Corporate boards now carry a legal duty to oversee artificial intelligence, and the time to demonstrate that oversight is running short. On August 2, 2026, the high-risk provisions of the European Union AI Act become enforceable, and any company that deploys a covered system faces penalties of up to 15 million euros or three percent of global annual turnover, whichever is greater. In parallel, Delaware courts have started to fold algorithmic risk into the oversight obligations directors already owe under the Caremark line of cases. The question in front of every board is no longer whether AI belongs on the agenda. It is whether the board can prove it was watching.
This matters now because two enforcement timelines are arriving in the same quarter. The European deadline is fixed and less than two months away. The American exposure is quieter but more personal, because it reaches the directors themselves rather than the corporate balance sheet. A board that treats AI as a management problem to be reported on once a year is exposed on both fronts. The defensible position requires a documented system of oversight that existed before any incident, not a narrative assembled after one.
The August 2 Deadline Is Closer Than Most Boardrooms Assume
The EU AI Act’s obligations for high-risk systems take effect on August 2, 2026, and they apply to systems already in service, not only to new deployments. Compliance is not a policy statement. It requires a functioning risk management system, a data governance framework, finalized technical documentation, demonstrable human oversight, conformity assessment, CE marking where applicable, and registration in the EU database before the system operates. Each of these is an artifact that must exist and be producible on demand.
The reach extends well beyond companies headquartered in Europe. Any organization whose AI output is used inside the European Union can fall within scope, which captures a large share of multinational employers, lenders, insurers, and software vendors. The financial penalties are severe, and in several member states the consequences may extend to criminal liability for the individuals responsible. Spain has already signaled personal accountability for directors who allow non-compliant systems to operate. A board that has not asked management which of its systems are classified as high-risk under the Act has not started the work.
Delaware Has Quietly Folded AI Into the Duty of Oversight
The Caremark standard has long required directors to build and monitor systems that address mission-critical risks. For most of its history, the bar for liability was high, reachable only where a board utterly failed to implement any reporting system or consciously ignored the one it had. That bar has been moving. Recent Delaware opinions have pressed directors to actively detect and obtain information about material risks rather than wait for problems to surface on their own.
Algorithmic risk fits this framework with uncomfortable precision. Model bias, safety failures, and dependence on third-party systems are exactly the kind of mission-critical exposures that courts, regulators, and plaintiffs now expect directors to monitor. When an AI system makes or shapes decisions about credit, hiring, pricing, or safety, a failure is not an operational footnote. It is the type of harm that invites a breach-of-fiduciary-duty claim, and the duty of oversight has recently been extended to corporate officers as well as directors. The practical lesson is that good intentions do not satisfy Caremark. A documented information system does.
The SEC Has Made Oversight a Disclosure Obligation
The third pressure comes from disclosure. The Securities and Exchange Commission’s cybersecurity rules already require public companies to describe, in their annual filings, the processes they use to identify and manage material technology risks and the board’s specific role in overseeing them. The same logic is migrating toward AI. Once a company is required to describe its board’s oversight role in a public filing, the gap between what the company claims and what it can actually demonstrate becomes a securities risk in its own right.
This converts governance from a private matter into a published representation. A board that asserts robust AI oversight in a filing, then cannot produce minutes, reporting cadences, or risk assessments to support the claim, has created a second liability on top of the underlying operational one. Surveys continue to show that only a minority of boards have adopted a formal AI governance framework or established clear oversight metrics. That gap between practice and representation is where enforcement and litigation will concentrate.
What the Board Must Establish Before the Deadline
The board’s task is not to manage AI. It is to ensure that management has built the right systems and then to verify that work through structured reporting and independent assessment. That verification has to be documented, because in every one of these regimes the defense is the record. A board that can show a dated framework, a regular reporting rhythm, and a clear assignment of accountability is in a fundamentally stronger position than one relying on memory and good faith.
Three steps deserve immediate attention. First, the board should require management to complete an organization-wide inventory of AI systems and to flag which ones fall under the EU AI Act’s high-risk category, with a status report against the August 2 deadline. Second, the board should adopt a written AI governance framework calibrated to the company’s risk profile, anchored to a recognized standard such as the NIST AI Risk Management Framework or ISO/IEC 42001, so that the oversight record is defensible against an external benchmark. Third, the board should establish a fixed reporting cadence that produces minutes and metrics, creating the contemporaneous evidence that Caremark, the SEC, and European regulators all expect.
The convergence of these deadlines is not a reason for alarm. It is a reason for discipline. Directors who treat AI oversight as a core fiduciary responsibility, document the systems that support it, and verify management’s work before August 2 will have met the standard. Those who wait for an incident to define their duty will discover that the record they needed was the one they failed to build. The board’s imperative this quarter is simple to state and demanding to execute. Establish the oversight system now, and make it provable.