SEC AI Financial Reporting Guidance 2026: The Practitioner's Compliance Map
If your SEC reporting team is searching for the official SEC AI disclosure rulebook, stop. It does not exist. That is not a research failure; it is the regulatory reality of mid-2026, and misreading it creates real compliance risk in both directions.
This guide is for controllers, SEC reporting teams, and general counsel who need a precise answer: what does the SEC actually require companies to disclose about AI in 2026, and how do you build a defensible position for your next 10-K or 10-Q?
Key takeaway: The SEC has issued no standalone AI disclosure rule or formal guidance document for registrants as of July 2026. The governing framework is the existing materiality standard, Reg S-K, and anti-fraud provisions, applied to AI exactly as they apply to any other material development. The enforcement risk is not a new rule. It is the existing rules applied to false or exaggerated AI claims.
Has the SEC Issued a Formal AI Disclosure Rule for Financial Reporting in 2026?
No. The SEC's rulemaking activity index lists no AI-specific disclosure rulemaking as a current proposed or final rule. The 2026 agenda is dominated by capital formation, registered offering reform, and filer status changes.
This surprises practitioners who tracked the Gensler-era push for prescriptive AI disclosure requirements. That push is over. Chairman Paul Atkins stated the SEC's position plainly at the FSOC AI Innovation Series Roundtable on March 4, 2026:
"Prescriptive mandates are not the answer to every emerging technology. And disclosure 'checklists' are no substitute for materiality-based transparency that offers meaningful disclosure under established principles. If the advent of each new technology becomes a pretext for new line items, then disclosure swiftly loses its discipline."
The Investor Advisory Committee voted in December 2025 to recommend that the SEC issue AI disclosure guidance, calling current disclosures "uneven and inconsistent." Atkins responded by urging the Commission to resist prescriptive requirements for every new development affecting a business. That recommendation has gone nowhere as formal rulemaking.
What Governs AI Disclosure Right Now: The Materiality Standard
The operative standard is the TSC Industries v. Northway materiality test: whether there is a substantial likelihood that a reasonable shareholder would consider the information important in making an investment decision. No new AI-specific threshold has been created.
Atkins confirmed this explicitly in March 2026:
"The SEC's best historical regulatory approach has hewn to principles-based rules rooted in materiality. This time-tested approach should inform how a public company today ought to disclose developments concerning AI, just as it guides disclosures about any other development."
For your disclosure team, this translates into one concrete analytical question for each AI-related item: does this information meet the TSC Industries threshold for this company, at this stage of AI deployment, in this reporting period? If yes, it goes in. If not, boilerplate language does not satisfy the standard and may invite scrutiny for vagueness.
The practical implication: AI risk identification should be embedded in your disclosure controls and procedures evaluation under Exchange Act Rule 13a-15, not added as a legal-team afterthought during the close. Skadden's January 2026 Harvard Law Forum memo frames this as a DC&P issue, not just a risk factor drafting exercise.
The SEC's AI Task Force: Internal Governance, Not Registrant Rules
One of the most persistent sources of confusion in 2026 is conflating the SEC's internal AI governance with what the agency expects from registrants. They are entirely separate.
The SEC's AI Task Force, established in August 2025, has a mandate focused entirely inward:
- Centralizing AI efforts across the agency
- Removing internal barriers to AI adoption
- Focusing on AI applications that maximize mission benefits
- Maintaining internal governance
Chief AI Officer Valerie Szczepanik leads this effort. Her role is to promote AI innovation and adoption within the SEC and implement OMB AI guidance. This is not a registrant-oversight role.
The SEC's Draft Strategic Plan FY2026-2030, published June 2026, commits to "responsible use of artificial intelligence and blockchain technologies" to improve oversight and unlock efficiencies, and names EDGAR modernization as a priority. It contains no registrant disclosure mandates.
The bottom line: the Task Force, the CAIO, the 2025 AI Compliance Plan, and the published AI use-case inventories govern the SEC's own operations. They signal the agency's direction and sophistication, but they do not create obligations for registrants.
The SEC Is Now Reading Your Filings with AI Tools
Here is the development that almost no practitioner-facing coverage has addressed: the SEC is using AI to review your disclosures right now.
