Three-quarters of Fortune 500 CEOs have used generative AI for board-related work in the past six months, yet more than half of their companies lack any internal guidance on what directors should keep out of these tools. That gap, uncovered by a CEOWORLD magazine survey, leaves individual executives making judgment calls under time pressure - often without realizing those decisions carry legal weight. For boards, the absence of a defined exclusion list means the most sensitive corporate information may already be exposed.
The Risk That Governance Frameworks Overlook
Risk classification systems and documentation trails, the typical components of AI governance, only work if there is a clear baseline of what never enters the system. Without an exclusion list, even well-designed oversight can't stop material non-public information (MNPI) from landing in an AI tool. Unreleased earnings figures, forecast revisions, and pending guidance changes can create disclosure risk under securities law and insider-trading exposure if retained or processed outside the company's controlled environment.
The challenge is that MNPI isn't always labeled. A draft slide summarizing quarterly trends or a working note on a forecast revision can qualify, even when it looks like routine drafting. This ambiguity is precisely why the category requires an explicit rule, not individual discretion.
M&A, Litigation, and Other High-Risk Data
M&A activity carries outsized risk because the data is not just confidential - it's time-sensitive. Acquisition targets, valuation models, and due diligence findings can move markets or compromise negotiations if leaked. For deal teams, a default-deny posture for AI tools not explicitly cleared for deal work is the only approach that holds up under pressure.
Litigation strategy and privileged communications present a different danger. Attorney-client privilege and work-product protection can be jeopardized the moment content is shared with a third-party AI platform, depending on its data retention and access practices. For boards handling active or potential litigation, general counsel should answer how those protections are preserved before AI-assisted drafting begins. The same applies to regulatory inquiry responses and internal investigation findings.
Executive compensation data and succession timelines sit at the intersection of confidentiality and personnel law. Mishandling this information through ungoverned AI tools can raise employment-law and privacy exposure, especially when linked to identifiable individuals. Succession plans carry the added risk that premature signals about leadership transitions will affect investor confidence and internal morale.
Making the Exclusion List Operational
A policy that merely names categories in the abstract won't work. An effective exclusion list specifies:
- Which information categories are excluded outright, regardless of the platform
- Which platforms, if any, meet the data-handling standard for sensitive-but-necessary use
- Who can approve an exception and under what conditions
- How suspected breaches get reported and reviewed
This list is the connective tissue between high-level risk tiers and daily practice. Risk tiers describe how much scrutiny to apply; the exclusion list stops certain information from reaching that scrutiny at all. Without it, governance frameworks are unenforceable.
Why This Matters for Executives and Strategy
Boards often assume common sense will keep sensitive material out of AI tools, but the survey data shows that assumption is failing - quietly, across most major companies. An explicit exclusion list removes the judgment call from executives at the moments they're most likely to misjudge: under deadline, mid-deal, or in a developing crisis. For leaders building AI governance, resources that focus on strategic implementation, like the AI Learning Path for CEOs, can help translate policy into practice. And the broader AI for Executives & Strategy guidance offers a starting point for crafting the architecture that makes exclusion lists and oversight actually defensible. The foundation is not the framework itself - it's getting clear on what was never meant to enter the system in the first place.