Most big US companies now flag AI use in their public risk disclosures
A new report from The Conference Board and ESGAUGE finds that 72 percent of S&P 500 companies now flag AI as a material risk in their public disclosures. That’s up from just 12 percent in 2023, underscoring how rapidly AI has moved from experimental pilots to business-critical system.
Reputational risk tops the list, cited by 38 percent of companies. Firms warn that failed AI projects, missteps in consumer-facing tools, or breakdowns in service could quickly erode brand trust. Cybersecurity risks follow, disclosed by 20 percent of firms.
Unlike reputational or cybersecurity risks, which can manifest quickly, legal risk is framed as a longer-tail governance challenge that can lead to protracted litigation, regulatory penalties, and reputational harm.
“We’re seeing a clear theme emerging across disclosures: Companies are worried about AI’s impact on reputation, security, and compliance. The task for business leaders is to integrate AI into governance with the same rigor as finance and operations, while communicating clearly to maintain stakeholder confidence,” says Andrew Jones, author of the report and principal researcher at The Conference Board.
Finance, healthcare and industrial sectors have seen the biggest rise in disclosures. From 2023 to 2025, the number of companies disclosing AI-related risks jumped in financials (from 14 to 63 companies), healthcare (from five to 47), and industrials (from eight to 48). Why these sectors? Financial and health care companies face regulatory and reputational risks tied to sensitive data and fairness, while industrials are scaling automation and robotics.
Intellectual property, privacy, and adoption risks are now surfacing too. 24 companies highlight risks spanning copyright disputes, trade-secret theft, and contested use of third-party data for model training. 13 companies warn of sensitive exposure under the General Data Protection Regulation, Health Insurance Portability and Accountability Act, and California privacy laws (CCPA/CPRA). Technology adoption is cited by eight companies, pointing to risks in execution such as high costs of new platforms, uncertain scalability, and the possibility of under-delivering on promised returns.
The full report is available from The Conference Board site.
Image credit: Julia Nielsen/Dreamstime.com