Somewhere in the slide deck sits a confident line. AI has cut our response times. AI is driving efficiency across the operation. AI is now embedded in how we work. It reads well, and the board nods, because it is the progress they were hoping to hear. Then the quiet question lands, from a cautious investor, a lawyer reviewing the disclosure, or your own gut at eleven at night. If someone asked us to evidence that, could we? Often the honest answer is no. No one wrote down which decisions the AI actually made, on what data, with what oversight. The claim is real-sounding and unprovable, and that combination is what creates exposure.
You have been handed the AI mandate, often without a compliance department behind you. So the claims made upward, to the board and to investors, end up resting on you. This post is about that slice only, the personal risk in the AI line itself, not the governance system around it. It is not legal advice, and where the exposure is real you should take proper counsel. But the discipline that protects you is small.
What is AI washing, and why do regulators treat it as fraud?
AI washing is exaggerating to investors what your AI actually does, claiming capability you cannot back up. In the United States the SEC has brought enforcement actions for exactly this, treating it as a matter for securities law rather than marketing puffery. The mechanism is existing antifraud provisions, including Rule 10b-5. A stretched AI claim then sits in the same legal category as any other material misstatement.
The regulator has been blunt about the standard it expects. As the SEC’s position is summarised in the Harvard Law analysis, if a public company is using AI, that company has to be honest about the role AI plays in its business and not exaggerate it to the point of AI washing. Around 61% of the SEC’s comments on AI disclosures asked companies to clarify how the AI is used and what risks attend it. The message to anyone signing off an AI claim is to have a reasonable basis for it, and to be ready to show that basis.
This detail is US-anchored, and the specific regulator differs for a UK owner-managed business. The principle does not. Any claim about AI, in any market, should rest on evidence the person making it can produce. A UK firm raising investment, reporting to a board, or pitching to an acquirer faces the same logic, whatever the named law on the page.
Why does this land on directors personally?
Director and officer exposure has moved from theoretical to live, driven by how much money now rides on AI. Spending reached $644 billion in 2025, up 76% on the year before, on Gartner figures cited in legal analysis of D&O risk. When that much spend is justified upward with confident claims, the claims themselves become a risk surface, and the insurance behind a director has not yet caught up.
That insurance gap is real and current. The 2026 D&O market is working through AI-related securities suits and AI-washing exposures, with insurers still deciding where these claims belong. As Holland & Knight partner Thomas Bentz put it, there is a lot of confusion and growth in this area because where these claims fit is still being figured out. For a director in an owner-managed business, the cover you assume protects you may have a hole in it precisely where an AI claim goes wrong. Worth checking your own policy wording.
There is a further, sharper argument forming, worth flagging honestly as direction of travel rather than settled law. Legal commentators argue that when an AI system makes a decision, the board is treated as having made it, and that a director cannot defend themselves by pleading they did not understand the technology. A Harvard Law Review analysis raises the prospect of boards being held accountable where insufficient oversight lets AI cause harm. This is an emerging argument, not established UK case law, so calibrate accordingly. The defensible position either way is the same: show that appropriate oversight was in place.
What does an audit trail for an AI claim actually look like?
An audit trail for an AI claim is a dated, tamper-evident record of what the system did, on what input, with which version, and what human review sat over it. One vendor's working definition calls it an immutable record of AI decisions, inputs, outputs and changes. Stripped of jargon, it answers the question a regulator or buyer will eventually ask. Show me how this decision was reached and who was watching.
The useful components are concrete. The input that went in, the output the system produced, the timestamp, the model version, and whether a human reviewed or overrode the result. None of this is exotic; it is the kind of logging many AI tools can produce if you turn it on and keep it. The discipline is keeping it deliberately, not assuming it exists somewhere by default.
Retention matters, and varies by sector. The same vendor guidance points to financial services typically keeping records for seven years or more and healthcare for a minimum of six, with the firm caveat to check the rules for your own sector rather than guessing. Recognised frameworks help too. The NIST AI Risk Management Framework, with its four functions of map, measure, manage and govern, gives a board a reference point to align oversight to, which strengthens the case that oversight was real.
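To make the components above concrete, here is an added example of a minimal tamper-evident audit trail for AI decisions. It is illustration written for this post, not code from any vendor or framework the post mentions. It assumes SHA-256 hash chaining as the tamper-evidence mechanism (the post says "tamper-evident" and "immutable" without naming a method), and the model version, applications and reviewer names are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry; an assumed convention


def _canonical(d: dict) -> str:
    # Deterministic serialisation so the same record always hashes the same way
    return json.dumps(d, sort_keys=True, separators=(",", ":"))


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


@dataclass
class DecisionRecord:
    # The five components the post names, plus the chain link
    timestamp: str              # when the decision was made (UTC, ISO 8601)
    model_version: str          # which build of the model produced it
    input_sha256: str           # hash of the input; the raw input is kept elsewhere
    output: str                 # what the system decided
    reviewer: Optional[str]     # who reviewed it, None if no human looked
    overridden: bool            # whether the human changed the outcome
    prev_hash: str              # entry_hash of the previous record
    entry_hash: str = ""        # hash over everything above, set on append

    def body(self) -> dict:
        d = asdict(self)
        d.pop("entry_hash")
        return d


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[DecisionRecord] = []

    def append(self, model_version: str, raw_input: str, output: str,
               reviewer: Optional[str] = None, overridden: bool = False,
               timestamp: Optional[str] = None) -> DecisionRecord:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        rec = DecisionRecord(
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            model_version=model_version,
            input_sha256=_sha256(raw_input),
            output=output,
            reviewer=reviewer,
            overridden=overridden,
            prev_hash=prev,
        )
        rec.entry_hash = _sha256(_canonical(rec.body()))
        self.entries.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec.prev_hash != prev or _sha256(_canonical(rec.body())) != rec.entry_hash:
                return i
            prev = rec.entry_hash
        return None

    def unreviewed(self) -> List[DecisionRecord]:
        # The decisions no human looked at: the oversight gap a board would ask about
        return [r for r in self.entries if r.reviewer is None]


def build_sample_trail() -> AuditTrail:
    # Constructed sample decisions; the model name, applications and reviewer are made up
    t = AuditTrail()
    t.append("credit-scorer-1.4.2", "application:A-1001|income:42000|ltv:0.92",
             "declined", reviewer="j.patel", timestamp="2025-03-03T09:12:00+00:00")
    t.append("credit-scorer-1.4.2", "application:A-1002|income:61000|ltv:0.80",
             "approved", reviewer="j.patel", overridden=True,
             timestamp="2025-03-03T09:15:00+00:00")
    t.append("credit-scorer-1.4.2", "application:A-1003|income:38000|ltv:0.95",
             "declined", reviewer=None, timestamp="2025-03-03T09:20:00+00:00")
    return t


def tamper_demo() -> tuple:
    """Show that editing a past decision is detected, even if its own hash is recomputed."""
    t = build_sample_trail()
    before = t.verify()                       # None: intact
    t.entries[1].output = "declined"          # quietly rewrite a decision
    after_edit = t.verify()                   # 1: entry 1 no longer matches its hash
    rec = t.entries[1]
    rec.entry_hash = _sha256(_canonical(rec.body()))  # try to cover the edit
    after_rehash = t.verify()                 # 2: entry 2 still links to the old hash
    return before, after_edit, after_rehash


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify() is None, "unreviewed:", len(trail.unreviewed()))
    print("tamper detection:", tamper_demo())
```

Two design points matter in practice. The log stores a hash of the input rather than the input itself, so it can prove which data a decision used without becoming a second copy of personal data; the input must still be retained somewhere for the retention period. And a hash chain only proves that the log was not edited in place: whoever holds the file could regenerate the whole chain, so the latest entry hash should be recorded somewhere outside the writer's control, such as in the dated board paper that cites the trail, to give the record the "immutable" quality the post describes.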
What should you put in place if you have no compliance function?
If you carry the mandate without a compliance team, the protection is a small discipline rather than a department. Keep a simple record of which AI claims rest on which evidence, so any line in a board paper traces back to something real. Where the AI is making or shaping decisions that matter, note what it did, on what input, and who reviewed it. A maintained document and a habit go a long way.
The single most useful rule is a gate on what goes upward. No AI claim enters a board paper, an investor update, or an annual report unless someone can stand behind it with evidence to hand. That one habit removes the worst of the exposure, because the dangerous claim is the confident, unprovable one, and this gate stops it at the door. It also sharpens the writing, since a line you can evidence is usually more specific than the vague one it replaces.
The payoff is more than defensive. Firms that keep good audit trails save meaningful time when an audit or dispute arrives, and cut the arguments over what an AI-driven decision actually did, because the record settles it. Precise figures get quoted for this, but they trace to single vendor blogs, so treat the gain qualitatively rather than as a promised number. Good records cost a little discipline now and save a lot of scrambling later.
What is well-evidenced here, and what is still forming?
Some of this is solid and some is still forming, and saying which is which is part of being credible in the room. The securities-fraud angle is well-grounded. The SEC has brought real enforcement actions, AI washing is enforced under existing antifraud law, and the honesty standard is on the record. The audit-trail discipline is equally sound. Present both with confidence.
The personal-liability case against directors is the part to handle carefully. It is an emerging line of analysis, argued by legal commentators and explored in law-review work, not a settled body of UK case law you can point to. Presenting it as established precedent would be the same mistake as AI washing, a confident claim the evidence does not yet support. So frame it as direction of travel. The exposure is plausibly growing, the prudent response is to act as though it is real, and where it bites, take advice.
That calibration is itself the move. Distinguishing the well-evidenced from the still-forming is the discipline that keeps an AI claim defensible, and it is how you earn trust with a board that has heard plenty of confident AI talk already. If you want a second pair of eyes on where your own AI claims and oversight stand before the next board paper, book a conversation.