|
In this article |
Companies adopting artificial intelligence are navigating a genuinely new kind of disclosure environment — and it cuts in two directions at once. On one side AI tools are changing how investors and analysts read and process external communications. On the other side, companies that use AI in their own business operations face a growing obligation to disclose that use clearly, accurately, and with enough specificity to satisfy both the SEC and their investors.
These two dynamics are related but distinct, and conflating them is a common mistake. The question of how to structure your disclosures for an AI-assisted readership is primarily a communication and drafting discipline. The question of what to say about your company's own AI capabilities — in your 10-K, your earnings calls, your proxy, and your investor presentations — is a disclosure accuracy and governance obligation.
This piece focuses on the second question. And the short version is this: the SEC is watching, the enforcement actions are real, and the threshold for what constitutes adequate AI disclosure is higher than most companies currently meet.
What the SEC actually wants to know
The SEC has been issuing AI-related comment letters since 2021, and the volume and specificity of those comments has accelerated materially. Based on a review of comment letters issued through October 2024, over 90 separate AI-related disclosure comments were issued to over 50 different companies. That's not a theoretical risk — it's an active and growing part of the SEC's disclosure review process.
The comments cluster into three categories, each reflecting a different kind of disclosure failure:
Materiality. Has the company adequately assessed whether its AI use is material to investors? The SEC has raised concerns in both directions — challenging companies that don't disclose AI use that appears to be driving financial performance, and questioning companies that include AI-related disclosures that don't appear to meet the materiality threshold. The assessment itself, not just the conclusion, needs to be documented.
Unsupported claims. Roughly 30% of reviewed comments addressed claims about AI capabilities, products, or strategies that lack a reasonable, disclosed basis. The SEC is looking for companies to distinguish current AI capabilities from future aspirational ones, to provide the basis for forward-looking statements about AI, and to clarify the development status of AI initiatives that are still in progress.
Specificity and balance. The most common comment is a request for more specific and balanced disclosure about how AI is actually used — and what risks it creates. Generic boilerplate language that could apply to any company in any industry is not adequate disclosure.
The SEC wants to understand your AI use case, the operational risks it creates, and the regulatory and competitive environment in which it operates.AI washing: the cost of overclaiming
The term "AI washing" — using AI-related language in marketing, earnings calls, and investor materials to enhance perceived value without substantiating the underlying capabilities — has moved from industry jargon into SEC enforcement territory.
In early 2024, the SEC settled charges against two investment advisers for falsely claiming that AI informed their investment decisions when, in fact, it did not. The enforcement actions were grounded in straightforward anti-fraud principles: making materially false statements to investors in connection with the offer or sale of securities. The novelty was the subject matter, not the legal theory.
The practical lesson extends beyond investment advisers to any company that incorporates AI-related language into its investor-facing communications. Earnings call comments about being "AI-driven" or "powered by AI," investor presentation slides describing AI capabilities, and risk factor language describing AI as a key growth driver — all of it is subject to the same standard that applies to any other material statement to investors.
The question isn't whether to talk about AI. For most companies, the use and strategic importance of AI is genuinely material, and the disclosure obligation is real. The question is whether the claims you're making are accurate, substantiated, and presented with the kind of balance and specificity the SEC expects.
ICFR and the human oversight imperative
The governance question underlying both the SEC's disclosure expectations and the AI washing risk is fundamentally about internal control. Who in your organization is accountable for the accuracy of AI-related statements? What controls exist to ensure that claims made about AI capabilities are reviewed and substantiated before they reach investors? And if AI tools are involved in drafting disclosures themselves, what human oversight exists to catch errors, hallucinations, or overstatements before they're filed?
For public companies, these questions connect directly to their ICFR framework. The CEO and CFO certifications required under Sections 302 and 906 of Sarbanes-Oxley attest to the effectiveness of internal controls and the accuracy of the company's disclosures — including disclosures about AI. An AI-related misstatement in a 10-K is, among other things, an ICFR failure.
For PE-backed companies, the stakes are different but no less real. Audit readiness, lender reporting covenants, and preparation for a future capital markets event all require that management's representations about the business — including representations about technology capabilities and AI strategy — are accurate and supportable. The absence of a SOX certification doesn't reduce the underlying accountability.

The ICFR-relevant questions for any company using AI in its disclosure process or marketing AI capabilities to investors include:
Scoping: which AI tools in your environment have any connection to financial reporting, disclosure drafting, or investor-facing communications? This inventory is the starting point for any meaningful control assessment.
Control design: who reviews AI-generated content before it appears in an external document? Is that review documented? Is there a clear escalation path when the reviewer has questions about accuracy?
Testing and evidence: if your ICFR or SOX assessment methodology doesn't currently address AI-assisted drafting workflows, it may need to be updated. The operative question is whether the controls that existed before AI was introduced remain adequate in a world where AI touches the disclosure process.
