The enforcement template is set.
The SEC’s Corporate Enforcement and Technology Unit (CETU) has already demonstrated, with precision, exactly how it will build its next AI washing case. Presto Automation (January 2025, the first public-company AI washing settlement, brought by the SEC Division of Enforcement before CETU was formed on February 20, 2025) and Nate Inc. (April 9, 2025, the first documented CETU action) are not cautionary outliers from an agency still developing its theory of the case. They are the finished template, established and then deepened, ready to be applied again to the next organization that claims AI capabilities in investor communications without the documentation to verify them.
Every AI capability claim in your investor materials, analyst presentations, marketing website, and press releases now operates inside the securities fraud perimeter. Your marketing department may not know this. Your legal counsel may not have told your board. Your board almost certainly has not approved a verification protocol for the claims your marketing team releases on a quarterly basis.
The question is not whether the SEC will use this template again. The question is whether your organization will be the next case study.
The Declarative Board Failure Pattern in Action
The Declarative Board Failure Pattern, a four-step sequence that produces both regulatory exposure and personal director liability, describes exactly what happened in both landmark cases.
Step one: the organization declares AI capabilities. In investor materials, analyst briefings, product launches, and marketing collateral, the organization claims that its AI does specific things that produce specific competitive advantages. These claims are often accurate in aspiration. They are frequently unverifiable at the time they are made.
Step two: the organization fails to verify. No internal verification protocol confirms that the claimed capabilities match the system’s actual performance. No board approval process reviews the claims before release. No independent review documents that the stated AI functionality produces the described outcomes.
Step three: regulators arrive. The SEC’s CETU, formed February 20, 2025, was built precisely for this sequence. Its investigators know what AI capability claims look like in investor materials. They know how to test whether the underlying systems can support those claims. They know how to trace the chain of approval from the marketing department through legal review to board awareness.
Step four: criminal exposure. The parallel DOJ enforcement in the Nate Inc. case (April 9, 2025, $42 million settlement) is the clearest signal that AI washing is not being treated as a civil disclosure failure with a fine attached. It is being treated as fraud. The distinction matters enormously for board directors who believed their oversight obligation ended at reviewing the marketing budget.
Presto Automation’s January 2025 settlement, handled by the SEC Division of Enforcement before CETU’s formation, produced the first public-company AI washing settlement and informed the mandate CETU was built to fulfill. Nate Inc.’s April 2025 settlement, the first CETU enforcement action, added parallel DOJ action. CETU is not running a single-case experiment. It is building a body of precedent that will govern the next ten years of AI enforcement.
What “AI Washing” Means Legally
The term “AI washing” entered regulatory language as a description of a specific enforcement theory: an organization makes materially false or misleading statements about its AI capabilities in communications that reach investors or influence investor decisions.
The specific triggers in the Nate Inc. case center on investor materials that described AI-driven capabilities in terms the underlying system could not support. The materials implied automation, intelligence, and reliability that the system’s actual performance did not match. When CETU investigators reviewed the gap between the stated capabilities and the documented system performance, the enforcement referral was straightforward.
“Materially false or misleading” is the operative standard under Securities Exchange Act Rule 10b-5. A claim is material if a reasonable investor would consider it important in making an investment decision. AI capability claims, in the current competitive environment, are almost universally material. Investors price AI capability into valuations. Analysts ask about AI integration in every earnings call. The investor who allocated capital partly because of an AI capability claim that could not be verified has a securities fraud claim the moment CETU opens the file.
The enforcement perimeter extends beyond the CFO’s quarterly letter. It covers the investor relations website, the product marketing materials that reach institutional investors through third-party analyst summaries, the conference presentations where executives describe AI roadmaps, and the press releases that move into analyst models within hours of release. CETU does not limit its review to documents marked “investor communications.” It reviews everything that touches the investor information chain.
The Governance Boundary and the Board That Approved the Marketing
The Governance Boundary Principle (GBP) distinguishes between two board functions: governing the accountability architecture and executing within it. A board that approves marketing spend without approving the verification protocol that governs AI capability claims has crossed the GBP line in the wrong direction. It has taken on execution responsibility, through approval of the outputs, while abandoning its governance responsibility by failing to require the verification architecture that makes those outputs defensible.
