Why Legal Sign-Off on AI Claims Doesn't Satisfy SEC Disclosure Control Requirements

Does legal sign-off on an AI claim satisfy your disclosure control obligation?

A claim doesn't need to be false to become a federal case. It just needs to be unverified.

The Situation

FactSet counted a record 331 S&P 500 companies, 68% of the index, referencing AI on Q4 2025 earnings calls. Each of those references now sits in the public record, which the SEC's Cyber and Emerging Technologies Unit (CETU) was created to examine. The standard CETU applies was set on January 14, 2025, when the SEC charged Presto Automation in the first AI washing enforcement action against a public company for making materially false statements about its AI product Presto Voice and, separately, for failing to maintain disclosure controls. The second charge required no proof that any specific AI statement was false, only that no process existed to verify the statements before they were published. Presto’s cease-and-desist order is now a public record of the SEC's approach and establishes its template for AI claims going forward.

The Exposure

72% of S&P 500 companies disclosed AI as a material risk in their 2025 10-K filings, up from 58% in 2024 and 12% in 2023, according to The Conference Board. That means the universe of companies with AI claims in their filed documents has grown sixfold in two years. Each disclosure and each earnings call statement about AI is now a claim sitting in the public record, and we now know CETU's questions will center on how your verification process works.

The Judgment Call

The general approach in compliance is to treat claims as a legal review issue and route every external statement through counsel, with their sign-off as the de facto control. That's a defensible approach when the question is primarily about the language used or concerns about potential over-reach, but it isn't when the question is about underlying accuracy, because lawyers reviewing an earnings script or press release almost never review the engineering logs, test results, or product roadmap that confirm or disprove it. The issue is that the SEC's order against Presto made two distinct charges: (1) that the company made false AI statements, and (2) that the company "had no established process for drafting, reviewing, or approving" the reports containing them, and that "no one at Presto was formally responsible for ensuring" the disclosures were accurate. That second charge is the one that defines the disclosure controls requirement: a named owner with a process-based evidence trail. If that doesn't exist in your firm, then even if the claims are supported you still have an exposure.

  • Risk: Asking product, engineering, and marketing teams to produce evidence for claims requires coordinating internally and centralizing documentation, which won’t be done reliably as an incremental responsibility by someone outside of governance.

  • Benefit: The documented evidence record enables more frequent and more confident external AI messaging with minimal regulatory exposure.

This Week’s Action

  • What to do: Pull all AI-related claims from your most recent investor memo, SEC filing, or website, and for each claim identify the specific person who can produce the supporting evidence.

  • Who to involve: Your CAE, who has the independence and governance, and the product or technology lead who owns the system the claim describes.

  • What outcome to achieve: A three-column list sorting each claim into evidence support buckets: current, stale, or unsupported.

  • Time required: 30 minutes per source to compile the claims list, 30 minutes for the CAE to collect responses from system owners, 30 minutes to review the consolidated results.

Artifact

Run this assessment against the list of claims, one claim at a time. Two or more "No" or "Unknown" answers on a single claim is the absence-of-control gap the SEC charged Presto Automation for.

Ownership
Is there a named individual (not a department) accountable for verifying this specific claim before it was published?
☐ YES   ☐ NO   ☐ UNKNOWN

Evidence
Can that individual produce a document, test result, or system log dated within the last 90 days that supports the claim as written?
☐ YES   ☐ NO   ☐ UNKNOWN

Recurrence
Is there a scheduled date to re-verify this claim?
☐ YES   ☐ NO   ☐ UNKNOWN

Independence
Did anyone outside the team making the claim review the supporting evidence before it was published?
☐ YES   ☐ NO   ☐ UNKNOWN

Retrievability
If a regulator or plaintiff requested the evidence for this claim tomorrow, could you produce it within 48 hours?
☐ YES   ☐ NO   ☐ UNKNOWN

If your General Counsel believes legal review is sufficient, review these gaps and the Presto case with them.

When the stakes exceed your internal capacity:

  • AI Exposure Diagnostic: A 2-hour strategic evaluation for risk, compliance, and legal leaders to identify your highest-priority governance gaps and deliver a 90-day remediation roadmap.

  • 12-Week Governance Sprint: Translate regulatory requirements into audit-ready policies, control frameworks, and accountability structures.

  • Ongoing Advisory Retainer: Embedded judgment for policy updates, vendor assessments, and board prep as regulations and technology evolve.

Reply with "Diagnostic" or "Sprint" to schedule a conversation for next month.

Chris Cook writes Judgment Call weekly for compliance and risk officers navigating AI governance.

Former IBM Vice President and Deputy Chief Auditor. Published in the AI Journal, speaker at Yale.

Chris Cook

Managing Partner & Founder

Blackbox Zero
