The SEC is not waiting for industry consensus on what AI governance looks like. It is writing comment letters, opening investigations and refining disclosure expectations in real time. Public companies that treat AI adoption as a technology decision rather than a legal and regulatory one are building exposure they have not yet accounted for.
AI has moved faster than the frameworks designed to govern it. That gap is closing – but not in the direction most boards and CFOs expect. The Securities and Exchange Commission (SEC) and the Public Company Accounting Oversight Board (PCAOB) are not issuing comprehensive AI regulations. Instead, they are applying existing authority – disclosure rules, audit standards, fraud statutes – to AI-related conduct with increasing specificity and speed. The companies caught flat-footed are not the ones that ignored AI. They are the ones that deployed it without understanding how the regulatory environment had already shifted around them.
The cybersecurity rule has an AI problem hiding in it
The SEC's cybersecurity disclosure rules, effective December 2023, require public companies to report material cybersecurity incidents on Form 8-K within four business days of determining materiality, and to describe their cybersecurity risk management, strategy, and governance annually in their 10-K. Most boards reviewed these requirements through the lens of traditional IT risk. That framing is now inadequate.
AI systems introduce cybersecurity exposures that are structurally different from conventional enterprise software. Large language models trained on proprietary data can be manipulated through prompt injection attacks — inputs crafted to override a model's intended behavior and extract or corrupt information. AI systems connected to financial databases or used in reporting workflows create data exfiltration vectors that standard security controls were not designed to address. Third-party AI vendors, whose infrastructure your systems depend on, sit largely outside your cybersecurity perimeter and your disclosure controls simultaneously.
The practical implication: if your company uses AI in any workflow that touches financial data, customer data, or internal communications, the cybersecurity rule requires a level of disclosure specificity that most current 10-K filings do not achieve. The SEC's comment letter practice on cybersecurity disclosures is already producing pushback on vague risk factor language. Companies describing AI-related cybersecurity risk in generic terms – without addressing how AI systems are inventoried, monitored, and secured – are increasingly receiving SEC staff follow-up. The next step in that progression is enforcement.