Corporate boardrooms at the nation’s largest companies are rapidly fortifying their oversight of AI as the deployment of the fast-moving technology shifts from an experimental tool into a core enterprise risk and strategic priority.
Nearly half of the nation’s largest companies now explicitly cite AI risk as part of the board’s oversight responsibilities, triple the level reported a year earlier, according to an EY study that analyzed 80 of Fortune 100 companies’ proxy statements and 10-K filings as of July 31, 2025.
Companies are also highlighting AI expertise in director biographies – 44% mention it when they describe director qualifications – and 40% assigned at least one board-level committee to oversee AI, usually the audit committee. That’s up nearly four-fold from 2024. Also, 36% now list AI as a standalone risk factor in their 10-K filings, rising from 14% just a year ago.
“Boards and audit committees are more focused on AI than ever, and it’s only increasing as we go,” Pat Niemann, leader of the EY Americas Center for Board Matters and Audit Committee Forum, said in an interview with The AI Innovator.
The changes mark one of the fastest shifts in corporate governance priorities since cybersecurity emerged as a board-level issue more than a decade ago. AI is no longer viewed simply as a tool managed by the CIO or IT department. It is increasingly treated as a force capable of reshaping business models, workforce structures, capital allocation, compliance obligations and enterprise risk.
Audit committees are typically the chosen overseers of AI because of their longstanding role in enterprise risk management, financial controls and compliance.
“There’s certainly intersections with AI and financial reporting, internal controls, accounting and finance in general,” Niemann said. “Audit committee members are well versed in dealing with risk and helping management to oversee risk and govern risk.”
Around 40% of Fortune 100 companies have assigned a board-level committee to oversee AI, up from 11% in 2024, the report said. But with many global risks emerging in recent years – such as tariffs and wars – audit committees have their hands full. AI is now adding another layer of complexity — one that cuts across nearly all existing risk categories.
Hence, a solution for a growing number of companies is to set up separate technology or “innovation” committees, Niemann said.
Board-level tech committees on the rise
According to another EY study, one in seven S&P 500 companies has a separate tech or innovation committee, nearly doubling from 2018. The study analyzed committee charters and proxy statements of S&P 500 companies and included in-depth interviews with directors and executives at 18 companies that are first movers in adopting board changes.
These groups range in flavor from technology committees, temporary task forces, sub-committees, ad hoc groups, advisory groups and working committees focused on AI and digital transformation. Members could include audit committee members, the CIO or CISO of the company, independent directors and others, according to Niemann.
One electric utility board formed a technology committee to dive deeper into industry disruption and technological change, according to EY’s report. It helped the company view AI as not just a tool but as a “strategic differentiator for long-term competitive health.” Another financial services board initially created a small technology task force of three directors that met monthly with the CIO before later converting the group into a formal board committee.
To be sure, setting up another committee could tax people’s workloads and increase the burden of coordinating activities across committees. It could also be a challenge to terminate the group. One board got around this problem by making the committee temporary; it would dissolve after meeting its goals.
But boards are also discovering that AI oversight cannot be treated solely as a compliance exercise.
According to EY’s analysis, companies assigning AI oversight responsibilities to such non-audit committees often provide more detailed disclosures around responsible AI development, ethical oversight and AI governance practices.
Some boards are creating technology committees or AI-focused working groups specifically because traditional committee structures are struggling to absorb the expanding oversight burden.
EY’s report on technology governance noted that audit committees already face heavy workloads tied to cybersecurity, regulation, financial reporting and geopolitical risks. Adding AI oversight on top of those responsibilities risks overwhelming committees that are already stretched thin.
“The biggest challenge that I see with audit committees and boards is just, candidly, a limitation of time,” Niemann said. “Boards are not full-time roles.”
AI-savvy directors in demand
EY also found that many companies now disclose AI education and training efforts under board evaluation sections, noting that directors are participating in AI-focused deep dives and governance discussions.
While directors do not need to become engineers or AI developers, Niemann said, they do need enough fluency to challenge assumptions and perform meaningful oversight.
“Are you staying up to speed with current developments that are relevant to your company?” he asked. “Are you pursuing continuing education, to be as well versed as possible on AI trends and the use of AI?”
Boards are confronting emerging AI risks that differ from prior technology cycles. In a third report, EY warned that “unauthorized or informal AI use is a growing and under-recognized risk,” particularly as employees increasingly use generative AI tools that weren’t approved by the company. EY cited research showing 58% of workers admitted providing sensitive company data to large language models.
The report also highlighted growing concerns around accountability for agentic AI, where autonomous systems can make decisions or take actions without direct human involvement. “Clear ownership is becoming harder — but more critical — as AI systems grow more autonomous,” the report said.
Cybersecurity is becoming deeply intertwined with those discussions. EY’s report noted that generative AI is increasingly being used in phishing attacks, deepfakes and other malicious cyber activity.
As such, 86% of Fortune 100 companies seek director expertise in cybersecurity, up 62% from 2019, according to the report. Six out of 10 companies are performing cyber preparedness exercises, up from 3% in 2019. Also, 73% of companies use an external framework such as NIST’s Cybersecurity Framework (CSF) 2.0 to assess their cyber defense and response capabilities.
At the same time, boards themselves are beginning to experiment with AI tools for governance functions, including generating meeting summaries, doing research and creating documentation workflows. Niemann said boards must carefully balance efficiency gains against confidentiality and governance risks, as they juggle to adapt to all the changes AI has sparked.
Despite all the noise, the core mission hasn’t changed. “At the end of the day, it really is to provide governance and oversight and to a great extent help management teams manage risk,” he said.
Be First to Comment