By Gana Misra
Wed Jun 10 2026

Navigating AI Risks in SEC Filings: Essential Compliance Tips for 2026


If your company uses AI operationally and your next 10-K doesn't say so specifically, you may already have a disclosure problem. The SEC has issued 92 separate AI-related comment letters to 56 companies since 2021, charged two firms under AI washing enforcement actions, and received a formal petition for mandatory AI governance disclosure rules in February 2026. This is not a theoretical risk anymore.

This guide is for CFOs, SEC reporting managers, and legal teams deciding what to disclose about AI in their next 10-K, 10-Q, or proxy statement. It covers exactly what language triggers SEC scrutiny, what the enforcement record looks like, and how to build disclosures that hold up.

Key takeaway: The SEC doesn't have a dedicated AI disclosure rule yet. But it doesn't need one. Existing anti-fraud provisions apply fully to AI capability claims, and the comment letter record shows precisely what the staff is looking for.

How Fast AI Risk Disclosure Has Grown

The numbers are striking. Just 12% of S&P 500 companies disclosed at least one material AI risk in 2023. By 2025, that figure had reached 72%, a six-fold increase in two years. Seventy-six percent of S&P 500 companies added or expanded AI as a material risk description in their 2025 annual filings, according to an Autonomy Institute report cited by Goodwin Law.

That growth is partly voluntary and partly coerced. The SEC's Division of Corporation Finance has been sending comment letters on AI disclosures since 2021, and the message is consistent: generic language won't pass.

As Goodwin partner Kaitlin Betancourt put it: "Companies risk being the outlier if not mentioning AI in filings." That cuts both ways. Companies that use AI and don't disclose it face scrutiny. Companies that disclose AI capabilities they don't actually have face enforcement.

What the SEC's 92 Comment Letters Actually Say

The most useful dataset for any company drafting AI disclosures is the Orrick analysis of 92 SEC AI-related comment letters sent to 56 companies between 2021 and October 2024. The patterns are clear:

Comment Type | Share of AI Comments
Demand for greater specificity about how AI is or will be used | ~61%
Unsupported or unqualified AI capability claims | ~30%
Materiality threshold questions | ~10%

The dominant issue, by a wide margin, is vagueness. Phrases like "extensive AI skill sets and machine learning capabilities" get flagged. The SEC wants to know what the AI actually does, in what business process, and with what effect.

The Three Questions the SEC Keeps Asking

1. How is AI actually used?
The staff has asked companies to "describe the scope of the current capabilities" and to explain specifically how AI is integrated into disclosed initiatives. A risk factor that says a company "uses AI across its operations" without identifying which operations, what decisions AI influences, or what the failure modes are will draw a comment letter.

2. Is this current or aspirational?
The SEC has explicitly asked companies to "clearly distinguish current technological capabilities from future aspirational capabilities" and to "describe any material steps that will need to be taken to fully develop" AI platforms. This applies to proxy statements too: the staff has asked companies to revise proxy bullet points to clarify "if true, that these are not yet products or services the company provides, and are instead areas of research or are aspirational."

3. What liability does the company assume?
For customer-facing AI, the SEC has specifically asked companies to disclose "the liability that you assume, if any, if your AI technology incorrectly evaluates" outcomes such as creditworthiness. This is a specific disclosure item, not a general prompt.

Drafting note: Before filing, run your AI risk factors against these three questions. If you can't answer each one specifically, the SEC staff probably will ask you to.

The Conference Board/ESGAUGE analysis of S&P 500 filings identifies the risk categories that sophisticated companies are disclosing. Each carries distinct legal exposure:

  1. AI washing and misleading capability claims. Overstating what your AI does, or claiming AI capabilities you don't have, exposes you to SEC enforcement under existing anti-fraud provisions. The Delphia and Global Predictions enforcement actions (see below) are the template.

