
Caremark and AI Oversight: A Reference for Directors

How the Delaware duty-of-oversight doctrine — from Caremark through Marchand, Clovis, Boeing, and McDonald's — applies to AI deployment, and the documentation directors should expect to see.

Quick answer

Delaware's duty-of-oversight doctrine — Caremark, refined by Marchand, Clovis, Boeing, and McDonald's — requires directors to implement reporting systems for mission-critical risks and monitor them in good faith. For organizations of meaningful AI deployment, AI governance now falls within that doctrine. Documentation is the defense; the absence of it is the exposure.

Summary

The director duty of oversight under Delaware corporate law — first articulated in In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996), and meaningfully expanded by the Delaware Supreme Court's 2019 decision in Marchand v. Barnhill, 212 A.3d 805 — requires directors of Delaware corporations to implement reporting systems for mission-critical operational risks and to monitor those systems in good faith. The doctrine has been refined through a series of post-Marchand decisions, most consequentially In re Clovis Oncology Derivative Litigation, In re Boeing Co. Derivative Litigation, and In re McDonald's Corporation Stockholder Derivative Litigation. The trajectory has been to extend the conditions under which a Caremark claim survives a motion to dismiss and, in McDonald's, to extend the duty itself to corporate officers.

Most asked

Does the Caremark doctrine require an annual AI audit?

No. The doctrine requires reporting systems and good-faith monitoring. An annual external audit may be part of the architecture but is not, on its own, required by the doctrine.

Is a single board-level discussion of AI enough?

A single discussion, without an ongoing reporting cadence, is unlikely to satisfy the prong-one inquiry for an organization of meaningful AI deployment. The doctrine looks for an architecture, not an episode.

What is the role of the audit committee versus a dedicated technology committee?

The doctrine is agnostic between committee structures. What matters is that the assignment is clear, the cadence is regular, and the documentation is sufficient. Many organizations assign AI oversight to the audit committee initially and revisit the structure as the AI footprint matures.

The Caremark framework.

The foundational decision is In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996). Chancellor Allen articulated that directors have a fiduciary obligation to attempt in good faith to ensure that an information and reporting system exists to enable the board to satisfy its responsibility for the corporation's compliance with law and business performance. The Delaware Supreme Court adopted this framework in Stone v. Ritter, 911 A.2d 362 (Del. 2006), locating the duty of oversight within the non-exculpable duty of loyalty and articulating two possible paths to oversight liability:

Prong one — the "information systems" claim. Directors are liable if they utterly failed to implement any reporting or information system or controls to monitor mission-critical risks.

Prong two — the "red flags" claim. Directors are liable if, having implemented such systems, they consciously failed to monitor or oversee the system's operations — thereby disabling themselves from being informed of risks or problems requiring their attention.

Both prongs require a showing of bad faith. Caremark claims have historically been described as among the most difficult corporate claims to plead. The bar remains high. What has changed since 2019 is the Delaware courts' willingness to find that the bar has been cleared.

The mission-critical refinement.

Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), is the decision that revitalized Caremark. Blue Bell Creameries, an ice cream manufacturer, experienced a listeria outbreak that resulted in customer deaths and substantial losses to the corporation. Shareholders alleged that the Blue Bell board had failed to implement a reporting system for food safety. The Court of Chancery dismissed; the Delaware Supreme Court reversed.

The Supreme Court's analysis turned on the centrality of food safety to a food manufacturer. The court held that where a regulatory or operational risk is "mission-critical" to the company's business, the board's oversight function must be "more rigorously exercised." The absence of a board-level reporting system specifically directed at the mission-critical risk supported a reasonable inference of bad faith.

Marchand did not lower the bad-faith standard. It identified the conditions under which a plaintiff's pleading can support a reasonable inference of bad faith — namely, that the board failed to address through any specific reporting system a risk demonstrably central to the corporation's business. The opinion expanded the doctrine's reach by identifying mission-criticality as a feature that triggers heightened oversight expectations.

