AI and Board Oversight: Quick Update for Core AI Projects

Over the past two years, there has been a steady increase in AI projects that sit squarely inside companies’ core business functions, which raises three board oversight issues: (1) identifying core AI projects, (2) designating specific management responsibility and (3) peer benchmarking.

Identifying Core AI Projects. Corporate boards should consider asking management to provide them with periodic briefings on any major AI project that involves a core business operation of the company, including projects that are anticipated to significantly impact revenue, core risk or legal compliance controls, or large-scale customer experiences.

Designating a Senior Owner. Many substantial enterprise AI projects involve multiple senior executives, but it is often unclear to the board who is responsible for overall risk management. For cybersecurity, some companies have solved this lack of clear ownership by having a Chief Information Security Officer (“CISO”) with a dotted reporting line directly to the Audit Committee. Accordingly, the board should consider asking management to designate one senior executive or committee who is responsible to the board for risk management and reporting for all core AI projects, perhaps allowing for a different person or committee to be designated, as appropriate, for certain key projects. As with cybersecurity, for AI, clear ownership of mission-critical risks, if any, reduces the chances of gaps and speeds up escalation and decision-making when issues arise.

Peer Benchmarking. As part of any reporting on core AI projects, boards should consider asking management to identify similar projects undertaken by other companies in the same industry and explain, if knowable, what risk-management controls those companies have adopted.

For more information, see the Debevoise Data Blog.

AI Can Draft Board Minutes – But Should It? Considerations for Public Companies

The proliferation of AI recording, transcription and summarization features within AI meeting tools has led many public companies to consider adopting AI meeting tools to assist with the drafting of board and committee meeting minutes. While AI meeting tools offer several practical benefits, evaluating the potential risks associated with the use of these features is crucial from a risk oversight, governance and controls perspective.

Below are certain important considerations that should be top-of-mind for public companies that are considering the use of these types of AI applications in board and committee meetings.

Confidentiality and Cybersecurity. Companies using AI meeting tools should confirm with the AI provider that: (i) company data will remain confidential and will not be used to train any AI model; (ii) humans at the AI provider will not have access to company data; (iii) the AI provider will not share company data with any other third parties absent specifically agreed extraordinary circumstances; and (iv) the AI provider has an effective cybersecurity program reasonably designed to protect company data.

Notice and Consents. Some jurisdictions, including certain U.S. states, require the consent of all parties to lawfully record meetings. Regardless of the jurisdiction, meeting participants should receive a notification that a transcription or summary is being generated and be afforded the opportunity to raise concerns. Certain AI meeting tools can create transcripts and summaries without generating any recording.

Accuracy. AI-generated meeting transcripts and summaries may contain inaccuracies and should not be considered final. Such materials should be reviewed and revised by the secretary of the board meeting (or the secretary’s delegate) prior to circulation and entry into the company’s official records. The secretary should adopt the materials as accurate, complete and fit for purpose.

Privileged and Confidential Information. Use of AI meeting tools may not be appropriate if a meeting involves privileged or highly confidential information, such as discussions about ongoing litigation, strategic initiatives, or sensitive regulatory compliance matters. To reduce the risk of a privilege waiver or loss of confidentiality, access to and dissemination of AI-generated materials that may contain privileged or highly confidential information should be limited to the meeting participants and others within the scope of the privilege or confidence.

Circulation and Retention. Companies should take care to understand where the AI-generated materials for board and committee meetings are stored and how they are circulated, as well as any automatic deletion schedule and preservation obligations. Consideration should be given to the risk/reward balance of creating, retaining and distributing large volumes of AI-generated recordings, transcripts, and summaries of board and committee meetings.

Litigation Holds. Companies should consider whether AI-generated materials may contain information that is subject to any litigation holds, and if so, how that information is preserved and reviewed for discovery.

Information Barriers. Many companies have controls in their information systems to restrict access to, and prevent the impermissible disclosure of, sensitive information. Companies should ensure that the use of AI meeting tools is consistent with existing information walls and permissions.

When considering the use of AI meeting tools in the boardroom, it is important to identify and acknowledge the potential risks associated with these applications and to establish policies, procedures, and effective controls to mitigate such risks. Doing so will allow companies to take advantage of the many benefits promised by AI, without exposure to undue risk.

For more information, see the Debevoise Debrief.

FCA Sets Out Final Rules for PISCES and Launches PISCES Sandbox

On June 10, 2025, the FCA published its Policy Statement finalizing the rules for PISCES, a new regulated trading platform designed to facilitate the secondary market trading of shares in private companies. Alongside this, the FCA launched the PISCES sandbox, a live testing environment enabling platforms to operate and refine their offerings ahead of the full regime rollout anticipated by 2030. Trading in the PISCES sandbox is expected to begin later in 2025. The initiative follows the FCA’s December 2024 Consultation Paper and statutory regulations published by HM Treasury in May 2025, which established the legal framework for PISCES and came into effect in June 2025.

PISCES is intended as a secondary market platform for trading existing shares in private companies during periodic, intermittent trading windows (“trading events”). It explicitly excludes primary capital raising through new share issuance and trading of other securities like debt or derivatives. Eligible shares include those of UK private limited companies, UK public limited companies not publicly traded, and certain foreign entities not listed on public markets. Participation is limited to specific investor categories collectively referred to as PISCES investors, generally professional investors, high net worth individuals or companies, sophisticated investors and employees of participating companies (or the trustee of an employee share plan).

