Material by Design: Translating the AI Life Cycle Core Principles into 10-K Risk and Oversight

According to The Autonomy Institute, roughly three in four S&P 500 companies expanded AI-risk language in their 2025 Form 10-Ks. Autonomy’s review of 503 filings found 380 (76%) issuers added or deepened AI risk factors, a clear shift from treating AI as routine technology to treating it, as it very well should be, as a board-level exposure. Independent academic work tracks the same curve: Maastricht University’s 2025 study shows AI-risk mentions in risk factors reached 43% of filers in 2024, a sevenfold jump since 2022. It is not possible to eliminate risk. What is possible is to mitigate it. And what this all boils down to is that alignment with the Governance AI life cycle core principle is critical.

Of the cited risk factors, cybersecurity tops the list. Autonomy’s review shows that one in three S&P 500 companies expanded their discussion of “malicious actors using AI,” acknowledging the bidirectional nature of the threat surface: AI can be compromised and it can be weaponized. The SEC’s own AI plan tells staff to build “adequate safeguards and oversight mechanisms” for generative AI and to address barriers across IT, data, and cybersecurity processes. That pairing explains why generic “we take security seriously” language rings hollow against adaptive AI threats. If anyone was holding out for another reason to implement the NIST AI RMF, the NIST CSF, and/or other similar frameworks, well, here is  a 100% defensible reason to wait no more.

Autonomy’s 10-K study also reveals that bias and fairness risks are no longer niche concerns. Mentions of AI bias doubled year-over-year in S&P 500 filings, from 70 to 146 companies. That growth reflects a practical litigation reality: automated decisions can easily scale exposure from isolated events to thousands of incidents before detection. Maastricht’s analysis shows legal and competitive risks lead the risk factor pack, with social and technical limitations gaining ground as organizations describe dataset quality, model drift, and explainability constraints. This, by the way, is yet another reason for implementing the AI Data Stewardship Framework.

When 76% of S&P 500 companies are expanding AI risk disclosures in their 10-K filings and regulatory bodies are establishing dedicated oversight mechanisms, the business case for implementing comprehensive Governance frameworks is self-evident. As the foundational principle of the AI Life Cycle Core Principles, Governance enables effective implementation of all other principles—from bias mitigation to cybersecurity controls. Organizations that align with these Core Principles and articulate their Governance frameworks clearly in 10-K disclosures position themselves advantageously for regulatory compliance, stakeholder confidence, and favorable cost of capital. Those that continue filing boilerplate risk language face escalating costs and diminished competitive positioning. The quality of AI Governance disclosure in 10-K filings will increasingly distinguish market leaders from market followers in the AI-driven economy.