AI Incidents Surged Over 32% in 2024, NACD Guidance Urges Boards to Adapt Oversight Frameworks
What happened
The National Association of Corporate Directors (NACD) has published Tuning Corporate Governance for AI Adoption as part of its 2025 Governance Outlook series, targeting US-based corporate boards. The guidance presents a structured approach for directors to refine existing oversight mechanisms rather than build entirely new governance structures from scratch, emphasizing integration of AI considerations into established risk, audit, and reporting frameworks. Two key data points anchor the document: a 26% year-over-year increase in AI incidents from 2022 to 2023, followed by an acceleration to more than 32% growth in 2024. The NACD specifically directs boards to assess how AI deployment shifts company-wide risk profiles and to define clear escalation and reporting pathways between management and the board. The guidance also aligns with emerging ISO 42001 implementation practice, which similarly encourages integration of AI management into established organizational systems rather than siloed programs.
Why it matters
- Boards at US-listed companies face growing regulatory exposure as the SEC has signaled expectations around material risk disclosure, making the absence of structured board-level AI oversight a potential disclosure liability rather than merely a governance gap.
- The documented acceleration in AI incident rates, exceeding 32% growth in 2024, means operational risk profiles are shifting faster than most governance frameworks have been updated, creating tangible gaps in incident escalation, model monitoring, and third-party vendor oversight.
- Organizations without formally documented AI reporting lines and risk classification processes face organizational risk during shareholder engagement seasons and regulatory inquiries, particularly in sectors subject to California, Colorado, or federal financial and healthcare AI requirements.
What to do now
- ☐ Formally embed AI risk into the existing enterprise risk management cycle and document board reporting lines before the next governance review or shareholder engagement season.
- ☐ Produce a current-state inventory of all AI systems in production and map each system against the company's existing risk tolerance thresholds to support board-level reporting with specificity.
- ☐ Audit existing incident response and escalation procedures to confirm they explicitly cover AI-specific failure modes including model drift, data integrity failures, and third-party AI vendor incidents.
- ☐ Review board reporting on AI for organizations subject to SEC disclosure obligations or state-level transparency laws in California and Colorado to assess whether frequency and specificity meet emerging regulatory and investor expectations.
- ☐ Engage legal, risk, and technology teams jointly to evaluate whether current AI governance structures reflect the NACD and ISO 42001 principle of integration into established organizational systems rather than parallel or siloed programs.
What to watch next
Compliance teams should monitor whether the SEC issues further guidance or enforcement actions clarifying materiality thresholds for AI-related risk disclosures, as board-level accountability expectations are likely to sharpen in 2025. Ongoing rulemaking and enforcement patterns in California and Colorado regarding AI transparency obligations will also be relevant for organizations operating across multiple US jurisdictions. Teams should additionally track updates to ISO 42001 implementation guidance and any NACD follow-on publications that may provide more granular board reporting templates or incident classification frameworks.
