With the news that over 70% of S&P 500 companies provide some sort of AI-related risk factors in their SEC disclosures, it’s a good time to review the type of risk factors that you might want to consider – of course, tailoring the decision to include a particular risk factor and what is drafted about it to your own circumstances.
If you’re using AI in key business operations (product development, customer service, analytics), don’t forget to explicitly link the risks of that usage back to your business model and financial condition. And if your company uses external AI tools, you need to consider vendor risk, contractual safeguards, and oversight in your risk management framework.
And in some cases, it’s not enough to list risks. You may want to consider discussing how the company is managing or mitigating AI risks to add transparency and enhance disclosure quality.
Here are the most common AI “risk factor” categories:
- Cybersecurity / Data Privacy / IT Risk
– Example: “The integration of AI models and large data sets heightens our exposure to cybersecurity attacks, data breaches or misuse of data.”
– Why it matters: AI systems often rely on large volumes of data, complex models, and computer infrastructure. More entry points = more risk.
– Key issues: data integrity, unauthorized access, adversarial attacks on models, regulatory obligations around data. - Regulatory / Legal / Compliance Risk
– Example: “Emerging regulatory frameworks for AI (domestic and global) may impose additional compliance burdens or expose us to liability if our AI-driven products/services fail to comply.”
– Why it matters: AI is evolving fast but laws and regulations are catching up. A company may face material risk if its AI practices are non-compliant or the law changes.
– Key issues: privacy laws, algorithmic bias/discrimination, financial regulation, governance of AI models. - Operational / Implementation Risk
– Example: “Our ability to integrate AI into our operations, product development or internal processes may not succeed, which could result in delays, increased costs or failures.”
– Why it matters: Even if the technology is promising, execution matters. Consider poor data quality, misspecification of models, lack of skilled personnel.
– Key issues: model training/validation failure, scalability, alignment with business processes, cost overruns. - Competitive / Innovation Risk
– Example: “If our competitors are able to deploy AI technologies more effectively or faster, we may lose competitive advantage or market share.”
– Why it matters: AI can be a differentiator. Falling behind may have material consequences.
– Key issues: speed of change, disruptive entrants, cost of staying current, loss of customer sentiment. - Ethical / Reputation Risk
– Example: “If our AI systems produce biased or unfair outcomes (or are perceived to do so), our reputation could be harmed, or we may face litigation or regulatory scrutiny.”
– Why it matters: Even without a direct legal consequence, the reputational hit – and the associated business impact – can be significant.
– Key issues: bias/discrimination, transparency, public perception of AI misuse, social responsibility. - Third?Party / Vendor Risk
– Example: “We rely on third-party vendors/suppliers for AI components, and if they fail or the vendor’s model is flawed, this may have adverse effects.”
– Why it matters: Many companies don’t build their entire AI stack in-house. They rely on external models, services, data. That raises additional layers of risk.
– Key issues: vendor management, outsourcing of key AI functions, dependency risk, data sharing with vendors. - Technical Limitations / Model Risk
– Example: “AI systems may not perform as expected, may produce inaccurate or inappropriate outputs, or may fail when new/unanticipated conditions arise.”
– Why it matters: Even the best algorithms have limits. Unexpected inputs, drift, lack of interpretability can lead to undesired or harmful outcomes.
– Key issues: model bias, overfitting, “black box” governance, validation and monitoring of AI performance.
Authored by
Broc Romanek