Finrep at Society for Corporate Governance National Conference
Gana Misra
By Gana MisraCEO, Finrep
Wed Jul 08 2026

SEC AI Financial Reporting Guidance 2026: What the Rules Actually Say

Share
SEC AI Financial Reporting Guidance 2026: What the Rules Actually Say

SEC AI Financial Reporting Guidance 2026: What the Rules Actually Say

If you're drafting a 10-K or 10-Q and searching for the SEC's official AI disclosure rulebook, you won't find one. That's not a gap in your research. It's the regulatory reality of mid-2026, and misunderstanding it is where real compliance risk lives.

This article is for CFOs, controllers, and SEC reporting teams who need a precise answer to one question: what does the SEC actually require companies to disclose about AI, and how do you avoid a comment letter?

Key takeaway: The SEC has not issued a standalone AI disclosure rule or formal guidance document for registrants as of mid-2026. The governing framework is the existing materiality standard under Securities Act Rule 408 and Exchange Act Rule 12b-20, applied to AI exactly as it applies to any other material development. The enforcement mechanism is the comment letter program, not a new rule.

Has the SEC Issued Formal AI Disclosure Rules for Financial Reporting in 2026?

No. As of mid-2026, no standalone SEC AI disclosure rule or formal guidance document exists for public company registrants. The SEC's rulemaking activity index lists no AI-specific disclosure rulemaking as a current proposed or final rule. The 2026 agenda is dominated by capital formation, registered offering reform, and filer status changes.

This surprises practitioners who followed the Gensler-era push for prescriptive AI disclosure requirements. That push is effectively over. The SEC under Chairman Paul Atkins has taken a sharply different posture, and understanding that shift is the starting point for any disclosure analysis.

The Investor Advisory Committee did vote in December 2025 to recommend that the SEC issue AI disclosure guidance, calling current disclosures "uneven and inconsistent" and noting that only 40% of S&P 500 companies provide AI-related disclosures at all. Atkins responded by urging the Commission to "resist the temptation to adopt prescriptive disclosure requirements for every 'new thing' that affects a business." The IAC recommendation has gone nowhere as formal rulemaking.

The Atkins Materiality Doctrine: What It Means for Your 10-K

The operative standard is the classic TSC Industries materiality test: whether there is a substantial likelihood that a reasonable shareholder would consider the information important in making an investment decision. No new AI-specific threshold has been created.

Atkins stated this explicitly at the FSOC AI Innovation Series Roundtable on March 4, 2026:

"Prescriptive mandates are not the answer to every emerging technology. And disclosure 'checklists' are no substitute for materiality-based transparency that offers meaningful disclosure under established principles. If the advent of each new technology becomes a pretext for new line items, then disclosure swiftly loses its discipline."

And on the governing standard:

"The SEC's best historical regulatory approach has hewn to principles-based rules rooted in materiality. This time-tested approach should inform how a public company today ought to disclose developments concerning AI, just as it guides disclosures about any other development."

For your disclosure team, this translates into a concrete analytical question for each AI-related item: does this information meet the TSC Industries threshold for this company, at this stage of AI deployment, in this reporting period? If yes, it goes in. If not, adding boilerplate language does not satisfy the standard and may actually invite scrutiny.

Skadden's January 2026 Harvard Law Forum memo frames this as a disclosure controls and procedures issue, not just a risk factor drafting exercise. AI risk identification should be embedded in your DC&P evaluation under Exchange Act Rule 13a-15, so that material AI risks flow through the same process as any other material development, rather than being added as an afterthought by the legal team during the close.

Three Distinct AI Disclosure Problems (Most Teams Conflate Them)

One of the most common mistakes in practice is treating "AI disclosure" as a single question. It's three separate problems with different governing frameworks:

Disclosure typeGoverning frameworkWhere it appears
AI as a business risk or opportunityMateriality standard, Reg S-K Items 101, 103, 106, 303Risk factors, MD&A, business description
AI use in the financial reporting process itselfICFR/DC&P (SOX 302, 404), OCA reminders (forthcoming)Controls disclosures, potentially MD&A
AI-related capital expenditures (data centers, model licensing)Existing GAAP (ASC 842 leases, consolidation, derivatives)Financial statement footnotes, MD&A

Confusing these leads to two failure modes: over-disclosing generic AI risk language that invites comment letter scrutiny for vagueness, or under-disclosing material AI-related commitments buried across multiple footnotes where investors can't connect the dots.