  2. Cybersecurity and data privacy. Twenty percent of S&P 500 companies cited cybersecurity as an AI concern in 2025 filings. AI expands attack surfaces and enables more sophisticated threats. Note that an AI-enabled cyberattack may trigger both your cybersecurity incident disclosure obligations under Form 8-K Item 1.05 and your AI risk factor simultaneously.

  3. Intellectual property and copyright. Shareholders are already filing proposals demanding reports on risks from unauthorized use of copyrighted content in AI training data. The 2025 NLPC shareholder proposal to Apple cited risks that "Apple's AI development may violate data privacy laws, infringe on intellectual property rights, or utilize personal information without consent."

  4. Algorithmic bias and fairness liability. ML-based decisioning tools in credit, hiring, and healthcare face regulatory scrutiny over bias and opacity. Reputational risk is the most frequently cited AI concern in S&P 500 filings at 38%, and bias-driven reputational damage is a central component.

  5. Regulatory fragmentation. Companies operating across jurisdictions face the EU AI Act, GDPR, emerging U.S. state AI laws, and SEC disclosure requirements simultaneously. Disclosures that address only domestic regulatory risk are increasingly incomplete for multinational filers.

  6. Third-party AI vendor concentration risk. Companies using foundation models from OpenAI, Anthropic, or Google face supplier concentration risk, IP indemnification gaps, and model change risk that is distinct from internally developed AI. If a vendor changes a model's behavior or discontinues a service, your AI-dependent operations are affected. This risk is underaddressed in most current filings, and the SEC's comment letters have not yet fully caught up to it.

  7. Board-level governance gaps. Only 54% of S&P 100 companies disclosed board-level AI oversight in their 2025 proxy statements, and only 28% disclosed both board oversight and a formal AI policy. That 72% gap is visible to sophisticated investors and the SEC alike.

AI Washing: What the Enforcement Record Actually Shows

In March 2024, the SEC charged Delphia (USA) Inc. and Global Predictions Inc. with making false and misleading statements about their AI capabilities. Delphia paid $225,000 in civil penalties; Global Predictions paid $175,000. Delphia had claimed AI capabilities it did not possess from 2019 to 2023, a four-year period of misleading disclosures before enforcement caught up.

The cases proceeded under the Investment Advisers Act and the Marketing Rule. But the SEC's enforcement director made the broader implication explicit:

"Public issuers making claims about their AI adoption must also remain vigilant about similar misstatements that may be material to individuals' investing decisions." -- Gurbir S. Grewal, Director, SEC Division of Enforcement

This is the point most coverage misses. The Delphia and Global Predictions enforcement used the Advisers Act because those were registered investment advisers. For public issuers generally, the same conduct is reachable under existing anti-fraud and material misstatement provisions. No new AI-specific rule is needed to bring an enforcement action against a company that overstates its AI capabilities in a 10-K or earnings call.

Former SEC Chair Gary Gensler was direct: "Investment advisers should not mislead the public by saying they are using an AI model when they are not. Such AI washing hurts investors." The current enforcement posture, under the SEC's "Innovation Commission" framing, is more industry-friendly on rulemaking. But enforcement of existing anti-fraud provisions for material misstatements has not been dialed back.

The Earnings Call Problem: Consistency Is Now a Compliance Obligation

One of the most actionable and underreported findings from the SEC comment letter record: the staff explicitly looks for gaps between what executives say about AI on earnings calls and what appears in formal filings.

The SEC has warned that companies must assess whether AI discussions in board meetings, earnings calls, and investor presentations suggest materiality. If they do, corollary disclosures in SEC filings are required. This creates a direct consistency obligation.

The practical implication for IR and legal teams:

  • If your CEO tells analysts on a quarterly call that AI is "central to our competitive strategy" or "driving significant efficiency gains," that statement is now a disclosure trigger.
  • If the 10-K filed that same quarter describes AI only in a generic boilerplate risk factor, the SEC can and does flag the inconsistency.
  • The fix is not to say less on earnings calls. It's to ensure filings are specific enough to match what executives are actually saying.

