Governing the Board’s Own Use of AI: Fiduciary Duties, Risks and Practical Safeguards
Key Takeaways
- Generative and, more recently, agentic AI has started to enter the boardroom as a working tool. Directors are beginning to use it to synthesize and interrogate board materials, while general counsel and corporate secretaries are evaluating its use for transcribing deliberations and preparing minutes (interest that has yet to translate into widespread adoption). Working literacy in AI use is becoming a component of effective board service.
- The duty of care asks directors to be reasonably informed when they make decisions, and the duty of oversight asks them to maintain an information and reporting system that surfaces material risks. AI can serve both duties but discharge neither, and both apply to the board’s own use of these tools. Under the duty of care, to be reasonably informed through AI, directors must be reasonably informed about it — reliance on its untested output is no substitute for the board’s independent judgment. Under the duty of oversight, AI tools that surface and frame the information and analysis on which directors rely become part of the board’s own information and reporting system, and they warrant the same discipline the board already demands of management’s systems (e.g., approved tools, defined controls and periodic review).
- AI tools implicate concrete risks: loss of confidentiality over highly sensitive board information; waiver of attorney-client privilege and work-product protection; a materially expanded, text-searchable record (e.g., verbatim transcripts alongside approved minutes, unverified content entering the corporate record and prompt histories); and a chilling effect on candid deliberation. Recent federal decisions indicate that materials processed through consumer-grade AI tools may forfeit privilege and work-product protection and that vendor-held data may, in certain circumstances, be preserved for third-party litigation notwithstanding users’ deletion settings.
- The risks are manageable. A board-specific AI-use policy (addressing approved and prohibited tools and uses; access controls; protocols for recordings, transcripts and drafts; human validation; and deletion schedules with an automatic legal-hold override, among other considerations), together with director AI fluency and appropriate D&O coverage, can capture the technology’s benefits while narrowing the exposure.
AI: From Board Oversight Topic to Working Tool
Generative and, more recently, agentic AI tools have started to enter the boardroom, supporting analysis, transcription and recordkeeping. Board-specific AI tools now draft minutes from meeting recordings, distill board books into focused briefings, and help directors sharpen questions for management or benchmark performance, among other uses. The efficiencies and heightened insights can be substantial. Yet the boardroom is where a company’s most sensitive information converges, and the same AI tools that deliver these gains can create meaningful risk without appropriate governance and safeguards, as further discussed below. Adoption remains early, with boards, general counsel and corporate secretaries alike only beginning to evaluate these tools for board use.
Fiduciary Duties Applied to the Board’s Own Use of AI
The traditional duties of care and oversight attach to the board’s own use of AI tools as they attach to all board conduct. Neither demands technological expertise of directors, only disciplined judgment, exercised now with a working literacy in the AI tools that inform it.
The duty of care asks directors to be reasonably informed when they make decisions. Applied to the board’s own use of AI, the duty of care cuts in two directions. Used well, AI can help directors discharge it more effectively. A director who can interrogate the record directly, benchmark performance and stress-test management’s assumptions is less dependent on how information is packaged and presented — a meaningful narrowing of the information gap that has historically defined the board’s position relative to management. But to be reasonably informed through AI, a director must be reasonably informed about it. A corollary to the duty of care is the reliance doctrine, under which directors may rely in good faith on corporate records and on the officers, employees and outside experts who inform their judgment. The doctrine presupposes accountability behind the source, however. Human sources, whether officers, employees or outside experts, can be vetted and questioned, and their own duties and professional exposure stand behind what they provide; corporate records are created and maintained within the company’s internal controls. An AI tool offers none of these assurances, and its raw output is not naturally a record of the corporation, sitting outside the controls and human accountability that make corporate records reliable. Accordingly, where AI output informs a board decision, directors should seek to understand the tool’s limitations, test the output, and weigh it as one input among several rather than as advice entitled to deference.
The duty of oversight asks directors to maintain an information and reporting system that surfaces material risks. This duty, too, applies reflexively to the board’s own use of AI. AI tools that surface and frame what directors rely on become part of the board’s own information and reporting system, and an ungoverned tool is a gap in that system. The board already knows what disciplined oversight looks like because it expects it of management. Meeting the duty here means applying the same expectations to itself: approved tools, defined controls and periodic review.
