
Cyber and AI oversight disclosures: what companies shared in 2025


Public disclosures reveal how leading boards are overseeing AI and cybersecurity.


In brief

  • Companies are expanding disclosures on artificial intelligence (AI) and cybersecurity governance as technology’s role in business evolves.
  • AI oversight disclosures have increased significantly, more than doubling in many areas.
  • Through enhanced disclosures, companies have an opportunity to better communicate the rigor of their technology governance approach.

In today’s fast-changing and high-stakes digital environment, boards are elevating their oversight approach. Voluntary disclosures around AI and cyber are not just more common — they’re also more robust, doubling in scope across several critical areas.

Companies are putting the spotlight on their technology governance, signaling an increasing emphasis on cyber and AI oversight to stakeholders.

 

In the past year, according to company disclosures, the increased sophistication of cyber threats has prompted companies to enhance their cybersecurity defenses, while adversaries have also advanced their attack methods. Ransomware attacks rose by over a third, and generative AI (GenAI) — rather than traditional AI — is emerging as a key feature of both the threats, often in the form of deepfakes, and the company response.

 

Deepfakes are just one example of threat actors using GenAI for malicious purposes and are now the second most common type of cybersecurity incident, behind malware.¹ However, some argue that today’s biggest risk is the loss of sensitive company information when employees use unapproved AI services.²

 

One recent survey of full-time employees across industries and regions in the United States found that 78% of employees report using AI tools in the office and 58% admit to providing sensitive company information to large language models.³ At the same time, organizations are increasingly using GenAI as part of their toolkit to respond to cyber risks.⁴ Board oversight of these areas is critical to identifying and mitigating risks that may pose a significant threat to the company.

This article explores how technology oversight disclosures and related governance practices are evolving to meet the challenges of this moment. We aim to help boards and management teams understand the disclosure landscape and the underlying governance practices it reflects and identify opportunities to strengthen and better communicate the rigor of their governance approach in an area of stakeholder focus.

2025 AI oversight disclosure trends: Four key findings

Fortune 100 company AI disclosures


| Topic | Disclosure | 2025 | 2024 |
|---|---|---|---|
| Risk oversight approach | Disclosed a focus on AI in the risk oversight section of the proxy statement | 48% | 16% |
| Board-level committee oversight | Disclosed that at least one board-level committee was charged with oversight of AI matters* | 40% | 11% |
| | Disclosed AI oversight by the audit committee | 21% | 8% |
| | Disclosed AI oversight by a non-audit committee | 25% | 8% |
| Director skills and expertise | AI disclosed as an area of expertise sought on the board or cited in at least one director biography | 44% | 26% |
| | AI disclosed as an area of expertise sought on the board | 15% | 8% |
| | AI cited in at least one director biography | 35% | 23% |
| | Board-level education and training efforts on AI | 11% | 8% |
| Management reporting structure | Provided insights into management reporting to the board and/or committee(s) overseeing AI matters | 16% | 6% |
| | Identified at least one management role providing AI insights to the board (e.g., the CISO or CTO) | 8% | 4% |
| | Included language on frequency of management reporting to the board or committee(s) | 9% | 5% |

| Topic | Disclosure | 2025 | 2024 |
|---|---|---|---|
| Risk factors | Included AI as a stand-alone risk factor | 36% | 14% |
| | Included AI as a risk factor | 89% | 69% |

| Topic | Disclosure | 2025 | 2024 |
|---|---|---|---|
| Responsible use | Disclosed the use of AI frameworks, principles or guidelines | 25% | 11% |
| Shareholder engagement | Included AI under shareholder engagement topics | 21% | 11% |
| Compensation | Included AI in executive compensation considerations | 31% | 25% |
| Education and training | Disclosed use of education and training efforts on AI matters | 13% | 5% |

Percentages are based on total disclosures by companies. Data is based on the 80 companies on the 2025 Fortune 100 list that filed Form 10-Ks and proxy statements for this year through July 31, 2025.

*Some companies delegate AI oversight matters to more than one board-level committee.


