corporate governance policies and the oversight of those risks by the board of directors.
Consistency across disclosure vehicles. The staff specifically reviews whether AI claims made in earnings calls, press releases, and investor presentations are consistent with what the company discloses in its SEC filings. An AI-related claim in an earnings call that does not appear in the 10-Q, or that contradicts what the 10-Q says, is a comment trigger.
Where in the Q2 10-Q Does AI Disclosure Belong: Risk Factors, MD&A, or Both?
The Q2 10-Q has three locations where AI disclosure may be required, and the content and standard differ for each.
Risk Factors (Part II, Item 1A). The Q2 risk factor section covers material changes to the risk factors previously disclosed in the annual report. If there has been a material development in AI-related risk since the 10-K was filed, including a new regulatory action, a material incident involving an AI system the company uses, a significant competitive development, or a significant change in the company's AI governance or use, the risk factor section should be updated to reflect it.
If the 10-K's AI risk factors were generic, the Q2 10-Q is the opportunity to revise them before receiving a comment letter that demands the revision. Updating a generic AI risk factor in Q2 is preferable to receiving a comment letter that asks for the revision during the Q3 or year-end filing.
MD&A Results of Operations (Part I, Item 2). If AI has materially affected the company's revenue, cost structure, or operational results in Q2 2026, that effect belongs in the results of operations discussion. The Item 303 standard applies: material factors that caused period-over-period changes in results must be described and, where possible, quantified.
For companies that have deployed AI tools that have materially reduced operating costs (for example, AI-driven automation that reduced headcount or vendor spend), the cost reduction should appear in the MD&A as a quantified contributing factor, not a generic reference to efficiency improvements from technology investments.
For companies whose revenue has been materially affected by AI-driven competitive pressure (for example, a company whose customers have shifted to AI-powered alternatives), the revenue impact should appear in the results of operations discussion with the same specificity required for any other material revenue driver.
MD&A Known Trends and Uncertainties (Part I, Item 2, Item 303(b)(2)(ii)). If AI-related developments represent a known trend or uncertainty that the company reasonably expects will have a material effect on future revenues or income, that forward-looking AI discussion belongs in the known trends section.
What If AI Is a Risk to Your Business vs. a Tool You're Using to Run Your Business?
This distinction is the most important structural question in drafting Q2 AI disclosure, and the comment letter record treats the two categories differently.
AI as a risk to your business means your business faces competitive, operational, regulatory, or financial risk from the development and deployment of AI by others or from the AI-related risks inherent in your own operations. A company that faces AI-driven competitive disruption from new entrants using AI to undercut its pricing, or a company that uses AI in a regulated activity and faces regulatory risk from AI-specific regulations, is disclosing AI as an external risk factor.
AI as a tool you use to run your business means your company deploys AI systems internally or in customer-facing activities. A company that uses an AI chatbot for customer service, an AI-driven forecasting model for inventory planning, or an AI-assisted fraud detection system for financial monitoring is using AI operationally. The risk disclosure obligation for this category goes to what can go wrong with those systems and what the company is doing to manage those risks.
The SEC comment letter pattern is different for each category.
For AI as a risk to your business, the staff asks whether the risk is specific enough. A generic reference to competitive disruption from AI applies to every company. A specific description of which products or services face AI-enabled competition, from what type of competing product or service, and over what timeline, is what the staff wants.
For AI as a tool you use, the staff asks whether the company has disclosed the specific AI systems it relies on, the specific risks associated with those systems (accuracy, bias, vendor dependency, regulatory compliance), and the governance framework in place to manage those risks. Companies that describe AI broadly as a tool they are "exploring" or "piloting" when they are in fact using AI in production operations face a substantiation risk: the description understates the actual use and may be inconsistent with what the company says in earnings calls.
The academic analysis of AI disclosures in 10-K filings through 2024 confirms a persistent gap: 26% of all companies mention AI in their risk factors but not in their business description section. That gap suggests those companies view AI solely as a risk to which they are exposed rather than as a tool they are actively using. For companies in that 26%, a staff reviewer reading the filing has reason to ask whether the business description section is complete.
How Do You Quantify an AI Disclosure Without Speculating?
The quantification question for AI disclosure is genuinely difficult because most companies are not yet at a point where they can measure AI's contribution to revenue or costs with the same precision they can measure, for example, a tariff's contribution to cost of goods sold.
