Board Oversight of AI and Cybersecurity Risk: What Caremark and McDonald's Mean for GCs
After McDonald's and Marchand, Delaware boards face personal liability for failing to oversee AI and cybersecurity risk. Here's how GCs should structure board-level reporting to satisfy Caremark and SEC obligations.
The Oversight Duty Arrives at the Boardroom Door
For decades, Delaware's duty of oversight—known as the Caremark standard—was considered the most difficult theory in corporate law on which a plaintiff might hope to win. That changed in 2019, when the Delaware Supreme Court revived a Caremark claim in Marchand v. Barnhill, and it shifted further in 2023, when the Court of Chancery held in In re McDonald's Corp. Stockholder Derivative Litigation that corporate officers—not just directors—owe a duty of oversight. The McDonald's derivative litigation settled in 2024, closing a chapter that had already opened a new one: boards and officers now face personal liability for failing to oversee mission-critical risks, and the next frontier is AI and cybersecurity.
For general counsel, the implications are immediate. The SEC's 2023 cybersecurity disclosure rules require annual reporting on board oversight of cybersecurity risk. The SEC's Investor Advisory Committee has recommended AI-specific disclosure guidelines. And as we've written before about 10-K AI disclosures, the gap between what boards approve and what boards actually oversee is where derivative claims are born.
Caremark and Marchand: The Oversight Framework
The duty of oversight traces to In re Caremark International Inc. Derivative Litigation (Del. Ch. 1996), which established that directors must make a good faith effort to implement reporting and information systems, and then monitor those systems. A breach requires showing that directors "utterly failed" to implement any system or "consciously failed" to monitor one—standards that sound in bad faith, not mere negligence. As the KLGates firm noted in its October 2024 analysis of recent Caremark developments, the pleading standard remains high, but Delaware courts have sustained Caremark claims at the pleading stage with increasing frequency, exposing directors and officers to a higher potential for liability.
The watershed moment came in Marchand v. Barnhill, 212 A.3d 485 (Del. 2019). The Delaware Supreme Court reversed the Court of Chancery's dismissal of a Caremark claim against the board of Blue Bell Creameries, which had suffered a deadly listeria outbreak. The court emphasized that oversight duty applies with particular force to "mission-critical" risks—those that are central to the company's business or regulatory compliance. Blue Bell's board had no system to monitor food safety, its single most critical operational risk. The message was clear: when a risk is mission-critical, the absence of a board-level reporting system is itself a breach of the duty of loyalty. We've explored this principle in the AI context in our earlier piece on the Marchand test for AI governance.
Caremark claims proceed under two prongs. Prong one addresses a board's failure to implement any reporting or information system—a complete absence of oversight infrastructure. Prong two addresses a board's failure to monitor an existing system, disabling it from being informed of risks requiring attention. Both require a showing of bad faith, meaning the fiduciary consciously disregarded a known duty. The Delaware Supreme Court confirmed in Lebanon County Employees' Retirement Fund v. Collis, 314 A.3d 709 (Del. 2023), that prong two claims can survive when plaintiffs identify specific red flags the board ignored—over seventy examples of subpoenas, settlements, and regulatory actions sufficed in that case.
The McDonald's Litigation: Extending Oversight to Officers
The McDonald's derivative litigation produced two rulings that reshaped the oversight landscape. In January 2023, Vice Chancellor J. Travis Laster denied a motion to dismiss by McDonald's former Global Chief People Officer, holding for the first time that corporate officers owe a duty of oversight comparable to that of directors. The officer's duty has two components: (1) making a good faith effort to establish an information system sufficient to manage the officer's area of responsibility, and (2) addressing or reporting upward problematic issues—red flags—within or adjacent to that domain.
The McDonald's case itself involved sexual harassment oversight, not cybersecurity. But the legal principle is domain-agnostic: if oversight duty attaches to any mission-critical risk, then cybersecurity and AI risks—which for many companies are now existential—fall squarely within its scope. The derivative litigation settled in 2024, but the January 2023 ruling had already established the framework that makes officer-level oversight failures actionable under Delaware law.
The director claims in McDonald's were dismissed, and that outcome is instructive. The board had adopted corrective measures—new anti-harassment policies, outside advisors, revised training, ended mandatory arbitration. The court held that quibbling with the timing or success of corrective action is "incompatible with bad faith." The lesson for GCs: boards that can document responsive action to red flags are far more likely to survive Caremark claims. Boards that cannot are exposed.
AI as the New Oversight Frontier
AI creates operational risks that are novel in kind and scale. Three categories demand board-level attention:
Hallucination and Output Liability
When AI systems generate false, defamatory, or commercially harmful outputs, the company deploying them may face tort claims, regulatory action, or breach-of-contract disputes. If a customer-facing AI chatbot provides negligent financial advice, if an AI hiring tool produces discriminatory outcomes, or if a generative system fabricates citations in a regulatory filing, the company is on the hook. Boards that approve AI deployments without understanding output risk are approving a mission-critical risk without an oversight system—the precise scenario Marchand condemns.
Training Data Exposure and IP Risk
AI models trained on proprietary data, customer data, or third-party copyrighted material create exposure for IP infringement, trade secret misappropriation, and privacy violations. We've addressed the training-data copyright landscape in our coverage of why chief AI officers face personal liability for oversight failures. When a board approves an AI initiative without understanding what data flows into the model and whether licenses cover that use, it is ignoring a red flag that fiduciary duty requires it to see.