Atkins confirmed it in March 2026: the agency is using AI "to review disclosures with greater speed and efficiency." The SEC's published 2025 AI use-case inventory lists specific applications, including risk assessments for potential examination, detection of market misconduct, and disclosure review.
What this means in practice:
- Cross-document consistency checks that a human reviewer might miss are now automated. If your risk factors describe AI as peripheral but your MD&A attributes margin expansion to AI-driven efficiencies, that inconsistency is more likely to surface.
- Boilerplate detection is easier at scale. Generic AI risk language that does not reflect your actual operations is a known comment letter trigger, and AI-assisted review makes pattern-matching across thousands of filings faster.
- XBRL tagging quality matters more. The SEC's December 2025 FDTA report explicitly connects machine-readable disclosure data to AI analysis, noting that structured data reduces error rates in LLM processing. How your filing is tagged increasingly affects how it is understood by AI-powered tools, including the SEC's own. For a deeper look at tagging obligations, see XBRL Tagging Requirements for AI-Assisted SEC Filings: 2026 Compliance Guide.
Three Distinct AI Disclosure Problems (Most Teams Conflate Them)
Treating "AI disclosure" as a single question is the most common mistake. There are three separate problems with different governing frameworks:
| Problem | Governing Framework | Where It Lives in the 10-K |
|---|---|---|
| AI as a business risk | Reg S-K Item 105 (risk factors), Item 303 (MD&A) | Risk Factors, MD&A |
| AI as a cybersecurity risk | SEC cybersecurity rules (adopted 2023, effective 2024) | Item 1C (cybersecurity), Form 8-K Item 1.05 |
| AI in the financial reporting process | Anti-fraud provisions, ICFR (SOX 404), DC&P | MD&A controls discussion, auditor communications |
Confusing these leads to two failure modes: over-disclosing generic AI risk language that invites comment letter scrutiny for vagueness, or under-disclosing material AI-related commitments buried across multiple footnotes where investors cannot connect the dots.
Which AI Risks Must Appear in Your Risk Factors?
Disclose AI risks that are material to your specific company. Skadden's January 2026 memo identifies five categories SEC staff expects companies to address where material, and maps directly to comment letter focus areas:
- Cybersecurity threats from AI actors: use of AI by threat actors for deepfakes, social engineering, and polymorphic malware. This sits at the intersection of AI risk and the 2023 cybersecurity disclosure rules.
- Regulatory and legal compliance evolution: uncertainty regarding evolving AI regulations at federal, state, and international levels. State-level AI laws (California, Colorado, and others) create a patchwork that Skadden flags as a distinct risk category, separate from federal SEC requirements.
- Operational and strategic risks: challenges executing AI initiatives, potential defects or vulnerabilities in AI tools, risk of falling behind competitors.
- Reputational and ethical risks: potential for biased or erroneous AI outputs, misuse of AI by employees or third parties, public backlash.
- Intellectual property risks: infringement claims from AI-generated content or use of third-party data in AI models.
The SEC's Division of Examinations has confirmed AI as a standing 2026 examination priority, with staff specifically reviewing "for accuracy registrant representations regarding their AI capabilities." Generic risk factor language that does not reflect how the company actually uses AI is a known trigger.
How to Disclose AI in MD&A vs. the Cybersecurity Section
MD&A (Item 303): Discuss AI where it materially affects results of operations, liquidity, or capital resources. If AI-driven efficiencies contributed to margin expansion, say so specifically. If AI investment is a material capital allocation decision, quantify it. Vague references to "leveraging AI" without operational grounding are exactly what comment letters target.
Cybersecurity section (Item 1C of Form 10-K): AI-related cybersecurity risks, including AI-enabled attacks, fall within the existing cybersecurity disclosure framework adopted in 2023, not a new AI-specific rule. Among Fortune 500 companies, 67% describe the cybersecurity frameworks (NIST CSF, ISO 27001) used to assess and manage risks, 65% reference incident response plans, and 64% disclose employee training efforts. These benchmarks apply to AI-related cybersecurity risk disclosure as well.
Material cybersecurity incidents involving AI (for example, a deepfake-enabled fraud that causes material harm) require Form 8-K disclosure under Item 1.05 within four business days of determining materiality.
AI in the Financial Reporting Process: What Human Oversight Actually Means
Using AI tools to draft or assist with 10-K and 10-Q filings does not itself require disclosure. But it creates a liability exposure that many teams underestimate.