AI as a Business Risk: Four Categories to Address

Skadden identifies four specific AI risk categories that SEC staff expects companies to address where material:

  1. Regulatory and legal compliance evolution (changing AI laws, liability exposure)
  2. Operational and strategic risks (model error, vendor dependency, competitive disruption)
  3. Reputational and ethical risks (bias, fairness, public trust)
  4. Intellectual property risks (training data ownership, output IP, third-party claims)

The SEC's Division of Examinations has confirmed that AI is a standing 2026 examination priority, with staff specifically reviewing "for accuracy registrant representations regarding their AI capabilities." Generic risk factor language that doesn't reflect how the company actually uses AI is a known comment letter trigger.

AI in the Financial Reporting Process

The SEC's Office of the Chief Accountant is actively monitoring AI use in the financial reporting ecosystem. At the SEC and Financial Reporting Conference on June 4, 2026, OCA Deputy Chief Accountant Michal Dusza flagged three specific concerns that will likely appear in forthcoming OCA reminders:

  • Third-party service providers: Does management understand which financial reporting systems embed AI, and what assurance do they get from those providers?
  • Data quality: What controls govern the data fed into AI tools used in the close or reporting process?
  • Management's risk assessment: Is management staying on top of AI deployment across the organization, including citizen-led AI adoption at lower levels?

Dusza signaled that OCA will issue formal reminders "in the next few months" rather than prescriptive rules, noting that "the pace of change" makes definitive guidance difficult. The practical implication: if your team uses AI tools in the financial close, disclosure drafting, or audit support, document the controls and human review steps now, before those reminders arrive.

On the liability question, Skadden is direct: "AI-generated outputs should never be relied upon without human review. Companies remain liable for any misrepresentations or inaccuracies in public disclosures, regardless of whether the inaccuracies originated from AI tools."

FASB's Financial Accounting Standards Advisory Council addressed this directly at its March 10, 2026 meeting. The headline finding: "urgent standard setting activity by the Board is not needed" because "current GAAP provides a robust framework for accounting for these macroeconomic trends."

But FASAC members added a pointed qualifier: "Council members questioned whether current disclosures are sufficient to capture those uncertainties."

The specific concern is data center investments driven by AI development. These arrangements typically span multiple GAAP areas simultaneously: consolidation (ASC 810), leases (ASC 842), and derivatives (ASC 815). Investors struggle to connect information disclosed in different footnotes. FASAC's investor members stated that "disclosures could be more decision-useful if related information was disclosed together in the financial statements to help investors understand the full context of the transaction."

The practical drafting signal: if your company has significant AI infrastructure commitments, consider whether a single integrated disclosure section, cross-referencing the relevant lease, consolidation, and derivative footnotes, would give investors a clearer picture than siloed treatment across multiple notes. This is not a GAAP requirement yet, but it is a live FASAC concern and a likely comment letter target.

The Real Enforcement Mechanism: Comment Letters

The absence of a formal AI rule does not mean the absence of enforcement risk. SEC comment letters are the de facto mechanism through which staff signals what it considers inadequate AI disclosure, and they are searchable on EDGAR.

The feedback loop matters here. The SEC's AI Task Force, created in August 2025, has confirmed that its use cases include reviewing disclosures "with greater speed and efficiency." Valerie Szczepanik, the SEC's designated Chief AI Officer, leads this effort. If the SEC is using AI-assisted tools to flag disclosure deficiencies in 10-Ks and 10-Qs, the practical implication is that boilerplate AI risk factors are more likely to generate comment letters, not less. AI reviewing AI disclosures is not a hypothetical.

Comment letter patterns from 2025 show staff asking companies to:

  • Expand and operationalize AI-related discussions beyond generic risk acknowledgment
  • Describe governance policies around AI use, including board oversight
  • Revise business and risk factor disclosures to more fully address the state of AI adoption
  • Clarify the actual operational role of AI versus marketing language

For a practitioner-level guide to responding once a comment letter arrives, see Finrep's SEC Comment Letter Response Best Practices: 2026 Playbook.

AI Washing: A Separate and Active Enforcement Theory

Distinct from disclosure adequacy risk is AI washing: affirmative misrepresentations about AI capabilities. Atkins confirmed at the March 2026 FSOC roundtable that "the Commission has brought actions against bad actors for deception that involves false, misleading, or exaggerated claims about the use of AI in their products and services."

