Let’s be direct about what the 10% figure really means. In any other risk category (fire safety, financial fraud, data breach), a one-in-ten chance of a landmark legal event before the end of next year would have every general counsel in the country demanding an emergency board session. In AI, most boards haven’t had a single substantive governance conversation.
The question of whether an AI system itself will face criminal charges is, in many respects, the wrong question. AI holds no legal personhood. It cannot be indicted, imprisoned, or fined. Courts, regulators, and prosecutors already know this. The more operationally urgent question, the one with real consequences for real people, is: when AI causes harm, who does the system come after instead?
The answer, increasingly evidenced by litigation and regulatory enforcement, is the humans who deployed it, approved its use, or failed to govern it. That is where this gets uncomfortable for leaders.
“AI changes how decisions get made — but it doesn’t change who’s ultimately accountable. Running decisions through a machine doesn’t shield the company or its officers from responsibility.”
The accountability gap is already being litigated
This is no longer speculative. The case record from 2024–2025 reveals a consistent pattern: regulators and plaintiffs are looking straight through the algorithm to the humans and organizations behind it.
The legal architecture of personal liability
Boards and executives sometimes assume that corporate structure insulates them from the consequences of AI failures. This assumption is increasingly wrong, for reasons deeply embedded in existing governance law, not just emerging AI regulation.
In the US, the Caremark doctrine (Delaware, 1996) established that directors have an obligation to ensure adequate information and reporting systems exist. A board that consciously fails to monitor those systems faces personal liability. Courts are now applying this framework directly to AI oversight, not as a future risk, but as a present duty. A board that cannot describe what autonomous decisions its AI systems are making, who is accountable for those decisions at board level, and what evidence exists of legal compliance has, by this standard, already failed.
In the UK, the Companies Act section 174 duty of care evolves as corporate governance standards change. The Financial Reporting Council, the ICO, the FCA, and the extraterritorial reach of the EU AI Act are collectively defining the standard for AI governance. Directors who are not tracking that evolution are already operating below it.
The EU AI Act is the most structurally significant development for multinational organizations. Fines reach €35 million or 7% of global turnover for serious violations. More importantly, the Act requires providers of high-risk AI systems to ensure that the humans assigned oversight responsibility have the necessary competence, training, authority, and support. Where they don’t, where oversight is nominal rather than real, liability attaches personally.

The insurance floor is disappearing
For three decades, D&O insurance has been the safety net that made corporate directorship commercially viable. Boards structured their governance around its existence. That floor is now developing serious gaps, specifically around AI.
Major underwriters including AIG, Hamilton Insurance Group, and WR Berkley have filed for regulatory approval to limit liability for claims arising from AI systems, including automated decision-making tools. An October 2025 industry analysis captured the emerging consensus: AI risk is “not actuarially mature,” potential loss scenarios are “open-ended,” and the industry is “unwilling to absorb unbounded exposure.” Specific exclusions now enumerate inadequate AI governance, chatbot communications, and regulatory actions related to AI oversight as uninsured categories.
A director who assumed their AI governance exposure was covered by existing D&O policy may be facing personal, uninsured liability. This is not a theoretical concern; it is the emerging insurance market reality of 2026.
“Two-thirds of board directors report limited or no knowledge of AI. Fewer than one in four companies have a board-approved AI governance policy. This is not a knowledge gap. It is an uninsured exposure gap, and it is widening every quarter.”
The governance data is damning
The Deloitte Global Boardroom Program surveyed 695 board members and C-suite executives across 56 countries in early 2025. Nearly one-third of respondents said AI is not on their board agenda at all. A separate Diligent Institute survey found that 60% of legal, compliance, and audit leaders now cite technology as their top risk concern, yet only 29% of organizations have comprehensive AI governance plans in place.
The gap between deployment velocity and governance readiness is where liability accumulates. Organizations are running AI across customer decisions, credit assessments, hiring, healthcare, and operational processes, often with no board-level accountability assigned, no monitoring framework in place, and no documented evidence that anyone with authority has asked the right questions.
MIT Sloan’s 2025 research on 300 companies found that organizations with board-level AI governance frameworks achieve 55% higher ROI on AI investments than those without. Governance isn’t just liability protection; it is, demonstrably, a performance driver. The leaders who treat it as bureaucratic overhead are leaving money on the table while accumulating unquantified risk.
What defensible governance actually looks like
Effective AI governance oversight does not require directors to understand machine learning. It requires the same governance disciplines applied to financial risk, cybersecurity, or regulatory compliance: documented frameworks, assigned accountability, monitored compliance, and escalated incident reporting. The questions are not technical; they are structural.

The leadership question is not technical. It is about exposure.
Polymarket’s 10% probability for AI facing criminal charges before 2027 is not the number that should concern you most. The number that matters is the pace at which AI-related securities class actions are doubling year-on-year, the rising proportion of D&O claims with AI at their center, and the accelerating withdrawal of insurance coverage for exactly the governance failures most boards are currently committing.
AI is not a technology risk that lives in the IT department. It is a legal liability that lives on your balance sheet, in your governance documents (or conspicuously absent from them), and in the personal exposure of every director and officer who approved its deployment without a defensible oversight framework behind them.
The organizations that will navigate this environment are not the ones that move fastest on AI adoption. They are the ones that move deliberately, with governance architecture that can withstand scrutiny from a regulator, a plaintiff’s counsel, or an underwriter who is looking for reasons to deny coverage.
The machines don’t go to prison. The question is whether you’ve given anyone reason to come for you instead.


