The Statute Was the Scaffolding. The Duty Was Always the Building.

When Colorado repealed the duty of care in its AI Act on May 14, boards read it as a reprieve. It is not. The Caremark oversight duty was never the statute's to grant or revoke.

On May 14, a state legislature did something that looked, on its surface, like a reprieve for boards. Colorado repealed and replaced the law it had spent two years building. The Colorado Artificial Intelligence Act, the first comprehensive state framework in the country to impose a documented duty of care on the companies deploying high-risk AI, was stripped of that duty before it ever took effect. The risk-management programs, the impact assessments, the obligation to guard against algorithmic discrimination: gone, or narrowed into a thinner set of disclosure rules, with the effective date pushed from June 30 of this year to January 1 of next.

A general counsel reading that news could be forgiven for exhaling. The deadline that had been circled on the calendar moved. The framework that had been keeping risk committees up at night softened. For a board that had been treating June 30 as the moment its AI exposure became real, the obvious conclusion is that the moment receded.

That conclusion is wrong, and the reason it is wrong is the most useful thing a director can understand about governance right now.

The statute was never the source of the obligation. It was the scaffolding around it. Scaffolding makes a building easier to see while it goes up. It is not the building. When the scaffolding comes down, the structure it surrounded is still standing, and in this case the structure is thirty years old.

In 1996, Chancellor William Allen of the Delaware Court of Chancery decided a case about a healthcare company that had run afoul of federal law while its board looked elsewhere. The holding in In re Caremark was not that directors must guarantee compliance. No board can guarantee that. The holding was narrower and more durable: a board must make a good-faith effort to ensure that information and reporting systems exist, sufficient to bring the corporation's most serious risks to the board's attention in time to do something about them. A decade later, in Stone v. Ritter, the Delaware Supreme Court confirmed that this was not a procedural nicety. It was a fiduciary duty. A director who utterly fails to put oversight in place where the risk is genuinely mission-critical can be held personally liable for the failure.

Notice what that doctrine does and does not require. It does not require a statute. It does not wait for a legislature to name a risk before the duty to monitor it attaches. The duty attaches when the risk becomes central to the enterprise. The question Caremark asks is never "did a law tell you to watch this?" The question is "was this important enough that a reasonable board would have built a way to see it, and did you?"

This is where the Colorado news inverts on itself. Most observers read the repeal as the removal of an obligation. Read it again. What the legislature removed was the part that was doing the board's thinking for it. The Colorado Act, in its original form, had been quietly convenient for directors. It told them exactly which AI systems counted as high-risk, exactly what documentation satisfied the requirement, exactly when the clock started. It converted a judgment call into a checklist. And a checklist, whatever else it does, gives a board somewhere to hide. You can point to the statute and say the statute did not yet apply.

Take the statute away and the hiding place goes with it. The board is left alone with the underlying question, which was always the harder one. Is the AI system this company has put in front of its hiring decisions, its credit decisions, its clinical triage, its insurance underwriting, a mission-critical risk to the enterprise? If the honest answer is yes, then Caremark already requires the board to have built a way to monitor it. No Colorado statute made that true. No Colorado repeal makes it false.

There is a pattern here that recurs in governance often enough to deserve a name, and we have given it one. We call it the Declarative Board Failure Pattern. It describes boards that believe their duty is discharged by declaration: by adopting the AI ethics policy, by passing the resolution, by announcing the principle. Declaration feels like governance because it produces a document and a date. But a declared value with no monitoring system behind it is precisely the posture Caremark was written to catch. The board that announced its commitment to responsible AI in a press release, and built nothing underneath it, has not protected itself. It has documented the gap between what it said and what it did, which is the most dangerous record a fiduciary can leave.

The companies that spent the last year preparing for Colorado now face a choice that reveals which kind of board they are. The compliance-minded board treats the repeal as permission to stand down. It shelves the work, returns the budget, and waits to see whether January 2027 brings something it actually has to comply with. The governance-minded board does the opposite. It recognizes that the work it was doing was never really about Colorado. It was about building the board's capacity to see a risk it had delegated into the operational core of the business. That capacity is worth having whether or not any statute requires it, because the exposure it addresses does not require a statute either. It requires only a plaintiff, a harm, and a board that cannot produce the records showing it was watching.

The federal track makes this even clearer. The SEC's guidance on AI-related disclosure in proxy filings is a federal instrument. It is not subject to a state legislature's change of heart. Boards that must describe their AI oversight architecture in their filings cannot describe what they have not built. The disclosure obligation does not soften because Colorado softened. If anything, the contrast sharpens it: the states may reverse themselves, but the federal disclosure expectation and the Delaware fiduciary duty both sit upstream of any single statehouse.

So the right way to read May 14 is not as a deadline that moved. It is as a test of whether a board understood why it was doing the work in the first place. The deadline was always a proxy. The real obligation was never the Colorado Act's, and never any legislature's to grant or revoke. It belonged to the board the moment the company pointed an algorithm at a decision that could harm someone and could not afterward explain itself.

A board that builds its AI oversight architecture now, while there is no statute forcing its hand and no litigation yet at its door, is doing the one thing the Legacy Test asks of any governance body. It is building something that holds when the person who built it is gone and the conditions that prompted it have changed. The architecture built this way is not built in response to a deadline or a derivative suit. It is built because the risk was real before anyone outside the boardroom said so. That distinction is the whole inheritance. The board that built its oversight because a statute made it do so does not pass the test, because the first time the statute moves, its governance moves with it. The board that built oversight because the risk demanded it leaves its successors something durable: a way of seeing that does not depend on anyone outside the boardroom keeping the scaffolding in place, and that was never assembled in a panic after the harm was already done.

The scaffolding came down in Colorado last month. Look at what your board has standing behind it. If the answer is nothing, the statute was never your problem.