2025 cybersecurity oversight disclosure trends: Four key findings

Fortune 100 company cybersecurity disclosures


| Topic | 2025 | 2023 | 2021 | 2019 |
|---|---|---|---|---|
| Disclosed that at least one board-level committee was charged with oversight of cybersecurity matters* | 96% | 92% | 87% | 81% |
| Disclosed that the audit committee oversees cybersecurity matters | 78% | 77% | 68% | 62% |
| Disclosed oversight by a non-audit-focused committee (e.g., risk, technology) | 35% | 30% | 28% | 24% |
| Disclosed oversight by a risk committee | 13% | 13% | 10% | 9% |
| Disclosed oversight by a technology committee | 11% | 10% | 9% | 9% |
| Disclosed oversight by another committee (e.g., compliance) | 13% | 9% | 9% | 8% |

| Topic | 2025 | 2023 | 2021 | 2019 |
|---|---|---|---|---|
| Cybersecurity disclosed as an area of expertise sought on the board or cited in at least one director biography | 86% | 78% | 70% | 53% |
| Cybersecurity disclosed as an area of expertise sought on the board | 73% | 62% | 43% | 27% |
| Cybersecurity cited in at least one director biography | 74% | 66% | 59% | 46% |

| Topic | 2025 | 2023 | 2021 | 2019 |
|---|---|---|---|---|
| Provided insights into management reporting to the board and/or committee(s) overseeing cybersecurity matters | 100% | 84% | 66% | 57% |
| Identified at least one management role providing cybersecurity insights to the board (e.g., the CISO or CIO) | 89% | 56% | 32% | 27% |
| Chief Information Security Officer (CISO) | 78% | 41% | 22% | 16% |
| Chief Information Officer (CIO) | 24% | 20% | 11% | 13% |
| Chief Technology Officer (CTO) | 15% | 5% | 1% | 0% |
| Included language about frequency of management reporting to the board or committee | 99% | 77% | 56% | 44% |
| Disclosed reporting frequency of at least annually or quarterly; remaining companies used terms like “regularly” or “periodically” | 60% | 49% | 34% | 18% |

| Topic | 2025 | 2023 | 2021 | 2019 |
|---|---|---|---|---|
| Disclosed alignment with external framework or standard** | 73% | 30% | 11% | 4% |
| National Institute of Standards and Technology (NIST) | 64% | 22% | 9% | 3% |
| International Organization for Standardization (ISO) | 23% | 6% | 3% | 0% |
| Other** | 15% | 9% | 3% | 0% |
| Referenced response readiness, such as planning, disaster recovery or business continuity considerations | 99% | 77% | 68% | 59% |
| Stated that preparedness efforts include simulations, tabletop exercises or response readiness tests | 58% | 13% | 5% | 3% |
| Stated that the company maintains a level of cybersecurity insurance | 31% | 27% | 16% | 11% |
| Included cybersecurity in executive compensation considerations | 10% | 10% | 9% | 1% |

| Topic | 2025 | 2023 | 2021 | 2019 |
|---|---|---|---|---|
| Disclosed use of education and training efforts to mitigate cybersecurity risk | 86% | 56% | 37% | 25% |

| Topic | 2025 | 2023 | 2021 | 2019 |
|---|---|---|---|---|
| Disclosed collaborating with peers, industry groups or policymakers | 40% | 16% | 11% | 11% |

| Topic | 2025 | 2023 | 2021 | 2019 |
|---|---|---|---|---|
| Disclosed use of an external independent advisor | 99% | 43% | 23% | 14% |

Percentages are based on total disclosures by companies. Data is based on the 80 companies on the 2025 Fortune 100 list that filed Form 10-Ks and proxy statements for this year through July 31, 2025.

*Some companies delegate cybersecurity oversight to more than one board-level committee.

** Some companies disclose they seek to align to more than one external framework or standard. Such frameworks or standards cover different scopes and may not cover all aspects of the enterprise; some include external certification or attestation. Other frameworks or standards include Payment Card Industry Data Security Standards, Health Information Trust Alliance, System and Organization Controls 1 and 2, and more.







Summary

Boards are increasingly prioritizing transparency and strengthening AI and cybersecurity governance disclosures. Nearly half of Fortune 100 companies highlight AI in board risk oversight, with increasing details on governance, director expertise, and committee responsibilities. AI is also more frequently cited as a distinct risk factor in regulatory disclosures. When it comes to cybersecurity oversight, most Fortune 100 companies assign that oversight to the audit committee, align with external frameworks, conduct preparedness exercises, and seek cyber expertise in the boardroom.


Robyn Bew + 2