This distinction is not academic. The Delaware Chancery’s Caremark expansion (Sidley Austin LLP, June 24, 2026) has made board minutes evidentiary in AI governance cases. A board whose minutes show approval of marketing budget allocations, approval of investor relations strategies, and approval of earnings call guidance that includes AI capability claims, but whose minutes show no discussion of verification protocols, has created a documented record of governance failure.
The board chair who reviews the investor materials before they are released and confirms they “look fine” has not fulfilled the board’s governance obligation. Governing the accountability architecture means requiring, before any approval of AI capability claims, that management can demonstrate the verification protocol: what was tested, who tested it, what the independent review found, and how those findings were documented.
The organizations that have built this architecture are not the organizations in CETU’s files. The organizations that have not built it are precisely the ones CETU is designed to find.
This is the dimension where the board-level governance architecture becomes the central variable. The full governance framework for making AI claims verification systematic, rather than ad hoc and dependent on individual legal reviewers who may lack AI technical literacy, was developed in the Accountability Pivot Executive Leadership Playbook. The architecture described there translates the board’s governance obligation into the operational protocols that marketing, legal, and investor relations teams can execute consistently.
What a Defensible AI Marketing Program Looks Like
The organizations that will not appear in CETU’s next round of enforcement actions have built three elements into their AI marketing process.
The first element is a verification protocol. Before any AI capability claim reaches investor communications, marketing materials, or analyst presentations, the protocol requires documented evidence that the stated capability matches the system’s measured performance. The protocol names the internal owner of the verification, specifies the evidence standard, and requires sign-off before release. Claims that cannot be verified are either removed or qualified with explicit limitations.
The second element is board approval of claims categories. The board does not review every marketing sentence. The board approves the categories of claims the organization is authorized to make about its AI systems and the verification standard that must be met before those claims are released. This approval is documented in board minutes. When CETU investigators trace the chain of approval for an AI capability claim, they find a board that required verification before the claim was made, not a board that assumed management had handled it.
The third element is documentation of independent review. The verification protocol is not a management self-certification. It requires an independent review of the capability claim against the system’s documented performance. That review is documented, retained, and producible in response to a regulatory inquiry. When CETU asks “who reviewed this claim before you released it, and what did they find,” the answer is a document, not a conversation.
These three elements do not guarantee that no capability claim will ever be challenged. They guarantee that the organization’s response to a challenge will demonstrate good faith, documented process, and institutional accountability rather than the pattern that produced the Declarative Board Failure Pattern (DBFP) sequence: declaration without verification.
The Consequence of the Template
CETU is not a single-case enforcement unit. It was built to establish and replicate a template across a sector. The Presto Automation and Nate Inc. cases are the template. The next organization that CETU selects will be the proof that the template applies broadly, not as a consequence of unusual misconduct, but as the natural result of the AI claims verification gap that exists in the majority of organizations that make AI capability claims in investor-facing materials.
ISS and Glass Lewis confirmed for the 2026 proxy season that AI governance proposals quadrupled and that votes against risk committee directors increased in cases with inadequate governance records. That means the enforcement pressure arrives from two directions simultaneously. An organization facing CETU inquiry that also faces a proxy advisor negative recommendation in the same calendar year is managing a coordinated governance crisis rather than an isolated regulatory event.
The three-element defensible AI marketing program is not a compliance aspiration. It is the minimum governance architecture that separates organizations that will face enforcement from organizations that will not. Building it before CETU’s next case announcement is the only sequencing that is not reactive.
The board that built the verification architecture before CETU selected its next case left its successors something no enforcement action can take away: governance that holds not because a regulator required it, but because the people who built it understood that what they constructed would outlast them. The distinction is not between boards that faced enforcement and boards that did not. It is between boards that governed for the next earnings call and boards that governed for the next generation of leadership.
The full governance framework, including the AI Claims Verification Checklist and Board Accountability Architecture, was developed in the Accountability Pivot Executive Leadership Playbook.