Governance has long meant supervising people, and the board’s use of AI extends it to supervising systems. The skills are familiar — framing the right questions, interrogating the output, calibrating reliance and governing the record — and boards have long exercised them with management, auditors and outside experts. While AI can sharpen the board’s analysis and quicken its tempo, the judgment that the board exercises must remain its own.
Risks: Confidentiality, Attorney-Client Privilege and Work Product, Record and Candor
The very capabilities that make AI tools valuable in the boardroom can also create meaningful risk. Directors may use these tools to synthesize large volumes of material and pose targeted questions, while general counsel and corporate secretaries may turn to them to transcribe deliberations and draft minutes. But summaries may be inaccurate, incomplete or fabricated, questions leave prompt histories, and information entered into consumer-grade tools may pass beyond the company’s control. The corporate record, meanwhile, absorbs AI-recorded deliberations and the drafts they yield.
- Confidentiality. Board materials are among the most sensitive information a company holds. Entering such materials into a public, consumer-grade tool may expose them to the vendor’s training processes, its personnel, a cyber breach of the vendor’s systems or discovery. Courts have already noted that users have no substantial privacy interest in what they submit to publicly accessible AI platforms. In recent copyright litigation, for example, a federal court ordered a major AI provider, over its objection that it was being forced to abandon privacy commitments to users, to preserve all chat logs that would otherwise have been deleted, including conversations users had deleted and “temporary” chats designed to disappear when the session ends. By the provider’s own account, deleted conversations and “temporary” chats persist on its systems for up to 30 days before removal, and deletion commitments remain subject to exceptions where retention is legally required. Notably, however, the court order excluded customers under enterprise agreements and zero-data-retention terms (i.e., arrangements under which the provider stores neither the customer’s prompts nor the model’s outputs). Board work should therefore remain within enterprise-grade tools governed by contractual confidentiality and data-use limitations, including commitments not to train on company data and to delete it on a defined schedule, as well as, where available, zero-data-retention configurations. Deletion schedules should be routine and calendar-driven rather than ad hoc (deletion timed to adverse developments may invite spoliation claims), on a cycle long enough to serve legitimate governance and business needs but regular enough that sensitive material does not linger on vendor systems and should suspend automatically whenever a legal hold attaches.
- Attorney–Client Privilege and Attorney Work Product. The attorney–client privilege protects from disclosure communications between a client and his or her attorney that are intended to be, and in fact were, kept confidential, made for the purpose of obtaining or providing legal advice. The attorney work-product doctrine protects from disclosure materials prepared in anticipation of litigation that memorialize an attorney’s mental impressions. Processing such communications and material through an AI tool can waive both protections. Two recent federal decisions (the first to address the question) illustrate both the risk and its fact-dependence. In one, the court held that documents a criminal defendant generated using a publicly available AI tool, of his own volition and without direction from counsel, were neither privileged nor protected work product, emphasizing that an AI tool is not an attorney and that the platform’s terms disclosed that user data could be shared with third parties. United States v. Heppner, No. 25-CR-503 (S.D.N.Y. Feb. 17, 2026). In the other, by contrast, the court held that a self-represented litigant’s AI queries and outputs were protected work product reflecting her own mental impressions and that disclosure to the tool did not waive the protection because it was not disclosure to an adversary. Warner v. Gilbarco, Inc., No. 2:24-cv-12333 (E.D. Mich. Feb. 10, 2026). The divergent outcomes reflect the distinct doctrines at issue: privilege generally is lost by disclosure to any third party, while work product is lost only by disclosure to an adversary. Pending further court guidance, the prudent course when using AI in connection with privileged material or attorney work product is to:
- use enterprise-grade AI tools with confidentiality protections and no training provisions;
- ensure any AI use is initiated and directed by counsel, with such direction documented to preserve the strongest possible argument for privilege protection;
- label AI-assisted drafts appropriately (e.g., “Privileged & Confidential — Attorney Work Product — Draft,” with a notation that the content is AI-assisted, preliminary and subject to revision);
- avoid commingling legal content with ordinary business analysis in prompts and outputs; and
- keep any privileged legal discussions out of AI transcription altogether.