Skadden is direct on this point: "Companies remain liable for any misrepresentations or inaccuracies in public disclosures, regardless of whether the inaccuracies originated from AI tools. Human oversight is critical, particularly for legally sensitive statements or disclosures that could impact the company's risk profile or reputation."
The AI tool is not a defense. A defensible human-review process for AI-assisted drafting should include:
- Designated reviewer sign-off on every AI-generated section before it enters the filing draft, with documentation of who reviewed and when.
- Enterprise-approved tools only. Only secure, vetted AI platforms should be used. Confidential data, including material nonpublic information, must never enter unvetted platforms. The MNPI risk here is real: inputting draft financial results or deal terms into a consumer AI tool could constitute an inadvertent disclosure.
- Accuracy validation for industry-specific content. AI outputs must be validated against primary sources, especially for regulatory thresholds, financial figures, and legal citations.
- Records retention compliance. AI-generated records, including meeting transcriptions and drafting logs, must comply with your data retention policies. For broker-dealers, Rule 17a-4 applies. For other registrants, the equivalent obligation under Exchange Act Rule 17a-3 and your own document retention program governs.
- Version control. Maintain a clear audit trail showing the human editing process from AI-generated draft to filed document.
The SEC's OCA Deputy Chief Accountant Michal Dusza flagged three specific concerns at the SEC and Financial Reporting Conference on June 4, 2026, that will likely appear in forthcoming OCA reminders: whether management understands which financial reporting systems embed AI, what controls govern data fed into AI tools, and whether management's risk assessment keeps pace with AI proliferating through the organization at the employee level.
For a broader look at audit committee obligations in this area, see AI in Financial Reporting Audit Risk: The 2026 Compliance Map for CFOs and Audit Committees.
The AI-Washing Enforcement Risk: Deregulatory Posture Does Not Mean No Enforcement
This is the asymmetry that creates the most dangerous blind spot in 2026. The SEC under Atkins is deregulatory on disclosure mandates. It is not deregulatory on fraud.
Atkins confirmed the enforcement posture in March 2026: "Just as we are using AI technology to detect and address fraudulent and manipulative conduct, we will seek to hold those accountable that misuse AI technologies to further those fraudulent and manipulative schemes. We have also brought actions against bad actors for deception that involves false, misleading, or exaggerated claims about the use of AI in their products and services."
The enforcement risk surfaces in specific places:
- Business descriptions that portray AI as core to differentiation without describing the actual state of deployment
- Risk factors that acknowledge generic AI risks but do not align with how the company actually uses data, models, or vendors
- MD&A narratives that attribute efficiencies or margin expansion to AI without a clear basis
- Forward-looking claims about AI roadmaps that are inconsistent with budget, staffing, vendor contracts, or product readiness
Companies that under-disclose thinking the SEC is backing off may find that existing anti-fraud provisions, applied to AI-washing, are the enforcement mechanism they face.
Will FASB Issue New Accounting Standards for AI? The Short Answer Is No, Not Soon.
Do not wait for new GAAP before addressing AI accounting in your filings.
FASAC's March 10, 2026 meeting discussed the growing use of AI tools in financial reporting and AI-driven data center investment. The Council's conclusion was unambiguous: "urgent standard-setting activity by the Board is not needed."
FASAC did flag a real disclosure challenge: AI-driven data center investments implicate consolidations, leases, and derivatives guidance simultaneously, and investors report difficulty connecting commitments and contingencies disclosed across different financial statement areas. FASAC members suggested that "disclosures could be more decision-useful if related information was disclosed together in the financial statements to help investors understand the full context of the transaction."
The practical implication: current GAAP applies, judgment is required, and the disclosure presentation challenge is yours to solve now, not after a new standard arrives. If your company has material AI infrastructure commitments spanning multiple GAAP areas, consider whether a consolidated discussion in the notes or MD&A would give investors a clearer picture than scattered footnotes.
For a full map of FASB's current project activity, see FASB June 2026 Meeting Outcomes: Every Decision, Mapped for Preparers.
How the Proposed Filer-Status Changes Interact with AI Disclosure
The SEC's May 2026 proposed rulemaking would raise the large accelerated filer threshold from $700 million to $2 billion in public float, extending disclosure scaling accommodations to approximately 81% of all current public companies.