The Orrick and SEC guidance together suggest a practical middle path: the company should disclose what it knows, acknowledge what it does not know, and avoid claiming certainty it does not have.
What the company typically can quantify: the number of customer interactions handled by AI systems (if the AI is customer-facing and the volume is tracked), the approximate percentage of a specific operational function performed by AI versus humans, the cost of AI vendor contracts as a line item in operating expenses, and the approximate headcount reduction or avoidance attributable to AI-driven automation.
What the company typically cannot quantify with precision: the revenue contribution of AI features embedded in products, the long-term competitive advantage or disadvantage created by the company's AI investments relative to peers, and the probability or magnitude of harm from AI system failures.
The standard for disclosure in the risk factor section is not quantification. It is specificity. The staff does not ask companies to put a dollar figure on every AI risk. It asks companies to describe the risk in a way that is specific to their business, their AI systems, and their circumstances, not in a way that could have been cut and pasted from a trade publication about AI risks generally.
For the MD&A section, quantification is required where the AI-related effect has been material. If AI drove a material change in operating expenses in Q2 2026, that change should be quantified in the same way any other material cost driver would be quantified. If AI-driven revenue change was immaterial, a qualitative discussion of the trend is sufficient under Item 303.
The SEC Division official's statement at the AICPA Conference is the clearest articulation of the substantiation standard: companies should have a basis for any claims they disclose about how technology may improve their results of operations, financial condition, or future prospects and opportunities. The obligation is to have a basis. It is not to provide a detailed econometric analysis.
What Is the SEC's "Innovation Commission" Signal and What Does It Mean for Future Rules?
The SEC's internal posture on AI is not purely regulatory. The Commission announced in early 2026 that it was deploying AI-enabled tools in its own examination and comment letter processes, including AI-assisted reading of public filings. The D&O Diary analysis characterises this as a signal: the SEC's internal build of AI governance controls, documentation standards, and oversight processes is directly analogous to what it is now expecting registrants to disclose about their own AI governance.
Chairman Atkins's market modernisation agenda includes consideration of how AI affects disclosure adequacy and market integrity, though no formal AI-specific disclosure rulemaking has been announced as of July 2026. The Nasdaq analysis confirms: while the SEC has increased comment letter scrutiny on AI, the underlying disclosure obligation continues to derive from existing standards (Item 105 for risk factors, Item 303 for MD&A) rather than from AI-specific rules.
What this signals for Q2 2026 and beyond: companies that build AI disclosure now around the existing specificity and materiality standards will be better positioned if and when AI-specific disclosure rules are proposed. The SEC's comment letter record on cybersecurity followed a similar path: years of comment letters enforcing specificity under existing standards preceded the eventual 2023 cybersecurity disclosure rules. AI disclosure is on a similar trajectory.
The specific areas where forward-looking AI disclosure rules seem most likely, based on the comment letter record and SEC official statements: board governance of AI risk, third-party AI vendor dependency and concentration risk, AI model testing and validation processes, and the interaction between AI use and existing regulated activities such as financial advice, credit decisions, and healthcare applications.
A Practical AI Disclosure Framework for Your Q2 2026 10-Q
This is a structural framework for building your Q2 AI disclosure, not a template to copy. Every company's disclosure must reflect its specific AI use and risks.
Step 1: Inventory your AI use. Before drafting any disclosure, list every AI system the company uses in production, every AI system in development or pilot, and every third-party AI-powered service the company relies on. For each system, note: what it does, what data it uses, what the output is used for, what goes wrong if it produces incorrect output, and what the regulatory environment is for that activity.
Step 2: Assess materiality for each AI use category. Has any AI system had a material effect on revenue, costs, or operations in Q2 2026? Has any AI-related regulatory development created a new material risk? Has competition from AI-powered alternatives materially affected the company's market position? The answers to these questions determine whether AI disclosure belongs in MD&A (where it materially affected results) or only in risk factors (where the risk exists but has not yet produced a material effect).
Step 3: Update the risk factor for each material AI risk with company-specific detail. For each material AI risk identified, revise the risk factor language to describe: the specific AI system or AI-driven threat, the specific business activity or product line affected, the specific risk or harm that could occur, the magnitude or likelihood where estimable, and the company's current risk management or governance approach for that risk.
