AI Oversight Creates Fresh Governance Pressure for Directors and Officers
Boards face growing disclosure, compliance, and litigation risks as AI adoption accelerates. Directors and officers are now exposed to a familiar mix of securities class actions, derivative litigation, and regulatory investigations - but with an unfamiliar technology at the center.
Lawrence Fine, management liability coverage leader at WTW, said the core exposures tied to AI resemble earlier waves of securities and governance litigation. What makes the current environment more difficult is the speed of adoption, fragmented regulatory rules, and the reality that many directors lack detailed understanding of how AI systems function.
AI litigation follows traditional patterns - for now
Courts are largely treating AI-related securities disputes like conventional disclosure cases. Early analysis of emerging AI-related securities class actions shows cases progressing in typical fashion, Fine said.
The practical challenge for corporate defendants is different. Directors and officers frequently struggle to explain how AI technology operates or why problems occur. That gap becomes particularly acute during litigation, regulatory inquiries, or disclosure disputes.
"Most directors and officers won't understand the nuts and bolts of AI," Fine said. "There's a real potential black box problem when it comes to explaining what went wrong."
Early disputes have centered on "AI washing," where companies overstate capabilities or exaggerate AI's role in operations. More recent litigation focuses on whether companies adequately disclose AI-related risks, including risks tied to adoption decisions or failures to adopt.
What has not fully emerged yet are large-scale claims from operational failures involving AI itself. Fine said those disputes will likely appear as organizations become increasingly dependent on automated systems. "What we haven't seen yet - but will - are cases arising from actual improper use of AI, or malfunctions, hallucinations and/or underperformance of AI that lead to dangerous or expensive situations," he said.
Future claims could stem from events involving physical harm, major compliance failures, or substantial financial penalties - similar to how operational failures historically generated securities and derivative litigation.
Coverage gaps emerge around fines and penalties
Broad AI exclusions have not become widespread in the D&O market. One carrier considered introducing a broad exclusion for private company D&O coverage before stepping back from the approach.
On the public company side, the market has shown little appetite for AI-specific exclusions because D&O coverage remains heavily tied to securities litigation. Policyholders and brokers would likely insist on carve-backs preserving securities claims coverage anyway.
Fines and penalties represent the most significant emerging coverage gap, particularly under the EU AI Act. Standard D&O policies generally do not cover many forms of regulatory fines, creating concern for multinational companies navigating multiple jurisdictions.
Some insurers have started developing AI-specific primary and umbrella products to address portions of that exposure. Cyber insurance faces even greater challenges because many policies depend on specific coverage triggers tied to security breaches or improper data collection.
"While cyber policies will still cover claims arising from security breaches and improper data collection, regardless of whether or not AI was involved, there is now the possibility of claims that arise simply from how a company is using AI or what it's using AI for," Fine said.
Regulators, particularly in Europe, impose restrictions on certain AI uses while subjecting other applications to heightened compliance obligations. Many existing cyber policies are not designed to respond to those types of regulatory or operational disputes that go beyond privacy-related situations.
Boards must navigate conflicting regulatory approaches
Lawmakers are pursuing different approaches to AI oversight, creating governance pressure for boards. Fine pointed to tensions between the federal government's relatively pro-development stance and more aggressive state-level regulatory efforts.
"There's a philosophical disconnect between the federal government's position and some states," Fine said. "That creates a potential whipsaw for companies trying to figure out how to comply with multiple, sometimes conflicting rules and regulations."
Multinational companies need to monitor the EU, which currently has the most evolved body of AI regulations in the world.
Boards cannot treat AI oversight as solely a technology issue. Fine recommended that companies add directors with meaningful technical expertise and maintain close relationships with outside advisers capable of monitoring rapid legal and regulatory developments.
Disclosure controls deserve separate scrutiny from operational AI governance. Companies need to focus not only on how they use AI systems, but also on whether investor communications accurately reflect those practices and risks.
"Are you accurately disclosing all of the foregoing?" Fine said. "The disclosure risk is distinct from the substantive risk of what you're doing with AI."
For insurance professionals, this means D&O and cyber policies will require closer examination as AI adoption spreads. Coverage gaps around regulatory fines, operational failures, and non-breach AI claims are likely to widen before policy language catches up to business reality.