An officer's nameplate sits under a spotlight beside a dark, unmonitored control panel, the visual argument for the gap between a named AI owner and a documented, tested oversight architecture.

Delaware settled a question in 2023 that most corporate officers have not yet noticed applies to them. In In re McDonald’s Corporation Stockholder Derivative Litigation (Del. Ch., January 26, 2023), the Court of Chancery extended the fiduciary duty of oversight, the Caremark doctrine, from directors to corporate officers directly. For most of the following three years, that extension sat as a doctrinal footnote. It described a duty without yet describing the fact pattern that would test it.

In 2025 and 2026, that fact pattern arrived. Enforcers, plaintiffs’ counsel, and proxy advisors began applying the officer-oversight standard, for the first time, against systems that make decisions on their own authority, inside mission-critical operations, without a human sign-off. The doctrine did not change. What changed is that agentic AI created exactly the condition Caremark was written to police: a decision made inside the company that no single human directly made, reviewed, or can fully explain after the fact. An officer who delegates a decision to an autonomous agent has not escaped the duty to oversee it. The officer has walked directly into the version of that duty with the fewest available defenses, because the agent cannot be deposed, and the officer who failed to architect its oversight can be.

This distinction, between an operational AI failure and a fiduciary one, is the argument this piece develops. It is drawn from a broader body of research on officer-level Caremark exposure under agentic systems, developed in the Agentic AI Governance Executive Leadership Playbook and its function-by-function research.

The doctrine officers are already living under

Caremark liability has never depended on whether a system, human or algorithmic, made an error. Since the original 1996 Caremark decision, and confirmed for officers specifically in McDonald’s, the standard has turned on one question: did the officer make a good faith effort to implement and monitor a reporting system reasonably designed to surface material risk. An AI agent that errs inside a documented, monitored, appropriately bounded oversight architecture is a technology problem, the kind every operating executive has managed before. The identical error inside an undocumented architecture, with no officer named as accountable and no defined threshold for escalation, is a fiduciary problem, and McDonald’s put a specific officer’s name on it.

This reframing matters because it changes what solving the problem actually requires. It is not a model accuracy exercise, and it is not a vendor selection exercise. It is an accountability architecture, built and documented before a court or a regulator asks for it, not after.

Why the traditional defense fails against a black box

The Caremark defense that has protected officers for three decades rests on red flags: evidence that a risk was visible and a reasonable officer would have noticed it. Frontier AI systems, agentic systems in particular, do not reliably produce red flags a human would recognize before a failure compounds. An agent can execute thousands of individually unremarkable decisions that aggregate into material harm with no single decision looking, in isolation, like something worth raising.

That means “no one raised it with me” is a materially weaker defense for an officer overseeing an agentic system than it has ever been for one overseeing a human team. The defense that holds now is architectural rather than evidentiary: a working, documented oversight system that surfaces risk on a defined, mechanical trigger, built to find the problem regardless of whether any human happened to be watching, rather than one that depends on a person noticing.

Two live signals show this shift is not theoretical. The U.S. Securities and Exchange Commission’s April 2025 fraud charges against Albert Saniger, founder of Nate, Inc. (SEC v. Saniger, charges filed April 9, 2025), allege that Saniger raised more than $42 million from investors by materially overstating the company’s AI automation rate, claiming automation above 90 percent against an actual rate near zero. The case is not a story about one founder’s dishonesty. It is the enforcement pattern the SEC has signaled it will apply broadly: the gap between what an officer represents about an AI system’s capability and what the system actually does is a chargeable offense, not a disclosure nuance. Separately, plaintiffs’ counsel in emerging Caremark-adjacent matters are now seeking discovery of agent prompt logs, model version histories, and system architecture diagrams, not to prove the AI erred, but to prove the officer had the means to know what the system was doing and did not build a system that would tell them. A board minute stating that “AI governance was discussed” does not survive that kind of discovery. A document naming a specific officer, a documented decision boundary, and a record of at least one intervention does.

The government’s own inventory shows the pattern at scale

The clearest evidence that this gap is common, not exceptional, comes from inside government itself. The U.S. Government Accountability Office’s March 2026 report, GAO-26-107522, Artificial Intelligence: IRS Actions Needed to Address Skills Gaps, Information Quality, and Strategic Management, examined 126 active AI use cases in the IRS inventory as of June 2025 and found that more than 25 percent lacked a documented benefit rationale. GAO issued eight recommendations, and the IRS agreed to all eight.

