The Audit Committee’s 8-Point AI Governance Oversight Checklist

Audit committees bear expanding fiduciary responsibility for AI governance as SEC scrutiny intensifies and director liability exposure grows. This Quick Reference Guide provides eight discrete checkpoints directors can use immediately to assess whether the organization’s AI governance posture meets board-level standards in 2026.

Artificial intelligence has moved from the technology department’s agenda to the audit committee’s agenda. The SEC Investor Advisory Committee voted in December 2025 to recommend formal disclosure requirements covering board oversight of AI deployment. More than 40 percent of S&P 500 companies now assign AI oversight to at least one board committee. Fewer than 25 percent have a board-approved AI policy in place. That gap defines the audit committee’s core obligation in 2026.

Audit committees that managed financial risk and internal controls through prior technology cycles now face a fundamentally different accountability structure. AI systems produce decisions that affect financial reporting, legal exposure, consumer outcomes, and reputational standing simultaneously. The eight checkpoints below translate that accountability into actionable director oversight.

Checkpoint 1: Confirm the Organization Maintains a Current AI Inventory

The audit committee cannot oversee what it cannot see. Request from management a complete inventory of all AI systems in production, in pilot, and under evaluation. The inventory should classify each system by risk tier, business function, data inputs, and the nature of outputs produced. An incomplete or outdated inventory is itself a material governance deficiency.

Checkpoint 2: Assess Whether a Board-Approved AI Risk Policy Exists

NACD survey data confirms that fewer than 25 percent of public companies have a formal, board-approved AI policy in place. The audit committee should determine whether a documented AI risk policy exists, whether it was reviewed and approved at the board level, and when it was last updated. A policy that predates the current generation of generative AI systems requires immediate revision.

Checkpoint 3: Verify Human-in-the-Loop Controls for High-Risk AI Decisions

Regulators, plaintiffs’ counsel, and institutional investors consistently ask the same question: who validates AI outputs before consequential decisions are made? The audit committee should request documentation of human review checkpoints for any AI system producing outputs that affect financial reporting, credit decisions, hiring, pricing, or compliance determinations. The absence of defined human review protocols for high-risk systems is a control deficiency that internal audit must flag.

Checkpoint 4: Examine Third-Party and Vendor AI Governance

Most AI risk enters organizations through third-party platforms, not internally built systems. The audit committee should confirm that vendor contracts include AI transparency requirements, that due diligence procedures for AI vendors have been updated, and that ongoing monitoring of vendor AI systems is assigned to a responsible owner. Vendor AI risk is organizational AI risk.

Checkpoint 5: Review AI-Related Disclosures for Accuracy and Completeness

The SEC has signaled that AI-related disclosures in annual reports and proxy statements are an active examination focus in 2026. The committee should compare the company’s disclosed AI oversight mechanisms against the actual governance structures in place. Disclosures that describe board oversight processes that do not, in practice, exist expose the company to securities litigation and regulatory action. Accuracy in AI disclosure is a board-level responsibility, not a drafting exercise.

Checkpoint 6: Test Internal Audit’s Capacity to Audit AI Systems

Internal audit functions built to assess financial controls and compliance processes may lack the technical competency to evaluate AI systems. The audit committee should ask the Chief Audit Executive directly: does the internal audit function have the skills and tools to audit AI model accuracy, training data quality, output bias, and monitoring controls? If not, the committee should direct investment in that capability or authorize co-sourcing arrangements with qualified external advisors.

Checkpoint 7: Confirm AI Incident Escalation Protocols Are Defined and Tested

A credible AI governance framework specifies what categories of AI incidents require escalation to the audit committee, who triggers escalation, and within what timeframe. The audit committee should request documentation of escalation thresholds and confirm that a tabletop exercise or simulation has tested the escalation path within the past 12 months. An escalation protocol that exists only on paper does not constitute effective oversight.

Checkpoint 8: Assess AI Literacy at the Board Level

Effective AI oversight requires directors who possess sufficient understanding to ask productive questions, evaluate management representations, and recognize when responses are incomplete. The audit committee chair should assess whether current committee members have participated in structured AI education within the past year. Boards that rely entirely on management framing for AI risk assessment have surrendered an essential element of independent oversight.

Implementation: Where to Begin

Committees that are starting from a low baseline should address Checkpoints 1, 2, and 5 in the current quarter. These three areas carry the most immediate regulatory and litigation exposure. Checkpoints 3, 4, and 7 constitute the core control infrastructure and should be completed within six months. Checkpoints 6 and 8 represent the organizational investment required to sustain AI governance over time.

The NIST AI Risk Management Framework provides a voluntary but well-structured foundation for management to build against. The audit committee’s role is not to build that foundation but to confirm it exists, that it is current, and that the people responsible for maintaining it have the resources and authority to do so. Each of the eight checkpoints above converts that responsibility into a direct, answerable question.