The Presto Automation enforcement action (settled early 2025) is the clearest example: the company made materially false statements about the automation level of its AI product. The risk shows up not just in investor presentations but in 10-K business descriptions that portray AI as core to competitive differentiation without describing the actual state of deployment, and in MD&A narratives that attribute margin expansion to AI without a clear basis.

The taxonomy of AI-related SEC enforcement theories is now three-part:

  1. AI washing: False or exaggerated affirmative claims about AI capabilities
  2. Disclosure inadequacy: Failure to disclose material AI risks or developments under the TSC Industries standard
  3. Fraud via AI: Using AI-generated outputs in filings without adequate human review, resulting in material misstatements

These are legally distinct theories with different elements. Your legal and disclosure teams should be analyzing each separately.

Operational Risks Teams Often Miss

Two practical risks are underrepresented in most AI disclosure guidance:

MNPI and data security. Skadden flags that "only enterprise-approved, secure AI tools should be used, and confidential data should never be entered into unvetted platforms." Inputting draft earnings language, non-public financial projections, or deal information into a consumer AI tool is a MNPI and data security issue, not just an accuracy concern.

Data retention. "When using AI for tasks such as meeting transcription or note-taking, companies should adhere to established data retention policies and provide appropriate notice to participants. Storing AI-generated records beyond permitted periods or failing to inform stakeholders of AI use can create legal and compliance risks." This applies directly to disclosure committee meetings and audit committee briefings where AI tools are used.

What the May 2026 Filer Reform Proposal Changes

The SEC's May 19, 2026 registered offering reform proposal raises the large accelerated filer threshold from $700 million to $2 billion in public float. If finalized, approximately 81% of all current public companies would benefit from disclosure scaling accommodations.

For AI disclosure specifically, the most relevant change is the proposed exemption of all non-accelerated filers from the requirement to obtain an auditor's attestation on ICFR under SOX 404(b). Companies using AI in their financial close or reporting processes would lose one layer of external scrutiny of AI-related internal controls. Management's own assessment obligations under Section 302 and 404(a) remain intact.

Smaller companies newly exempt from accelerated filer requirements will face reduced external scrutiny of AI-related control risks, but that does not reduce their obligation to disclose material AI risks. The materiality standard applies regardless of filer category.

For a full analysis of the semiannual reporting optionality in the same proposal, see Finrep's SEC Form 10-S vs 10-Q: 2026 Reporting Options.

FAQ

Do I need to disclose that we use AI internally in our financial reporting process? Not automatically. The materiality standard applies: if AI use in your financial reporting process creates risks (model error, data quality, vendor dependency) that a reasonable shareholder would consider important, those risks should be disclosed. OCA is preparing reminders on this topic. Document your controls and human review steps now.

Does the SEC require a standalone AI section in the 10-K? No. The SEC has not mandated a standalone AI disclosure section. The IAC recommended integrating AI disclosure into existing Reg S-K items (Items 101, 103, 106, and 303) on a materiality basis. Most practitioners are following that approach rather than creating a new section that could invite scrutiny for completeness.

What is "AI washing" and how is it different from inadequate disclosure? AI washing is an affirmative misrepresentation about AI capabilities, for example, claiming a product is fully automated when it relies heavily on human operators. Inadequate disclosure is failing to mention material AI risks at all. Both are enforcement theories, but they have different elements and require different remediation.

Are there new GAAP accounting standards for AI investments? No. FASAC confirmed in March 2026 that current GAAP is adequate for AI accounting. The concern is disclosure sufficiency, not recognition or measurement. Apply existing standards (ASC 842 for leases, ASC 810 for consolidation, ASC 815 for derivatives) and consider integrated cross-referenced disclosure for complex AI infrastructure arrangements.

Can I use AI to draft my SEC filings? Yes, but human review is non-negotiable. Companies remain liable for any inaccuracies in public disclosures regardless of whether they originated from AI tools. Use only enterprise-approved, secure tools, and never input non-public financial data into unvetted platforms.

What's the best way to monitor SEC comment letter signals on AI disclosure? Search EDGAR's full-text search system for comment letters referencing AI, machine learning, or artificial intelligence. Finrep's EDGAR Benchmarking for SEC Disclosures: 2026 Practitioner's Playbook covers the methodology in detail.

The bottom line for your Q2 2026 or FY2026 filing: there is no AI disclosure checklist to complete, but there is a real and active enforcement risk. Run the materiality analysis, document it, and make sure your AI risk identification is embedded in your DC&P process, not bolted on at the end of the drafting cycle.

Run your financial reporting on Finrep