AI governance failures are becoming a D&O liability risk

From regulatory scrutiny to valuation risk, weak oversight of AI is increasingly landing at board level

By Bryony Garlick

AI governance is no longer a theoretical boardroom issue. As regulators move from guidance to enforcement, weak oversight of artificial intelligence is fast becoming a live directors’ and officers’ liability risk, with implications for valuation, disclosure and investor trust.

That shift is underlined by recent regulatory action against X over its Grok AI chatbot. French authorities have raided offices linked to the platform, while UK regulators have opened fresh lines of inquiry into its data use and content controls. While the investigations focus on technology and compliance, the exposure they create is increasingly landing at board level.

Jimmy Heaton, head of international D&O and financial institutions at Rokstone Underwriting, said AI governance should already be viewed squarely through a D&O lens.

“AI governance is always a directors and officers risk hazard, as is governance of anything, full stop,” he said. “Even if you have an exclusion for a certain kind of activity, D&O policies, by their nature, are picking up the governance risk, the management risk.”

Crucially, Heaton warned that exposure can arise both from action and inaction.

“You’re always exposed to it, whether directors think they’re doing a great job or they’re putting their head in the sand and ignoring AI completely,” he said. “Losing competitive advantage and seeing the business devalued as a result is still a D&O hazard stemming from AI.”

Intangible value, fragile valuations

The governance challenge is magnified by how heavily modern company valuations now depend on intangible assets, particularly data, intellectual property and reputation.

Heaton pointed to the changing make-up of the S&P 500, with around 90% of asset value estimated to be intangible as of 2020.

“If that’s reputational or R&D-driven, and there’s an issue with the reputation or a flaw in the research, that value can be erased overnight,” he said.

He also highlighted how the valuation of Twitter during Elon Musk’s takeover hinged on questions over the platform’s user base, specifically whether non-human or spam accounts were more prevalent than disclosed. The episode illustrated how governance failures can rapidly translate into financial and legal risk.

Investment intensity raises governance pressure

Heaton said the sheer scale of investment flowing into AI is itself creating D&O exposure.

“If you look at the six largest S&P 500 companies at the time – names you’d expect: Apple, Microsoft, Amazon, Alphabet and Meta – all of them are publicly pushing AI as hard as a company can,” he said.

Much of that investment is funnelled through suppliers such as Nvidia, which has benefited from being the dominant provider of AI chips.

Boards are therefore exposed not just through how AI is governed operationally, but through how capital is allocated and justified to investors, particularly where long-term infrastructure, energy and environmental pressures are involved.

AI-washing and the Builder.ai collapse

The D&O risk becomes sharper where companies overstate their AI capabilities to drive valuations, a practice often referred to as AI-washing.

Heaton pointed to the collapse of Builder.ai, which promoted itself as an AI-driven platform allowing customers to build apps without coding expertise. The company raised around $445m in venture capital between 2018 and 2023 and reached a reported $1.5bn valuation before becoming insolvent in 2025.

“The valuation was based on the AI capabilities, the potential in it,” Heaton said. “What actually happened was it turned out this AI didn’t exist.”

Instead, customer requests were routed to human developers behind the scenes, limiting scalability and ultimately undermining the business model.

“As much as AI is going to build valuations, it also adds requirements,” he said. “As the world starts to regulate more and more in this area, that regulatory burden is only going to increase.”

Regulatory fragmentation adds pressure

Heaton also warned that fragmented global regulation is compounding the risk for directors.

“The US is regulating and monitoring AI and the reporting requirements in an entirely different way to the EU. The UK obviously has the option to do its own thing again,” he said.

For globally operating firms, managing and communicating compliance across jurisdictions will be critical.

“How companies manage that and communicate that they’ve complied is going to be critical to either stopping D&O claims, or causing them,” Heaton said.

Underwriting caution grows

Despite AI risk being widely discussed across financial and technology markets, Heaton said it has yet to be fully absorbed across insurance underwriting.

“It’s not to say this is only a D&O risk, it’s a huge risk for most insurance classes and most businesses in general,” he said.

From an underwriting perspective, he said caution is already increasing, particularly for early-stage companies and funds positioning themselves as AI-focused.

“I’m being more cautious if a company is new and raising investment and is either saying it’s an investment fund looking to invest in AI, or a new company that is AI-based and trying to raise capital,” Heaton said.

Even as commentators openly question whether AI valuations have reached bubble territory, the market has yet to correct.

“It’s openly acknowledged as a bubble, yet it doesn’t seem to have burst, which is odd,” Heaton added.

For D&O insurers and brokers, the warning signs are becoming harder to ignore. AI governance is no longer a future risk to monitor, but a present-day boardroom exposure with genuine claims potential.
