In just two years, the conversation around AI risk has shifted dramatically. What once felt like speculative boardroom chatter is now firmly anchored in corporate disclosures. The latest study from The Conference Board shows that in 2025, nearly 72 percent of S&P 500 companies now name at least one material AI risk, up sharply from just 12 percent in 2023.
This leap in transparency signals something deeper: boards and executives are growing uneasy about how AI can ripple across reputation, security, and regulation.
Reputation risk tops the list
Across sectors, companies now openly warn that a single AI misstep can undermine customer trust or draw intense scrutiny. In fact, 38 percent of firms flagged reputational risks in 2025 filings. Many disclosures speak of implementation failures, hallucinations, or data misuse as threats that transcend internal error and go straight to how stakeholders perceive the firm.
Cybersecurity in the AI era
The same intelligence that powers innovation also upgrades threats. AI expands attack surfaces, speeds adversary automation, and makes vendor ecosystems more perilous. Twenty percent of S&P 500 firms cite AI-driven cybersecurity risk in their 2025 annual reports. Companies warn of breaches, ransomware, and third-party vendor risk as attack vectors intensified by generative tools.
Regulation: the ever moving target
Perhaps the trickiest frontier is regulation. Firms repeatedly point to fragmented global rules, shifting jurisdictional demands, and legal ambiguity, especially as the EU’s AI Act comes online and U.S. agencies adapt existing laws to AI. Some disclosures cautiously predict enforcement, fines, or litigation. That means companies must now engineer governance that can flex across borders, adapt to new rules, and document oversight.
Looking ahead, companies are already hinting at what’s next. Watermarking, bias audits, independent attestations, and post-deployment monitoring are emerging in disclosures. Agentic autonomous AI systems, still rarely mentioned, loom as a future stress point for boards.
For leaders, the mandate is clear: do not relegate AI to technical teams alone. Treat it as a core governance discipline. Embed it in risk frameworks, demand clear metrics, and frame transparency as trust capital.