Companies that drop below the new large accelerated filer threshold would lose the SOX 404(b) auditor attestation requirement on internal control over financial reporting. That changes the internal control framework within which AI-assisted reporting processes operate: without an auditor attestation, the discipline of documenting and testing AI-related controls in the ICFR program rests entirely on management.
AI-native companies going public in 2026 would receive a minimum 60-month IPO on-ramp before becoming large accelerated filers, regardless of public float. That is five years of reduced disclosure obligations, but the materiality standard and anti-fraud provisions apply from day one.
A Compliance Checklist for Your Next 10-K or 10-Q
Given the absence of a prescriptive rule, here is a practical materiality-based framework for each filing cycle:
Risk Factors (Item 105)
- Assess each of Skadden's five AI risk categories against your actual operations
- Replace generic AI risk language with company-specific descriptions of how AI is used, what could go wrong, and what the financial impact would be
- Distinguish AI operational risks from AI cybersecurity risks; they belong in different sections
MD&A (Item 303)
- Disclose AI where it materially affects results, liquidity, or capital resources
- If AI investment is material, quantify it and explain the accounting treatment under current GAAP
- For companies with AI infrastructure commitments spanning multiple GAAP areas, consider a consolidated discussion
Cybersecurity (Item 1C)
- Address AI-enabled threats (deepfakes, social engineering, polymorphic malware) within the existing cybersecurity framework
- Reference the frameworks (NIST CSF, ISO 27001) used to assess and manage AI-related cybersecurity risks
- Ensure incident response plans cover AI-specific attack vectors
Disclosure Controls and Procedures (Item 307)
- Update DC&P evaluation under Rule 13a-15 to capture AI risk identification and assessment
- Document human review and sign-off procedures for AI-assisted drafting
- Restrict filing preparation to enterprise-approved AI tools; enforce MNPI controls
Internal Control Over Financial Reporting (Item 308)
- Assess whether AI tools used in the close process are within scope of ICFR
- Document management's risk assessment of AI deployment across the organization, including citizen-led AI adoption
- If dropping below the LAF threshold under the proposed rule, ensure management's ICFR assessment is robust without auditor attestation
FAQ
Is there a specific SEC AI rule I need to follow for my 10-K? No. As of July 2026, no standalone SEC AI disclosure rule exists. The governing framework is the existing materiality standard (TSC Industries), Reg S-K Items 105 and 303, the 2023 cybersecurity disclosure rules, and anti-fraud provisions. Apply these to AI exactly as you would to any other material development.
Do I need to disclose that we used AI tools to draft our SEC filing? Not as a standalone disclosure. But you remain fully liable for every statement in the filing regardless of how it was drafted. The practical requirement is a documented human review and sign-off process, not a disclosure of the tools used.
What is the SEC's AI Task Force, and does it affect registrants? The AI Task Force, established in August 2025, is an internal SEC initiative to accelerate AI adoption within the agency. Chief AI Officer Valerie Szczepanik leads it. It is not a rulemaking body and has produced no registrant-facing guidance.
Will FASB issue new accounting standards for AI investments? FASAC concluded in March 2026 that urgent standard-setting is not needed. Current GAAP applies. Companies with material AI infrastructure commitments should apply existing consolidation, lease, and derivatives guidance and consider whether their disclosures give investors a coherent picture across financial statement areas.
What is the biggest enforcement risk related to AI in 2026? AI-washing: false, misleading, or exaggerated claims about AI capabilities in SEC filings. The SEC has already brought enforcement actions on this basis and confirmed it is using AI tools to detect inconsistencies across filings. The deregulatory posture on disclosure mandates does not extend to fraud.
How does the SEC's AI disclosure approach interact with state AI laws? Skadden identifies regulatory and legal compliance evolution, including state-level AI laws in California, Colorado, and elsewhere, as a distinct AI risk category for federal SEC filings. Companies operating across multiple states face a patchwork of requirements that may be more prescriptive than the SEC's principles-based approach. This risk belongs in your risk factors where material.
The SEC has made its 2026 posture clear: materiality governs, checklists do not, and enforcement of existing rules on false AI claims is active. The compliance burden is on registrants to do the analysis, not wait for a rule that Atkins has explicitly said is not coming.







