AI Incidents Up 32% in 2024, NACD Urges Boards to Strengthen Oversight Structures
What happened
The National Association of Corporate Directors (NACD) has published its 2025 Governance Outlook, a guidance document directed at corporate boards across the United States calling for strengthened AI oversight structures in response to a measurable rise in AI-related incidents. Drawing on data from the AI Incident Database, the NACD reports that AI incidents increased 26% between 2022 and 2023, followed by a further increase exceeding 32% in 2024. The guidance identifies hallucinations, bias, and data privacy failures as the primary risk categories driving this trend. In response, the NACD calls on boards to implement updated governance frameworks and reporting structures that provide directors with meaningful visibility into AI risk. Although the document is non-binding, NACD guidance carries significant weight among directors and institutional investors who use it as a benchmark for evaluating governance adequacy.
Why it matters
- ·Regulatory exposure: Although non-binding, NACD guidance is used by institutional investors and regulators as a benchmark for governance adequacy, meaning organizations that lack board-level AI oversight documentation may face heightened scrutiny during regulatory inquiries or investor reviews.
- ·Operational impact: The identification of hallucinations, bias, and data privacy failures as primary risk areas signals that organizations must operationalize monitoring and mitigation controls for these specific categories, not treat AI risk as a single undifferentiated concern.
- ·Organizational risk: The shift of AI oversight from an operational concern to a board-level accountability expectation means compliance and risk teams must establish clear escalation pathways to senior leadership, creating structural and resourcing obligations that many organizations have not yet addressed.
Governance controls affected
What to do now
- ☐Audit current board reporting materials to determine whether AI risk is explicitly surfaced and whether named accountability owners are identified for each primary risk category.
- ☐Establish or update a responsible AI policy that addresses the three risk areas named by the NACD: hallucinations, bias, and data privacy failures, with defined escalation pathways to the board.
- ☐Map existing AI governance controls to board-level visibility requirements and identify gaps where incident data, bias assessments, or privacy failures are not currently reported upward.
- ☐Prepare documentation demonstrating board engagement on AI risk that can be produced in response to regulatory inquiry, investor scrutiny, or an AI-related incident.
- ☐Review and strengthen the AI incident response playbook to ensure it includes escalation procedures that reach board level for incidents meeting defined severity thresholds.
What to watch next
Compliance teams should monitor whether the Securities and Exchange Commission or state-level regulators in the United States begin referencing NACD guidance as an informal standard when evaluating board-level AI governance adequacy in disclosure reviews or enforcement actions. The continued rise in AI incident volumes tracked by the AI Incident Database suggests that incident-driven regulatory and investor pressure on boards is likely to intensify through 2025, making the maturity of escalation and reporting structures an increasingly visible governance metric. Teams should also watch for follow-on NACD publications or peer governance body guidance that may further specify director competency expectations or required reporting cadences for AI risk.