The Impact of AI on Corporate Risk Reporting

According to a recent analysis by The Conference Board, a non-profit think tank, ESGAUGE, a data analytics firm, and Ernst & Young, as of August 2025, nearly three quarters of the S&P 500 flagged AI as a material risk in their Form 10-Ks. Among the Fortune 100, this statistic was even higher, with 85% including AI in their risk factors. This is a significant increase in just two years, consistent with the public’s increased awareness and use of AI services in the same time period. It also signals that public companies expect heightened scrutiny from investors about AI implementation strategies.

The Securities and Exchange Commission has not adopted specific AI disclosure rules. Indeed, SEC Chair Paul Atkins started his tenure by rescinding proposed disclosure rules. Given the Trump administration’s support for AI innovation, it is unlikely that specific disclosure rules are forthcoming. Still, every public filer is obligated to disclose the most significant risks that could materially affect its business, financial condition or operating results. AI risks certainly meet this criteria, and the increase in the number of large companies disclosing such risks is both expected and a positive development for investors.

Companies are increasingly warning about myriad risks arising from AI. Among the most common are risks related to AI heightening the potential for cybersecurity attacks, both internally and through third-party vendors, legal and regulatory risks arising from government response to this rapidly evolving technology, concerns about intellectual property disputes, and threats related to customer privacy breaches (particularly in the health-care and financials space). However, the most prevalent concern is the impact of AI on corporate reputation. Those risks included fallout from publicly announced AI projects failing to deliver promised outcomes, or a company failing to successfully integrate or operate AI effectively. Reputational risks also included warnings that consumers may not want the promised AI improvements, in either the products themselves or consumer-facing uses such as a customer service chatbot.

Companies including reputational risk disclosures appear to understand that this technology is new and somewhat unpredictable and could therefore impact business in unexpected ways. Hallucinations and factual errors in AI responses generate a lot of media coverage, but only a handful of companies have specifically addressed the concerns associated with unreliable or erroneous AI-generated content undermining trust or drawing regulatory consequences. While the analysis focused on S&P 500 companies, these types of reputational risk disclosures are sure to be even more important for newer technology firms and any mid or small-cap firms hoping for an AI boom to bridge the gap with more entrenched  competition.

Even minor AI glitches could significantly affect a firm’s reputation, particularly if its value proposition relies on AI implementation. Though not a dominant consideration, some companies have disclosed risks concerning competitors’ aggressive or effective use of AI as a potential drag on their own performance and reputation.

Examples of recent AI-related disclosures demonstrate the various strategies companies are employing to manage reputational risks:

1. In the Walt Disney Company’s (DIS) Form 10-K for the fiscal year ended September 27, 2025, the company identified a few AI-related It warned investors about risks to the business if Disney is not able to successfully adapt to new technologies, if such new technologies affect the demand for Disney’s products and services. Disney also recognized as a risk-factor that generative AI tools could be used to create competing low-cost content which would undermine its own offerings.
2. In the Microsoft Corporation’s (MSFT) Form 10-K for the fiscal year ended June 30, 2025, the company identified the execution and competition risks associated with its offering of AI services to the public, including a risk that its AI services do not maintain utility or performance across an array of computing devices (like PCs and smartphones). The company acknowledged that if it is ineffective in executing AI-related technical changes, it could adversely impact Microsoft’s operations and results. Microsoft also noted many instances where its AI systems could be “used in ways that are unintended or inappropriate,” that some AI-users could engage in fraud using Microsoft’s services, and that AI-features were susceptible to security threats, all of which could cause reputational damage.
3. In Take-Two Interactive Software, ’s (TTWO) Form 10-K for the fiscal year ended March 31, 2025, the company identified several risks related to the development and use of AI in its products, causing reputational concerns. Take-Two specified ethical concerns and negative user perceptions arising from AI integration into its products and services, which could affect the business’s reputation. Take-Two also noted the risk that its competitors successfully implement AI technologies while Take-Two fails to do so, which could impact the company’s long-term growth.
4. In Visa ’s (V) Form 10-K for the fiscal year ended September 30, 2025, the company identified that its “development, deployment and use of AI and machine learning is subject to various risks at each stage of use,” which could lead to additional regulatory scrutiny. Visa also noted its failure to keep up with competitors’ AI offerings could lead it to fall behind technological developments and evolving industry standards, potentially harming its reputation.
5. Finally, Tempus AI, (TEM), an AI-driven healthcare company, in its Form 10-K for the fiscal year ended December 31, 2025, identified problems with AI-generated output that could affect its business, including “accuracy, bias, toxicity, intellectual property infringement or misappropriation, data privacy and cybersecurity and data provenance.” In addition to increased regulatory scrutiny from the use and deployment of AI in the healthcare space, Tempus AI also recognized a risk to its business and operations of the output of its algorithms.

Perhaps not surprisingly, companies have been slow to dis-close risks about labor relations related to AI implementation. Public fears about AI replacing workers, particularly in knowledge management and technology companies, have been well-documented. The Writers Guild of America made headlines in 2023 with a five-month strike, driven in part by AI use in writing scripts. As implementation ramps up and causes labor displacements, companies may consider specific disclosures if employee reactions to AI implementation start affecting their business. The recent trend suggests that as AI implementation accelerates, AI-related risk warnings will proliferate and will likely be tailored to more specifically identifiable risks.

Risk disclosures in Form 10-Ks can insulate public filers from securities fraud complaints based on forward-looking statements under the PSLRA safe-harbor provision if the disclosures are meaningful and they identify important factors that could cause actual results to differ materially from those in the projections. Boilerplate risk warnings do not suffice; the risk warnings must be specific. The Conference Board analysis noted that 11 S&P 500 companies cited reputational risks from AI in broad terms without detailing underlying causes. Broad disclosures about the risks of AI generally may be the kinds of “boilerplate” risk warnings courts do not credit.

Even specific AI risk warnings may not protect forward-looking statements about AI implementation if they are not tailored to the actual risks facing companies. Investors bringing future Section 10(b) claims related to AI implementation will need to scrutinize the AI-related risk disclosures and their timing. Some AI-related risks will be vague or boilerplate. Even more specific disclosures may not adequately address actual risk appropriately, especially in a rapidly evolving sector like AI. If disclosures remain unchanged from year to year, it may suggest the company is actually cautioning against risks that have already materialized. None of which will shield securities fraud defendants from liability.