Analysis

AI is everywhere these days—and that means so is AI risk. Among S&P 500 companies, 72% mentioned AI as a material risk on their Form 10-Ks this year, the Conference Board found, up from 58% last year and 12% in 2023. The shift is reflective of how AI use within business has matured from the experimental to the widespread, the organization wrote in a report. (The Conference Board’s report defines “AI” broadly, including not only LLMs but also robotics, automation, machine learning, and other types of AI.) The companies most likely to disclose AI risk were those in “frontline adopter” industries, such as the finance, healthcare, industrial, IT, and consumer discretionary sectors. S&P companies were most concerned about the reputational risks of AI, the Conference Board reported; 38% of them disclosed potential reputational threats from AI on their 10-Ks. Forty-five companies mentioned “implementation and adoption” risks, such as overpromising on AI projects or AI not meeting expectations, while 42 stated that consumer-facing AI was a risk. Other reputational risks companies mentioned included privacy and data risks, hallucinations, competitive threats, and issues with bias and fairness. One in five S&P companies mentioned AI-related threats to cybersecurity as a risk on annual filings. While 40 companies simply stated that cybersecurity in general was a risk, 18 called out third party or vendor risks, and 17 said data breaches were a risk. Companies also foresaw potential compliance risks from AI. Forty-one listed “evolving regulation and uncertainty” as a risk area, and some specifically referred to the EU AI Act, which has steep penalties for noncompliance. This report was originally published by CFO Brew. A significant 72% of S&P 500 companies now disclose AI as a material risk in their 10-K filings, a substantial increase from 12% in 2023, according to The Conference Board. This surge indicates AI's transition from experimental to widespread integration across businesses, with 'frontline adopter' industries like finance, healthcare, and IT showing the highest levels of concern. The Conference Board's broad definition of AI includes LLMs, robotics, and machine learning, underscoring the comprehensive nature of these reported risks. Reputational risk is the primary concern, cited by 38% of companies, encompassing issues such as privacy, data risks, hallucinations, and competitive threats. Additionally, 45 companies highlighted 'implementation and adoption' risks, including overpromising AI capabilities, while 42 expressed concerns about consumer-facing AI. One in five S&P companies also mentioned AI-related cybersecurity threats, specifically third-party risks and data breaches. Furthermore, 41 companies identified compliance risks stemming from 'evolving regulation and uncertainty,' with some explicitly referencing the EU AI Act and its potential steep penalties. This widespread disclosure reflects a growing recognition of the complex legal, ethical, and operational challenges associated with AI adoption, aligning with a 'strongly negative' sentiment and 'cautious' tone surrounding current AI developments.