The Finding

The SEC’s Cyber and Emerging Technologies Unit (CETU) established a five-stage AI washing enforcement template in its first year of operation. That template — visible in the Presto Automation settlement of January 2025 and the Nate Inc. parallel civil and criminal prosecution of April 2025 — is now the operating framework every board chair needs to understand before their next investor communication that references AI capabilities.

The template is not theoretical. CETU is a standing enforcement unit, not a temporary priority. Its first-year docket will expand. The organizations that understand the template will have the governance documentation to answer it. The organizations that do not will encounter it as a surprise.

This analysis was developed in the Ethics as an Advantage: Why Trust Will Be the Most Valuable Currency in the 2026 Economy Executive Leadership Playbook, which includes functional white papers for the board chair, CFO, COO, CHRO, CRO, and CIO/CTO perspectives.


The CETU Enforcement Template — Five Stages

Stage 1: Signal acquisition. CETU identifies potential targets through three documented channels: investor complaints about product capability discrepancies, whistleblower submissions from current or former employees, and direct monitoring of public investor communications compared against observable product performance. The third channel is the most significant operationally: CETU does not wait for complaints. It monitors investor communications and compares them against what organizations actually do.

Stage 2: Document comparison. CETU compares the investor-facing claims — in presentations, offering documents, marketing materials, website content — against technical evidence, often obtained through subpoena or produced by cooperating employees. The Presto Automation investigation followed this pattern: the investor communications described an AI-powered ordering system; internal operational records showed that human agents completed the majority of transactions the system initiated. The gap between the claim and the technical evidence was the primary enforcement package.

In the Nate Inc. case (SEC and DOJ SDNY, April 9, 2025), the gap was more stark: $42 million had been raised from investors on the basis of AI capability claims that internal records, engineering logs, and executive communications demonstrated were inaccurate. The organization described an AI-driven order processing system. The operational reality was that human agents performed most of the processing the system was described as automating.

Stage 3: Timeline construction. CETU reconstructs the timeline of executive knowledge. The critical determination is not whether the claims were inaccurate — Stage 2 establishes that. Stage 3 determines whether decision-makers knew, or should have known, that the claims were inaccurate when they made or approved them. This is the mens rea determination that separates civil enforcement from criminal referral.

The executive who signed off on investor materials describing “fully AI-powered” operations while internal reports showed 90% human intervention has both knowledge and authority. Both are present in the Nate Inc. record.

Stage 4: Civil or parallel criminal action. Civil enforcement (Presto Automation — settlement with monetary penalties, officer bars, and remediation requirements) and parallel criminal action (Nate Inc. — both SEC civil complaint and DOJ criminal prosecution) reflect different assessments of investor harm, executive knowledge, and the quality of the timeline evidence. Both outcomes are on the table for any organization whose investor-facing AI claims cannot be substantiated by current technical evidence.

Stage 5: Settlement or prosecution. Either outcome generates organizational disruption, leadership impact, legal costs, and reputational damage that substantially exceed the monetary penalty in most cases. The DWS ESG washing case — EUR 25 million fine from Frankfurt prosecutors in April 2025, following a three-year investigation — generated estimated total organizational costs of 10 to 20 times the fine when legal fees, leadership turnover, AUM impact, and management attention diversion are accounted for.


Why the Template Reaches Every Board Chair

The template reaches the board chair through two distinct legal pathways that intersect at the same governance gap.

The Caremark pathway. The Delaware Court of Chancery’s September 2025 ruling in Giuliano v. Grenfell-Gardner (the Teligent case, C.A. No. 2021-0452-KSJM, Chancellor McCormick) reaffirmed that Caremark requires boards to maintain documented oversight systems for the regulatory obligations most central to the organization’s business model. The court found that Teligent’s board — of a generic pharmaceutical manufacturer — never built systems to track FDA decisions affecting production, despite FDA compliance being existential to its business. The principle applies to AI governance by the same logic: where AI capability claims to investors are central to an organization’s value proposition, the board that does not maintain documented oversight of those claims has the same exposure. A derivative plaintiff can pursue this Caremark claim immediately following any AI-related regulatory or enforcement event.