This is a coordination problem that lives at the intersection of IR, legal, and finance. Solving it requires a pre-filing review process that compares recent public AI statements against draft disclosure language.

Board Governance Disclosures: The Proxy Statement Gap

The governance numbers reveal a significant inconsistency problem. Among S&P 100 companies:

  • 54% disclosed board-level AI oversight in 2025 proxy statements
  • 45% maintained a disclosed AI policy
  • Only 28% disclosed both

Meanwhile, 65% of U.S. investors believe all companies should provide clear disclosure of the board's oversight of AI governance issues and AI ethics, and 49% say that oversight should be codified in a committee charter or governing documents.

Among companies that do disclose board-level AI oversight, 63% designated it to a specific committee (most commonly audit or technology) while 37% designated full-board oversight. The audit committee is emerging as the default home for AI risk oversight, which makes sense given its existing mandate over internal controls and financial reporting risk.

Glass Lewis Lead Analyst Sarah Wenger framed the trajectory clearly: "In the absence of comprehensive regulatory guardrails, evolving SEC recommendations and shareholder expectations are likely to drive more robust AI governance frameworks and enhanced disclosure practices in upcoming proxy seasons."

Shareholder pressure is already materializing. In the 2025 proxy season, 9 of 29 technology-related shareholder proposals explicitly dealt with companies' use of AI, covering bias, data ethics, copyright, and governance accountability.

Key takeaway: A company that discloses AI risk factors in its 10-K but has no disclosed AI oversight structure in its proxy statement has a visible inconsistency. Sophisticated investors and proxy advisors are now looking for exactly that gap.

The February 2026 Rulemaking Petition: What Mandatory Disclosure Could Look Like

In February 2026, a formal petition for rulemaking (File No. 4-882) was submitted to the SEC requesting mandatory standardized AI governance and risk management disclosures in public filings. This is a significant escalation from the current comment-letter-driven, voluntary disclosure environment.

The SEC's current posture, as articulated in a February 2026 speech by the Division of Investment Management Director, is to engage with industry rather than issue prescriptive rules quickly. The "Innovation Commission" framing suggests deliberate rulemaking rather than rapid mandates.

But the same speech acknowledged the fundamental challenge: "AI is different -- the goal of AI is to take the human out of the loop. At least out of the real-time response loop... they are going to be in a more remote and supervisory role. That will present new challenges."

The SEC also identified liability concerns as "the greatest impediment to more widespread adoption of AI" among investment advisers. That acknowledgment suggests the Commission understands the tension between encouraging AI adoption and requiring disclosure of its risks.

For planning purposes: mandatory AI governance disclosure rules are not imminent, but the petition is on the docket and the direction of travel is clear. Companies that build disclosure-ready AI governance programs now will not need to scramble when rules arrive.

How to Build a Disclosure That Survives Comment Letter Review

The practical gap in most companies' current approach is that disclosure is treated as a legal exercise rather than a governance output. As Goodwin's Betancourt observed: "If the proper infrastructure is put around AI usage and there are processes and checks and balances, then issues are more likely to be flagged for a risk factor and fleshed out." Disclosure without governance infrastructure creates legal exposure, not protection.

Here is what a disclosure-ready AI governance program needs to produce before the next filing cycle:

1. An AI use inventory. Map every material AI application across the business. The SEC's comment letters ask specifically how AI is used. You can't answer that without knowing.

2. A current-vs-aspirational distinction. For each AI application, document whether it is in production, in development, or aspirational. This distinction must flow directly into filing language.

3. A "reasonable basis" file for capability claims. Any affirmative AI capability claim in a filing, business section, or earnings call needs internal documentation to support it: testing results, performance metrics, validation records. This is the evidentiary standard the SEC applies to AI capability statements.