Step 4: Add or update the MD&A AI discussion where AI materially affected Q2 results. If an AI-related development materially contributed to a period-over-period change in any income statement line, quantify that contribution using the same specificity standard that applies to tariff impacts, currency effects, or volume/price mix.
Step 5: Confirm consistency with recent earnings call language. Review the Q2 2026 earnings call transcript and any recent investor presentations for AI-related claims. Confirm that the 10-Q disclosure is consistent with or broader than those claims. Any affirmative AI-related claim made publicly that is not supported by the 10-Q disclosure is a comment risk.
Frequently Asked Questions
Does the SEC require AI disclosure in my Q2 2026 10-Q?
There is no AI-specific disclosure rule requiring companies to disclose AI in their 10-Q. The obligation derives from existing standards: Item 105 of Regulation S-K for risk factors (material risks must be disclosed in a company-specific, non-generic manner) and Item 303 for MD&A (material factors affecting results of operations must be discussed and quantified where possible). If AI is a material risk or has materially affected Q2 results, it must be disclosed under these existing standards.
What makes AI disclosure "generic" vs company-specific?
Generic AI disclosure is language that could apply to any company in any industry: references to risks from AI development, competitive pressure from AI adoption, regulatory uncertainty around AI, or AI-driven data privacy risks without tying any of these to the company's specific AI systems, specific business activities, or specific competitive environment. Company-specific disclosure names the AI systems used, describes the specific functions they perform, identifies the specific risks associated with those systems in that context, and describes the company's governance approach for managing those risks.
What have SEC comment letters said about AI risk disclosures?
Based on the Orrick analysis of 92 comment letters sent to 56 companies between 2021 and October 2024, the most common AI comment is a request to revise generic risk factor language to ensure it is tailored to the company and not applicable to any issuer in any industry. The staff also asks about the basis for materiality determinations, the consistency of SEC disclosures with statements in earnings calls and investor presentations, the accuracy of affirmative AI benefit claims, and the adequacy of AI governance disclosure where AI is identified as material.
Should AI be in the risk factor section, MD&A, or both?
Both, where applicable. The risk factor section covers material AI risks that may affect the company's future results, whether or not they have yet produced a material effect. The MD&A covers AI-related factors that have materially contributed to period-over-period changes in revenue, costs, or other financial metrics in Q2 2026. The known trends and uncertainties discussion covers AI-related developments that management reasonably expects will materially affect future results. A company with material AI exposure may need AI disclosure in all three locations, with different content in each.
Is there a specific SEC rule on AI disclosure?
No. As of July 2026, the SEC has not adopted AI-specific disclosure rules for operating companies. SEC officials have indicated that existing standards, Item 105 for risk factors and Item 303 for MD&A, require adequate and specific AI disclosure where AI is material. Future AI-specific rulemaking has not been formally announced. The comment letter record enforces specificity under the existing standards.
Key Takeaways
- Seventy-six percent of S&P 500 companies added or expanded AI risk disclosures in 2025 annual filings. The SEC reviewed a sample and found most were not tailored to the individual company. The Q2 2026 10-Q is the first opportunity to revise that boilerplate before receiving a comment letter.
- AI disclosure obligations derive from existing standards: Item 105 of Regulation S-K for risk factors and Item 303 for MD&A. No AI-specific disclosure rule exists as of July 2026.
- The Orrick analysis of 92 comment letters (2021-October 2024) identifies five recurring SEC concerns: materiality assessment, specificity and tailoring, accuracy and substantiation of affirmative AI claims, governance disclosure where AI is material, and consistency between SEC filings and public earnings call statements.
- AI disclosure belongs in three places in the 10-Q: risk factors (for material AI risks, updated to reflect Q2 2026 developments), MD&A results of operations (where AI materially affected Q2 financial results), and the known trends discussion (where AI-related developments are expected to materially affect future results).
- The key structural distinction is AI as a risk to your business versus AI as a tool you use. The comment letter standard for each is different: external AI risk requires specificity about the competitive or regulatory threat; internal AI use requires specificity about the systems used, the functions they perform, and the governance in place.
- Companies that made AI-related claims in their Q2 earnings call or investor presentations must confirm those claims are consistent with and supported by the 10-Q disclosure. Inconsistency between public statements and SEC filings is the most common trigger for an AI-related comment letter.
- The SEC's internal deployment of AI tools signals that expectations around AI governance documentation, vendor management, and model validation will become more concrete in comment letters and examinations over time.