The Boeing derivative litigation is the instructive precedent: board members who received safety reports without adversarially interrogating them did not satisfy Caremark. The same logic applies to AI governance reports. Board members who receive AI governance updates at quarterly meetings without documented adversarial questioning — specifically about the verification status of investor-facing claims — have the same exposure pattern.

The SOX pathway. SEC enforcement has established that AI capability claims in investor communications are material information subject to disclosure standards. CFOs who sign SOX Section 302 certifications attesting that disclosure controls are effective have a specific exposure if those disclosure controls do not include a process for verifying AI capability claims before publication. The gap between the standard financial disclosure control environment and the one that includes AI claims verification is not theoretical. It is the gap that CETU’s Stage 2 document comparison is designed to find.


The Five Board Questions That Constitute Adequate Oversight

The Caremark standard requires boards to ask adversarial questions — not receive management summaries. Based on the CETU enforcement template, five specific questions constitute the minimum oversight posture:

Question 1: What is the complete inventory of AI capability claims currently in our investor-facing materials? Who maintains it, and how current is it?

Question 2: For each claim in that inventory, what technical evidence currently exists that the claim is accurate? Not the policy. The evidence.

Question 3: What is the human intervention rate for every process we describe to investors as AI-powered or AI-driven? Has that rate changed in the past 90 days?

Question 4: Who has the authority to halt publication of an AI capability claim that is not currently verified? Does that authority exist in writing, and has it ever been exercised?

Question 5: If CETU requested our claims documentation today, how long would it take to produce a complete package? What would be in it?

These questions should appear in board meeting minutes, not just in management’s preparatory materials. The documentation of the question is the Caremark evidence. The quality of the answer determines the risk posture.


The Enforcement Environment Forward

SEC FY2025 enforcement produced 456 actions and $17.9 billion in monetary relief — of which $14.9 billion reflects a single legacy judgment in the Robert Allen Stanford Ponzi scheme — confirming the Division of Enforcement’s institutional commitment and active docket (SEC Press Release 2026-34, April 7, 2026). CETU’s investigative capacity is building, not contracting. The agency’s May 2025 public statements at the Securities Enforcement Forum West reiterated that rooting out AI washing schemes is an “immediate priority.” The Presto Automation and Nate Inc. cases are the first entries in a docket that will grow as CETU scales its monitoring and investigative operations.

The organization that builds its AI claims verification infrastructure now — the AI Claims Register, the Technical Verification Certificate process, the performance monitoring architecture, the board-level oversight documentation — will have the governance record CETU is looking for. The organization that waits will be building it during an investigation.

The board chair who treats this as a future problem has already made the risk decision. The correct time to build the governance architecture is before the enforcement template is applied to this organization’s investor communications.


Research Citations

  1. U.S. Securities and Exchange Commission. In re Presto Automation Inc. Settlement. January 2025.
  2. U.S. Securities and Exchange Commission / DOJ SDNY. SEC v. Albert Saniger / Nate Inc. April 9, 2025.
  3. SEC Cyber and Emerging Technologies Unit. Established February 20, 2025.
  4. SEC. Enforcement Results FY2025. Press Release 2026-34. April 7, 2026.
  5. Delaware Court of Chancery. Giuliano v. Grenfell-Gardner et al. C.A. No. 2021-0452-KSJM. September 2, 2025. (Teligent, Inc. — Caremark claims addressing board-level oversight of FDA regulatory compliance. General Caremark principle applies to AI governance oversight by extension.)
  6. Frankfurt Public Prosecutor’s Office. Fine against DWS Group GmbH. EUR 25 million. April 2025.
  7. Holland & Knight. “2025 Cybersecurity and AI Year in Review.” December 2025.
  8. White & Case. “Evolution of AI Washing Enforcement: DOJ Enters the Picture.” 2025.

Touch Stone Publishers Limited | 2026 | touchstonepublishers.com