4. A vendor risk assessment. For each third-party AI model or platform, document: what the vendor provides, what happens if the vendor changes the model or exits the market, what IP indemnification the contract provides, and what data the vendor accesses. This feeds directly into third-party concentration risk disclosure.

5. A cross-document consistency review. Before each filing, compare recent earnings call transcripts, investor presentations, and board materials against draft disclosure language. Flag any AI claim in public statements that isn't supported by filing language.

6. Board oversight documentation. Assign AI oversight formally to a committee, document it in the charter, and disclose it in the proxy statement. The 28% of S&P 100 companies that have both oversight and a policy are the benchmark.

For a deeper look at how the SEC uses comment letters as a disclosure audit tool, see our guide on how to use SEC comment letters to audit your own filings. The same methodology applies directly to AI disclosures. And if you're working through M&A-related AI disclosure questions, anticipating SEC comments in M&A disclosure filings covers the comment letter patterns in that context.

The Absence-of-Disclosure Risk

One risk that rarely gets discussed: companies that use AI operationally but make no reference to it in their filings. Over one-quarter of S&P 500 firms still make no explicit reference to AI in their filings, either because exposure is limited, impacts are captured under broader risk categories, or disclosure practices lag behind actual use.

For companies in the last category, the exposure is real. If AI is material to operations and not disclosed, that is a potential material omission. The SEC's comment letter practice already includes questions about whether companies' AI use is material enough to require disclosure. The inverse question, whether non-disclosure of material AI use is itself a violation, is the next logical step in enforcement.

FAQ

Does the SEC have a specific AI disclosure rule?
No. As of mid-2026, the SEC has not issued a comprehensive AI-specific disclosure rule. A formal petition for rulemaking (File No. 4-882) was filed in February 2026 requesting mandatory standardized AI governance disclosures, but rulemaking is expected to be deliberate rather than rapid. Existing anti-fraud and material misstatement provisions apply fully to AI-related disclosures in the meantime.

What is AI washing, and does it apply to non-financial companies?
AI washing means claiming AI capabilities you don't actually have, or materially overstating what your AI does. The SEC's 2024 enforcement actions against Delphia and Global Predictions used the Investment Advisers Act because those were registered advisers. But the SEC's enforcement director explicitly warned that public issuers face the same exposure under general anti-fraud provisions. It applies to all public companies.

How do we disclose AI risks tied to third-party vendors like OpenAI or Anthropic?
Disclose the dependency specifically: name the category of third-party AI (foundation model, ML platform, etc.), describe what business function it supports, and identify the material risks if the vendor changes the model, raises prices, or exits the market. Also address IP indemnification gaps and data access. This is an underdeveloped area in most current filings.

What's the difference between what we disclose in the 10-K versus the proxy statement?
The 10-K risk factors address AI as a material business risk. The proxy statement addresses board-level oversight of AI governance. Both are required for a complete picture. Only 28% of S&P 100 companies have both a disclosed AI oversight structure and a formal AI policy. Companies with strong 10-K AI risk factors but no proxy governance disclosure have a visible inconsistency.

Can disclosing AI risks specifically create a roadmap for plaintiffs?
This concern is real but often overstated. Specific, accurate risk factor disclosure is a defense in securities litigation, not an invitation to it. Vague or boilerplate disclosure that fails to capture actual risks is far more dangerous: it creates both SEC comment letter exposure and a stronger plaintiff argument that material risks were concealed. The SEC's own comment letters push companies toward specificity precisely because vague disclosures don't protect investors.

How do we handle the gap between earnings call AI statements and filing disclosures?
Build a pre-filing review process that compares recent public AI statements (earnings calls, investor days, press releases) against draft filing language. Any AI claim made publicly that isn't supported by filing disclosure is a potential comment letter trigger. The SEC has explicitly flagged this consistency obligation in its comment letter practice.

The companies that get this right aren't just avoiding comment letters. They're building the governance infrastructure that will be required when mandatory AI disclosure rules eventually arrive.