- Expanded Record. AI tools reshape not only how a board works but also what it leaves behind. A board meeting may now yield audio recordings, a full transcript, multiple minute drafts and a log of prompts, each of which is text-searchable. The retention of a verbatim transcript (or AI-generated “super minutes” that capture the discussion in near full detail) alongside approved minutes presents particular risk — two divergent records of the same meeting invite the contention that the minutes may have been sanitized or that the operative deliberation resided in the fuller version. A more detailed record is not a more protective one, and the judgment reflected in approved, condensed minutes is precisely the human value-add. Accuracy concerns compound the problem, as AI tools may misattribute statements and fabricate content. AI-generated output should therefore always require human verification and approval. The record further extends beyond the meeting to chat histories and user logs: each prompt or query a director enters may be retained, subject to discovery and, where legal advice is implicated, may raise attorney–client privilege and work-product concerns. How long any of this material survives, and on whose systems, can be set contractually on enterprise AI tools.
- Deliberative Candor. Effective boards depend on the open, candid exchange of views. If directors assume that every word is transcribed, permanently logged and potentially read back to them in litigation, they may guard their statements and the quality of deliberation will suffer. Before adopting routine AI transcription, a board should candidly assess whether, in the context of its own personal dynamics and at this point in time, the efficiency justifies the cost. If it nonetheless proceeds, it should adopt strict protocols governing notice and consent, access controls and retention, including clear rules for pausing transcription during executive sessions and privileged discussions.
Recommended Practices
Adopt a board-specific AI-use policy.
Cover approved and prohibited AI tools (limiting board work to enterprise-grade, company-controlled platforms and barring personal accounts and consumer chatbots); rules for confidential and privileged material (what may be entered into which tools and on whose direction where legal advice is implicated); access controls (permissions tied to role, with executive-session materials walled off from management and executive directors); and protocols for recordings, transcripts, drafts and retention (who may record, how AI-generated drafts are labeled and reviewed, and how long each category of material is kept).
Diligence vendors and contract for safeguards.
Vet AI vendors’ security credentials, data practices and retention architecture before adoption, and embed safeguards contractually: confidentiality and data-use limitations; no-training commitments; defined deletion schedules; and, where available, zero-data-retention configurations, together with audit rights, breach-notification and output-ownership provisions.
Protect attorney–client privilege and attorney work product.
Use AI in connection with legal advice only at counsel’s direction, with that direction documented; label AI-assisted drafts (e.g., “Privileged & Confidential — Attorney Work Product — Draft,” noting the content is AI-assisted, preliminary and subject to revision); avoid commingling privileged content with ordinary business analysis; and keep privileged discussions outside AI transcription.
Govern the record.
Treat approved minutes as the only official record, with no verbatim transcripts or AI “super minutes” maintained alongside them; label AI-generated content as preliminary drafts subject to human review, and require that review before anything is circulated, stored or permitted to formally enter the corporate record; and apply calendar-driven retention with a legal-hold override when preservation is required.
Address consent and access.
Where a board elects AI recording or transcription, confirm compliance with recording-consent requirements (all-party consent in some jurisdictions) and provide notice before any meeting is recorded or transcribed. Restrict AI outputs to secure environments with permissions tied to role, and ensure select access for independent-director executive sessions.
Build AI literacy and confirm D&O coverage.
Develop the board’s AI literacy through structured education and confirm that D&O coverage and indemnification adequately cover AI-related claims.
Conclusion
Approached with discipline, AI tools should strengthen board governance rather than weaken it. Used well, they have the potential to narrow the information gap that has long defined the board’s position relative to management by letting directors probe the record and stress-test management’s assumptions and help them discharge their fiduciary duties more fully. Without proper safeguards, however, they can expose the company’s most sensitive information, endanger privilege and work-product protection, and convert candid deliberation into a searchable and legally exploitable record. The difference lies in governance.
Contacts
- Elena Hera

Elena Hera
Partner - Kaitlin Betancourt

Kaitlin Betancourt
PartnerCo-Chair AI - Deborah S. Birnbach

Deborah S. Birnbach
PartnerCo-Chair, Public M&A / Corporate Governance