The finding is instructive precisely because it involves no allegation of fraud and no litigation. It is a routine audit of one of the largest, most heavily scrutinized institutions in the country, and it found that a quarter of the AI systems in active use could not produce, on request, a documented reason for existing, let alone a named accountable owner or a tested escalation path. If that gap exists at this rate inside an agency operating under continuous congressional and inspector general oversight, the working assumption for a private company’s agentic deployments should not be optimism. It should be an inventory, taken now, before a regulator or a plaintiff’s expert takes it first.

The market is pricing both sides of this failure at once

Boards and officers sometimes treat governance work as a brake on the speed AI adoption requires. The data does not support that trade-off; it shows two distinct penalties, applied simultaneously, for opposite failures. US venture investors committed $412.7 billion in the first half of 2026, 86 percent of it concentrated in artificial intelligence (PitchBook, 2026 Advanced Software Launch Report, July 2026), a level of concentration that reprices every company competing against an AI-native challenger. Companies that hesitate on adoption do not hold their valuation while they wait. Medallia’s owners absorbed a full $5.1 billion equity write-down in a 2026 recapitalization, and the incoming ownership group immediately committed new capital specifically to accelerate the platform’s agentic AI capabilities, treating agentic capability as the central lever for the company’s next chapter of value, a number large enough to end careers and restructure balance sheets on its own.

At the same time, the proxy advisory market is building toward pricing the opposite failure, ungoverned adoption, directly. ISS’s own 2026 research found that only 22 percent of S&P 500 companies, and just 6 percent of the Russell 3000, disclose board oversight of AI at all, while 58 percent of investors surveyed said companies with significant AI use should already be applying a formal risk framework (ISS-Corporate, Artificial Intelligence and Governance: Is 2026 a Tipping Point for Turning Awareness into Action, 2026), a disclosure gap ISS itself is now positioned to act on in a future benchmark policy. An against-vote recommendation from ISS, once that policy arrives, will not be symbolic. It will move institutional votes, and institutional votes move director elections, say-on-pay outcomes, and, increasingly, the cost and availability of D&O insurance at renewal.

Read together, these are not two separate risks an officer can choose between. They are the same decision measured from opposite sides: adopt without governance and the market prices the ungoverned exposure directly into proxy season and enforcement posture; delay adoption to avoid that exposure and the market prices the hesitation directly into valuation. The only position with no penalty attached is the one most officers have not yet built: adopt at full speed, and document the accountability architecture concurrently, not afterward.

What a defensible architecture actually requires

An officer closes this gap by producing three things on request, without advance preparation. First, the name of the individual accountable for each agentic system operating in a mission-critical function, not a committee, not a working group. McDonald’s imposes the oversight duty on officers individually, and a committee cannot be deposed the way a named Chief Compliance Officer can. Second, a documented boundary stating exactly what that system may decide without a human sign-off, written down and version controlled, not held as institutional memory that functions only until it is tested. Third, a record showing the escalation mechanism has actually surfaced the agent’s behavior to that named officer at least once, and that the officer acted on it. A theoretical capacity to intervene is not a demonstrated one, and the difference is exactly what a plaintiff’s expert will look for first.

None of this requires waiting for a court to rule definitively on how McDonald’s applies to an autonomous agent’s specific decision. No such ruling exists yet, and any adviser who claims otherwise is not being straight with the officer reading this. What is already settled is the officer’s duty itself, established in 2023 and unchanged since. What is unsettled is only how a court will apply that duty to this particular fact pattern, and that uncertainty is the reason to build the defensible architecture now, while the standard is still being formed, rather than after a court defines the floor by ruling against an officer who did not.

The Legacy Test

The measure of the officer who builds this architecture is not whether the agentic systems under their watch performed well while they held the role. It is whether the named accountability, the documented decision boundary, and the tested escalation mechanism they built are still standing and still working for the officer who inherits their seat, governing whatever agent is running the function by then. And the officer who builds it now, in the quiet period before an enforcement action or a derivative suit forces the question, is acting from conviction. The one who builds it afterward is filing an exhibit.