In 2023, just 12% of S&P 500 companies disclosed AI as a material business risk in their annual filings. By 2025, that number had reached 83%.
From disclosure lag to disclosure surge
That sharp rise captures how quickly artificial intelligence has migrated from pilot projects to enterprise core processes. The Conference Board's Governance and Sustainability Center combined S&P 500 disclosure data with a survey of 130 senior executives to underpin its findings. Alongside the rise in risk disclosures, executives expressed simultaneous hope and concern: 80% expect AI to drive productivity gains, while 75% anticipate significant workforce disruption.
Andrew Jones, principal researcher at The Conference Board and the author of the report, framed the shift plainly: "In the space of a couple of years, we've moved from experimentation and early-stage thinking to really starting to see integration of AI into the business," and with that, he said, comes "growing recognition of the very real risks."
CIOs, CISOs and the redistribution of responsibilities
The report presents a changed operational map for technology leaders. Many organizations are moving from ad hoc deployments toward formal structures: 70% of companies now include AI in risk inventories or heat maps, 63% have established enterprise-wide AI principles, and 52% have created centralized AI councils to coordinate governance and cross-functional oversight.
Jones describes a notable role-shift. "The CIO isn't just helping the enterprise deploy AI," he said. "The CIO is increasingly helping the enterprise govern AI - which is a huge, significant shift." At the same time, cybersecurity concerns have surged. "When we talk to CISOs now, it feels like everything is just AI," Jones said. "The attack surface has evolved, and it's definitely keeping them awake at night."
The report underscores that the CISO and CIO must align tightly: the CISO should "own the whole piece around managing the attack surface, managing the defenses," while the CIO's remit "leans more toward enterprise AI visibility, data governance and risk tiering." Both roles, the report implies, are essential to avoid governance gaps.
Boards are interested — but not fluent
Despite expanded board attention to AI, the report finds limited AI-specific expertise at the director level. Only 23% of governance leaders say their boards have high AI fluency. AI-specific expertise among S&P 500 independent directors rose only from 1.5% to 2.7% between 2021 and 2025, even as broader technology expertise climbed from 20% to 51% over the same period.
That gap creates a new challenge for CIOs charged with board reporting. Jones lays out what boards need: "The board needs a clear line of sight into what's actually happening within the company. Where is AI being used? Which use cases carry the highest risk? What data are these systems touching? What controls exist? And if there is an incident, is it being captured and escalated?"
He also stressed that the objective is not to turn boards into engineering teams: "I don't think anyone expects the board to be a board of AI engineers and data scientists," he said, "But they need sufficient fluency to ask the right questions and know what a good answer looks like."
Data governance as the foundation
Executives in the report placed data governance at the center of AI risk management. Seventy-four percent cited data governance and controls as their top AI governance priority, followed by regulatory readiness at 47% and third-party risk management at 30%. Jones called this "the core, fundamental work - the solid foundation of clean, well-governed data with clear provenance and audit trails."
The report also records a practical turn: organizations are using AI tools to improve their own data foundations. Jones noted that companies have been "using AI to better clean their data, improve tagging and metadata, and create a stronger foundation for more sophisticated use cases." Yet he warned that perfect data remains elusive and that AI’s promise depends on getting the basics right.
How CIOs should build and sustain governance
Jones offers a clear sequence for building governance: start with a comprehensive inventory of AI use cases that includes internal tools, vendor products, APIs and employee-driven usages; evaluate that inventory and create risk tiers, flagging systems that touch sensitive data, affect employment decisions or interact with customers; link AI governance to existing cybersecurity governance; and build board reporting from that foundation with metrics on use cases, risk tiers, control ownership and incidents.
He emphasized that governance must be dynamic. "Some companies that had a good AI governance program six months ago don't necessarily have one today, because the technology and the landscape have evolved so quickly," Jones said. "It's not just about building governance. It's about being able to constantly evolve it."
The report makes a simple, practical case: AI is now embedded in enterprise operations, and governance must evolve at enterprise speed — grounded on data hygiene, shared ownership between CIOs and CISOs, and board reporting that gives directors a clear line of sight without asking them to become technicians. How firms translate those principles into durable processes will determine whether the recent surge in disclosure yields safer, more accountable adoption — or merely louder warnings on tomorrow's 10‑Ks.