Audit committee visibility: the audit committee's oversight of financial reporting and internal controls should extend to AI-related disclosure risks. That means understanding which AI tools are in use, how they're governed, and whether management has a clear line of accountability for AI-related statements in filings and investor communications.
Aligning with the NIST AI Risk Management Framework
The National Institute of Standards and Technology published its AI Risk Management Framework in January 2023, and it has become the closest thing the U.S. has to a broadly recognized standard for responsible AI governance. The framework is voluntary, technology-agnostic, and designed to be adapted to an organization's specific context — which makes it particularly useful as a reference point for companies navigating the disclosure landscape.
The AI RMF is organized around four core functions: Govern, Map, Measure, and Manage. Finance leaders and audit committees don't need to implement all of them to find the framework useful. What matters for the disclosure and ICFR context is the underlying logic: that responsible AI use requires accountability structures, documented risk assessments, ongoing measurement, and clear response protocols.
Govern is the foundational function, and the most directly relevant to the CFO's world. It asks whether the organization has established clear accountability for AI risk, whether AI use cases are approved through a defined process, and whether oversight extends to third-party AI tools and vendors. For disclosure purposes, Govern addresses the fundamental question of who is responsible for ensuring that AI-related claims in investor materials are accurate.
Map addresses risk identification in context. Applied to the disclosure environment, it asks: what are the potential harms if AI-assisted disclosure drafting produces inaccurate content? What is the blast radius of an AI washing allegation in our investor communications? Organizations with robust Map processes can make better-informed decisions about where AI use in the disclosure process requires the most rigorous human oversight.
Measure and Manage address ongoing monitoring and response. In an ICFR context, these functions map to control testing (are our review workflows operating effectively?) and remediation (what do we do when they don't?). The key principle is that AI governance isn't a one-time assessment — it requires continuous monitoring as tools evolve, use cases expand, and the regulatory environment shifts.
Companies with mature ICFR programs will recognize much of this logic. The NIST framework doesn't require building something entirely new — it requires extending existing governance disciplines into a domain that most internal control frameworks weren't designed to address.
The question isn't whether you need AI governance; it's whether your existing framework can absorb it.
|
Embark insight The NIST AI RMF is not a compliance checklist. It's a vocabulary and structure for thinking about AI risk management in a way that regulators, auditors, and investors increasingly understand. Companies that can articulate their AI governance posture in terms of Govern, Map, Measure, and Manage are better positioned for both SEC scrutiny and investor engagement than those that can only describe their AI tools. |
Practical guidance for CFOs and audit committees
The overlap between AI disclosure obligations and internal control requirements makes this fundamentally a CFO-and-audit-committee topic, not just a legal or IR concern. A few practical considerations worth building into your process:
Conduct an AI disclosure inventory. Before your next filing cycle, map every location in your external communications where AI-related claims appear: SEC filings, earnings call scripts, investor presentations, press releases, IR website content. For each claim, ask whether it is accurate as stated, whether it distinguishes current capabilities from future aspirations, and whether you could defend the basis for it in an SEC comment letter.
Review your risk factors. If your AI-related risk factors are generic, now is the time to revise them. The SEC's high comment rate on specificity is a reliable signal that boilerplate isn't adequate. Your risk factors should describe how AI is actually used in your business, what operational and competitive risks that use creates, and how you're managing them.
Assess your ICFR coverage. Work with your internal audit function or external advisors to determine whether your existing ICFR framework adequately addresses AI-assisted workflows in the disclosure process. If AI tools are involved in drafting or editing disclosures, the human review controls around that process should be documented, tested, and integrated into your SOX assessment.
Bring the audit committee into the conversation. The audit committee's oversight role should extend to AI-related disclosure risks. Briefing the committee on the company's AI use, the governance framework in place, and the SEC's current disclosure expectations is both good governance practice and, increasingly, a baseline investor expectation.
For PE-backed companies, the same disciplines apply in a pre-IPO or transaction context. Investors and transaction counterparties are performing their own diligence on AI claims and governance. Companies that can demonstrate clear accountability, documented controls, and accurate, substantiated AI disclosures will be in a materially stronger position than those that can't.
The bottom line
The SEC's expectations around AI disclosure have moved well past the early-adopter phase. The regulatory environment for AI disclosure is mature enough that companies should be treating it as a standard disclosure discipline — not an emerging issue to be monitored.
The companies that will navigate this environment most effectively are those that approach AI disclosure the same way they approach any other material disclosure: with rigor, specificity, internal accountability, and a clear line between what they know and what they're aspiring to. That's not a different standard for AI. It's the same standard, applied to a new and consequential topic.
The governance structures that support accurate disclosure — ICFR frameworks, audit committee oversight, management certification processes — are the same structures that support accurate AI disclosure. The work isn't starting from scratch. It's extending disciplines that, for well-run finance organizations, are already in place.