Automated Decision-Making and Bias
AI systems that make or inform decisions about hiring, lending, healthcare, or housing are subject to a growing patchwork of state and federal anti-discrimination laws. The FTC has warned that automated decision tools can violate the FTC Act if they produce biased outcomes. Under Marchand, if a company's business model depends on automated decision-making, the board must have a system to monitor for discriminatory outputs—and must act when red flags appear.
How GCs Should Structure Board-Level AI Risk Reporting
The SEC's 2023 cybersecurity disclosure rules require public companies to describe in their annual reports "the board's oversight of risks from cybersecurity threats" and "how the board or board committee is informed about such risks." As Skadden noted in its analysis of emerging board expectations for cybersecurity oversight, these disclosures necessitate robust board oversight, documented regular briefings, and clear assignment of responsibility within the board.
For AI risk, no equivalent SEC rule yet exists—but the SEC's Investor Advisory Committee approved recommendations in December 2025 urging the Commission to issue AI-specific disclosure guidelines. The trajectory is clear: AI risk disclosure is coming, and boards that wait will be playing catch-up under legal pressure.
Here is the reporting architecture GCs should build now:
1. Establish a Board-Level AI Risk Register
The first prong of Caremark requires a reporting system. For AI, that means a living document—maintained by legal and updated quarterly—that catalogs every AI system in use, its risk tier, its data sources, its known vulnerabilities, and its compliance status. The register should be presented to the board or a designated committee at least quarterly. If your company has no such register, a plaintiff can argue the board "utterly failed" to implement an information system for a mission-critical risk.
2. Define a Regular Reporting Cadence
The SEC cybersecurity rules expect boards to receive regular briefings from management. Apply the same standard to AI. At minimum, the board (or its audit, risk, or technology committee) should receive:
- Quarterly AI risk dashboard: new deployments, incident reports, vendor risk assessments, regulatory developments.
- Annual AI governance review: full inventory of AI systems, third-party audits, bias testing results, training data lineage.
- Ad hoc incident reports: any AI-related security incident, regulatory inquiry, or material output failure—reported within days, not months.
3. Document Board Deliberation and Response
The McDonald's directors survived because they could point to specific corrective actions. The Walgreens board in Clem v. Skinner survived because it enacted a monitoring system and responded to red flags within months. Documentation is the defense. Board minutes should record not just that AI risk was discussed, but what red flags were raised, what questions directors asked, and what actions the board took. Generic minute entries—"the board received a report on technology risks"—will not suffice when a plaintiff is alleging conscious disregard.
4. Assign Clear Ownership for AI Risk
The SEC cybersecurity rules require disclosure of which board committee oversees cyber risk. AI risk should receive the same treatment. Whether it sits with the audit committee, a technology committee, or the full board, the assignment should be formal, documented, and communicated to management. When no one owns AI risk at the board level, no one is monitoring it—and that is the textbook Caremark prong one failure.
What Happens When Boards Fail
The consequences of oversight failure are no longer theoretical. The SEC's October 2023 enforcement action against SolarWinds and its CISO—the first time the SEC charged a CISO with fraud—demonstrated that regulators will pursue individuals, not just companies, for cybersecurity failures. The SEC alleged that SolarWinds made materially misleading statements about its cybersecurity practices and failed to disclose known vulnerabilities. Two shareholder derivative actions followed, and the company agreed to a $26 million securities class action settlement.
In the AI context, the trajectory is similar. If a company suffers a material AI incident—a biased hiring algorithm that triggers an EEOC investigation, a generative AI system that exposes customer data, or an AI-washing claim that inflates revenue projections—and the board cannot demonstrate that it maintained an oversight system, plaintiffs will plead Caremark. If the risk was mission-critical and the board had no reporting system, Marchand makes the claim viable at the pleading stage. If an officer consciously ignored red flags, the McDonald's framework makes the officer personally liable.
The D&O insurance market has already responded. Premiums and retentions are rising for companies with inadequate cyber and AI governance, and some carriers are excluding AI-related claims entirely. Boards that fail to oversee AI risk face not just derivative litigation but potential personal exposure that their insurance may not cover.
If your board is approving AI initiatives without a governance framework, your directors and officers are exposed. We help GCs build board-level AI risk reporting systems that satisfy Caremark, Marchand, and SEC disclosure obligations.
Key Implications for Practice
Caremark is no longer a toothless standard. Marchand revived it, Collis sustained it, and McDonald's extended it to officers. The doctrine now reaches any mission-critical risk—including AI and cybersecurity—where a board fails to implement or monitor a reporting system.
SEC rules create a disclosure hook for oversight failures. The 2023 cybersecurity rules require annual disclosures about board oversight of cyber risk. AI disclosure guidelines are coming. Inadequate disclosures create securities fraud exposure on top of derivative liability.
Documentation is the most effective defense. Boards that can show regular AI risk briefings, documented responses to red flags, and clear committee assignments will survive Caremark claims. Boards that cannot will face personal liability.
GCs are the architects of the oversight system. The duty of oversight belongs to directors and officers, but the reporting infrastructure that satisfies it is built by the legal department. If your company is deploying AI without a board-level risk register, quarterly reporting cadence, and documented deliberation, the clock is running. The next derivative complaint may not name cybersecurity or sexual harassment as its subject. It may name your AI system.