Disclosure Arrangements

Under the final rules, PISCES operators (entities authorized to run a PISCES platform) must ensure companies provide a core set of disclosures before trading events. This includes an overview of the company’s business and management, audited financial statements for the last three years or since inception, details on capital structure and ownership, employee share schemes, directors’ trading intentions, major shareholdings, material risk factors, material contracts, any notable financial changes, price parameters for trading, information on previous trading events and a contact point for further inquiries. In response to comments received, the FCA removed some initially proposed disclosure requirements such as sustainability disclosures and forward-looking financial forecasts, but allows operators to require additional disclosures if they choose. Companies must update and correct disclosures promptly during trading events, and operators are responsible for ensuring disclosures are disseminated simultaneously and with sufficient notice.

Disclosure Oversight

PISCES operators must monitor compliance with disclosure requirements, investigate investor complaints, and take remedial action against breaches. While operators do not pre-approve or verify disclosure accuracy, they must notify the FCA if they suspect misleading information or manipulative trading. Operators also set platform rules regarding trading event operations, including notification of event timing, shares available, participant eligibility and pricing. Trading events may be “permissioned,” allowing companies to restrict participation based on objective and non-discriminatory criteria tied to legitimate commercial interests. Companies can set floor and ceiling prices for shares during trading events, subject to disclosure requirements on price-setting methods and third-party involvement.

Market Manipulation and Oversight

To maintain market integrity, operators must investigate complaints related to trading events, resolve disputes impartially and have authority to postpone, suspend or refuse trading if serious breaches occur. Unlike traditional regulated markets, the FCA did not impose insider dealing laws specific to PISCES, but requires operators to implement monitoring systems proportional to their platform size to detect and address manipulative trading. These arrangements will be evaluated throughout the sandbox period.

Trading Intermediary Requirements

PISCES trading follows an intermediated model where investors engage through brokers or financial intermediaries rather than directly with platform operators. Intermediaries are prohibited from offering any monetary or non-monetary incentives tied to investment volume, such as bonuses or fee rebates. They must include risk warnings in all communications, emphasizing the high-risk nature of investing in PISCES shares and the possibility of total loss. Personalized risk warnings and access to detailed risk summaries are mandatory before engaging individual investors. Intermediaries must verify that investments are appropriate, meaning the investor has sufficient knowledge and experience, and apply a 24-hour cooling-off period before allowing the first purchase order. Investors must also sign a restricted investor statement affirming that high-risk investments, including PISCES shares, do not exceed 10% of their net assets in the past year.

New legislation effective July 3, 2025, exempts transfers of PISCES shares from stamp duties when traded on PISCES platforms. This enables employers to amend existing employee share schemes (such as Enterprise Management Incentives and Company Share Option Plan) to incorporate PISCES trading events without losing tax advantages. HM Treasury plans to publish further guidance on these tax amendments by the end of July 2025.

The PISCES sandbox will operate until June 2030, allowing the FCA and market participants to test and refine the framework to balance innovation with appropriate regulatory oversight. While the final rules impose fewer mandatory disclosures than initially proposed, operators have flexibility to impose additional platform-specific requirements, including investor eligibility criteria. PISCES represents a significant innovation by offering private companies and investors an opportunity for liquidity in a regulated secondary market. However, the extent to which companies and investors will adopt this “private-plus” market remains uncertain as the market develops.

For more information on the Policy Statement, see the Debevoise in Depth. For more information on PISCES, see Debevoise Update – UK Government Publishes New Regulations on PISCES, Debevoise Update – FCA Publishes Update on PISCES, and Debevoise in Depth – FCA Publishes Consultation Paper on PISCES.

SEC Formally Withdraws 14 Rule Proposals

On June 12, 2025, the SEC formally withdrew 14 outstanding rule proposals issued between March 2022 and November 2023. Although most observers doubted that the current SEC would adopt these proposals, the SEC’s action confirms that any future rulemaking on these topics must start anew with a new proposal and a fresh opportunity for public comment. Notable rule proposals withdrawn include those related to the following areas:

• Substantial Implementation, Duplication, and Resubmission of Shareholder Proposals Under Exchange Act Rule 14a-8 (87 FR 45052) – withdrew the proposed Rule 14a-8 amendment that would have narrowed the circumstances under which registrants could rely on the “substantial implementation,” “duplication” and “resubmission” bases for excluding shareholder proposals. The substantial implementation exclusion allows registrants to omit proposals that have already been largely implemented, the duplication exclusion allows registrants to omit proposals that substantially duplicate another proposal submitted for the same meeting and the resubmission exclusion allows registrants to omit proposals that have been voted on previously and did not receive sufficient support.

• Conflicts of Interest Associated with the Use of Predictive Data Analytics by Broker-Dealers and Investment Advisers (88 FR 53960) – withdrew the proposed rules under the Securities Exchange Act of 1934 (“Exchange Act”) and the Investment Advisers Act of 1940 (“Advisers Act”) related to, among other things, certain interactions between broker-dealers or investment advisers and investors through these firms’ use of predictive data analytics.

• Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (88 FR 14672) – withdrew the proposed rules and forms and amendments to existing forms under the Advisers Act and the Investment Company Act of 1940 (“Investment Company Act”) to require registered investment advisers and investment companies to adopt and implement written cybersecurity policies and procedures reasonably designed to address cybersecurity risks, disclose information about cybersecurity risks and incidents, report information confidentially to the SEC about certain cybersecurity incidents,  and maintain related records.

• Enhanced Disclosures by Certain Investment Advisers and Investment Companies About Environmental, Social and Governance Investment Practices (87 FR 36654) – withdrew the proposed amendments to rules and forms under both the Advisers Act and the Investment Company Act to require, among other things, registered investment advisers, certain advisers that are exempt from registration, registered investment companies and business development companies, to provide additional information regarding their environmental, social and governance investment practices.

SEC Updates C&DIs Related to Legal Proceedings Disclosure

On June 20, 2025, the SEC’s Division of Corporation Finance updated its C&DIs on Regulation S-K, Section 104. Item 103 – Legal Proceedings.

This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.