In 2017, almost no public company disclosed cyber risk in their 10-K with any structure. By 2024, every public company had to.

That transition took six years and went through a series of high-profile breaches, a multi-year SEC rulemaking process, and a wholesale reframing of how boards talk about technology risk. AI is now in the position cyber was in around 2015 — visible enough to be a board concern, regulated enough abroad to create disclosure obligations, but unstructured enough in U.S. filings that any individual company can plausibly describe its AI risk in whatever language it wants.

That window is closing.

The Promise

The promise is that organizations have a chance to get ahead of this one. The cyber disclosure transition was painful in part because most organizations did not see it coming until the SEC rule was in active proposal. The AI disclosure transition is happening in slow motion right now, in front of everyone.

There are three signals visible in 2026. SEC enforcement actions on AI representations are establishing that AI claims are subject to securities fraud analysis. The four-day cyber incident disclosure clock is being tested on AI-related events, with companies starting to file 8-Ks for AI failures under the cyber framework. And the EU AI Act is generating disclosure obligations that flow into the 10-Ks of any U.S.-listed company with European deployment. Each of these would individually be enough to drive disclosure regime change. Together, they make it inevitable.

The companies that build AI risk disclosure capability now — inventory, framework alignment, board oversight cadence, audit trail — will absorb the eventual rule with minimal incremental cost. The organizations that already aligned their cyber disclosures to NIST CSF in 2024 are good models for what this looks like.

The Risk

The risk is the one that hit cyber disclosure hard in the first cycle: minimum-viable filings.

When the cyber rule landed in 2024, a meaningful fraction of public-company filings produced what amounted to compliance theater — language that satisfied the rule’s literal requirements without describing a substantive program. Some of those companies will pay for that gap when their first cyber incident under the new regime tests whether their disclosed program actually exists.

AI is going to repeat this pattern unless something changes. Organizations that file thin AI risk disclosures, satisfy the eventual SEC requirement on paper, and have not done the underlying inventory or governance work will be the ones whose next AI incident produces a discoverable gap between filing and reality.

There is a second risk that is specific to AI. Cyber disclosure converged on NIST CSF as the dominant framework. AI disclosure does not yet have a clear convergence point. NIST AI RMF is the leading candidate. ISO 42001 is the closest international parallel. The EU AI Act categorizes risk differently than either. Organizations that bet on the wrong framework will end up redocumenting in the SEC’s preferred direction once it converges. The cost of being early on framework choice is small. The cost of being early on the wrong framework is significant.

The Verdict

The Promise & Risk needle leans Promise — strongly — for organizations that act in the next 18 months. There is a clear precedent (the cyber disclosure transition), a clear set of leading frameworks (NIST AI RMF, ISO 42001), and a clear gap between what organizations are filing today and what they will be required to file by 2028.

For organizations that wait, the verdict is the same as it was for cyber: the rule arrives, the filing happens under deadline pressure, the gap between filed program and actual program produces the next round of expensive lessons.

After 25 years in cybersecurity disclosure, the pattern is unmistakable. The work that gets done before the rule is materially cheaper than the work that gets done under it.

For the longer analysis → I wrote a deep piece combining a 2017 analysis of cyber risk in 10-K filings with what the 2023 SEC cyber rule actually changed and a forecast for AI-specific 10-K disclosure within 18-24 months.

Read Cyber Risk in the SEC 10-K Era — and What's Coming for AI