The AI Fiduciary Gap and the Board That Cannot Afford to Ignore It
Most boards have adopted AI policies. Few have built the documented oversight architecture that satisfies their fiduciary duty under Delaware corporate law — and the absence of that documentation is the exposure.
What the Research Establishes
The Caremark standard (In re Caremark International, Del. Ch. 1996; affirmed Stone v. Ritter, Del. 2006) requires boards to implement a reasonable information and reporting system for mission-critical risks and to monitor it in good faith. Delaware courts have confirmed that “mission-critical” risk requires heightened board oversight. As AI mediates compliance monitoring, anomaly detection, and financial controls at most public companies, it now meets that threshold — and the board that cannot produce a record of good-faith oversight faces the same derivative liability exposure that Boeing’s board faced for safety system failures.
Sources: In re Caremark Int’l, 698 A.2d 959 (Del. Ch. 1996); Stone v. Ritter, 911 A.2d 362 (Del. 2006); Matera, “Algorithmic Oversight,” Oxford Business Law Blog, March 2026
In re McDonald’s Corp Stockholder Derivative Litigation extended Caremark oversight duties to officers within their delegated domains. Every C-suite executive responsible for AI deployment — the CHRO overseeing AI-assisted hiring, the COO whose operations run on AI-mediated controls, the CIO who owns the systems — now has a personal fiduciary exposure, not merely a board-level one. The governance architecture must name the officer responsible for AI oversight and define what escalation to the board looks like.
Source: In re McDonald’s Corp S’holder Deriv. Litig., Del. Ch. 2023
Colorado’s AI Act (SB 24-205) was repealed and replaced by SB 189 (signed May 14, 2026), which removes the duty of care, risk management programs, and impact assessments in favor of a narrower disclosure framework effective January 1, 2027. This repeal removes the state-statutory argument boards were using to defer governance action. The Caremark duty is independent of any statute. Boards that waited for Colorado have now lost their reason to wait — while the exposure remains.
Sources: Colorado SB 24-205; Colorado SB 26-189, signed 2026-05-14
The SEC’s Investor Advisory Committee voted on December 4, 2025, to recommend that the Commission require disclosure of board oversight mechanisms for AI deployment. Only 15% of S&P 500 companies currently disclose board oversight of AI. The 85% that do not face a material disclosure gap in the 2026 proxy season, independent of whether the IAC recommendation becomes formal guidance.
Source: SEC IAC AI Disclosure Recommendation, December 2025; NACD 2025 Board Practices and Oversight Survey
Only 36% of boards have implemented a formal AI governance framework. Only 6% have established AI-related management reporting metrics. These are not aspirational benchmarks — they are the documented current state of board governance. The gap between what Caremark requires and what most boards have built is the AI fiduciary gap. It is not a future risk. It is the present condition of most boards deploying AI today.
Source: NACD 2025 Board Practices and Oversight Survey (200+ public company directors)
The Governance Architecture, by Role
The board that has not documented its AI oversight architecture is already exposed under Caremark. The four minimum viable architecture elements that make the board’s governance position defensible before the first derivative claim arrives: committee charter amendment, quarterly AI governance report, impact assessment process, and officer accountability contracts.
The CFO faces the AI fiduciary gap from two directions simultaneously: Caremark exposure in financial decision domains, and SEC disclosure liability if the proxy statement does not accurately reflect AI oversight practices. The three AI domains where CFO exposure is highest, and the four-element accountability contract that makes the governance position defensible before the Q3 2026 proxy season.
Operations is where AI agents are deployed fastest and where the governance documentation gap is widest. The COO’s governance register is the primary defense document in derivative litigation. The three highest-exposure operational AI domains, the triage protocol that makes governance scalable at operational scale, and the 90-day build that closes the gap.
The CHRO faces the most legally dense AI governance obligation in the C-suite: Caremark, Title VII, ADA, ADEA, and EEOC enforcement activity converge in the HR function simultaneously. The five consequential HR AI decision domains, the disparity analysis protocol that satisfies the EEOC technical assistance standard, and the vendor governance requirements that close the third-party liability gap.
An AI system in credit risk that produces discriminatory outcomes is a regulatory enforcement action, a class action, and a Caremark claim simultaneously. The CFPB’s outcome-based enforcement standard does not accept “the model is complex” as an adverse action explanation. The three highest-exposure risk AI domains, the explainability protocol that satisfies ECOA requirements, and the governance register that is the first document regulators will request.
Technical competence does not substitute for documented oversight, and it does not satisfy Caremark. The CIO/CTO owns both the direct governance obligation for technology function AI and the technical foundation that enables every other officer’s governance architecture. The master AI system inventory, the technical impact assessment protocol, model drift monitoring, and vendor governance requirements that make the entire organization’s AI governance defensible.
The Analytical Record
The Board That Has No Answer Has Already Failed
The board that cannot produce a document proving it governs AI is already in the Caremark exposure zone. The difference between the board that declared its AI governance commitment and the board that built the architecture to back it up — and why the first is not a defense against a Caremark claim.
The Caremark Standard Now Applies to AI. Here Is the Documentation Your Board Needs.
The Delaware Caremark standard applies to AI oversight. The board that lacks documented governance architecture is already exposed. Four minimum viable architecture elements every board must build before the first claim arrives.
The Board That Declared and the Board That Built
I have watched boards declare their way into crises they could have governed their way out of. The AI governance gap is the same pattern, arriving at a different speed. What the board that builds looks like versus the board that declares.
The AI Fiduciary Gap: Three Governance Signals Boards Cannot Ignore This Quarter
Three governance signals in the past 90 days that close on every board without a documented AI oversight architecture. The governance calendar for Q3 2026 and what each signal requires.
The AI Fiduciary Gap: What the Governance Architecture Looks Like
The four-element AI governance architecture that satisfies the Caremark standard. A board-level visual briefing on what documented oversight looks like before the first claim arrives.
The Board That Governs This Well Builds Something That Outlasts the Crisis
Every board currently operating without a documented AI governance architecture is one Caremark challenge away from a governance failure that cannot be explained to shareholders. The fiduciary exposure is not theoretical. The McDonald’s Corp. ruling extended oversight duties to officers within their delegated domains. The SEC has AI disclosure expectations. The EU AI Act creates board-level attestation obligations for any organization operating in European markets.
The board that builds the governance architecture before the first claim arrives does not just protect its directors. It builds an institutional standard its successors will inherit as organizational strength, not organizational liability.
Touch Stone Publishers does not consult. It does not manage engagements. It does not place advisors inside organizations. It produces the primary research, the analytical framework, and the governing argument that equips boards and executive teams to build the architecture themselves — with their own General Counsel and their own governance committee.
The board that builds the AI fiduciary architecture before litigation arrives has built something its successors will inherit as institutional strength, not institutional liability. That is what governance architecture looks like when it is not built in response to a claim.