In re Clovis Oncology, Inc. Derivative Litigation, C.A. No. 2017-0222-JRS (Del. Ch. Oct. 1, 2019), applied the Marchand framework. Clovis was a pharmaceutical company whose lead product was tested in a clinical trial under specific FDA-approved protocols. Shareholders alleged the board failed to monitor whether the trial was being conducted in compliance with those protocols. The Court of Chancery, applying Marchand, denied the motion to dismiss. The clinical trial protocol was, in Clovis, mission-critical. The board's failure to specifically monitor it supported the inference of bad faith oversight.

In re Boeing Co. Derivative Litigation, 2021 WL 4059934 (Del. Ch. Sept. 7, 2021), applied the framework to airplane safety after the two 737 MAX crashes. The Court of Chancery denied the motion to dismiss the Caremark claim against the Boeing directors, finding that airplane safety was plainly mission-critical to an aircraft manufacturer and that the board's reporting structure had been inadequate to that risk. The matter subsequently settled — at the time, among the largest derivative-litigation settlements in Delaware history. The settlement made concrete what the doctrine had been signaling: documented board-level oversight of mission-critical risks is no longer a best practice. It is the conduct by which the duty of loyalty is satisfied.

Extension to officers.

In re McDonald's Corporation Stockholder Derivative Litigation, 289 A.3d 343 (Del. Ch. 2023), extended the duty of oversight to corporate officers. The case arose from allegations of workplace misconduct by McDonald's senior leadership. The Court of Chancery held — in a decision of first impression — that officers, like directors, owe a duty of oversight within their respective areas of responsibility. The standard remains good-faith oversight; the principle now extends beyond the boardroom.

The implication for governance practice is that the documented reporting cadence directors expect from management is part of management's fiduciary obligation, not only the board's. The CIO with responsibility for AI deployment, the Chief Risk Officer with responsibility for model risk, and the General Counsel with responsibility for AI compliance each owe an oversight duty within their domains.

The cybersecurity precedents.

Two recent matters provide useful guidance on the limits of the doctrine in technology-adjacent contexts. Construction Industry Laborers Pension Fund v. Bingle addressed the SolarWinds cybersecurity breach; Firemen's Retirement System of St. Louis v. Sorenson addressed the Marriott data breach. In both cases, the Court of Chancery granted the defendants' motions to dismiss. The boards' cybersecurity oversight, though imperfect, was held adequate against the Caremark standard.

These decisions are instructive. They do not stand for the proposition that cybersecurity is not mission-critical. They stand for the proposition that some board-level reporting on cybersecurity, even where the reporting proved insufficient to prevent the incident, satisfies the prong-one inquiry. The plaintiff who alleges a prong-two red-flags theory must point to specific red flags the board ignored, not to the fact of the incident itself.

For AI oversight, the cybersecurity precedents counsel that some documented board attention to AI governance is materially better than none, and that the documentation should be sufficient to demonstrate the board has implemented reporting systems and is monitoring them.

Why AI qualifies as mission-critical.

The doctrinal question is whether AI governance, for a given corporation, falls within the universe of mission-critical risks the doctrine reaches. The answer is fact-specific. The framework asks whether the risk is central to the corporation's business and whether a reasonable board would understand that failures in this area would have material consequences.

For many organizations of meaningful AI deployment, AI governance meets that test. The reasoning runs along several axes.

Centrality to operations.

Where AI systems materially influence revenue generation, customer experience, employment decisions, credit decisions, healthcare decisions, or content moderation, AI is no longer adjacent to the business. It is the business.

Regulatory exposure.

The regulatory perimeter around AI has expanded substantially. The EU AI Act's high-risk system obligations take effect August 2, 2026 (subject to possible deferral under the Digital Omnibus). Illinois HB 3773 took effect January 1, 2026. New York City Local Law 144, the Colorado AI Act, and California's ADMT regulations are operative. Federal sectoral regimes — EEOC guidance, financial services model-risk regulation, FDA guidance on AI as a medical device — are active. The regulatory profile of AI parallels the profile of cybersecurity in many respects.

Catastrophic potential.

Certain AI deployments carry catastrophic-potential exposure — model-driven decisions in safety-critical contexts, content moderation at scale, autonomous decision-making in regulated industries. Academic commentary at the Harvard Edmond & Lily Safra Center for Ethics has argued that AI applications with the potential for outsized impact may meet the mission-critical standard for that reason alone.

Litigation profile.

Securities class actions citing AI-related disclosure inadequacies are increasing. Derivative actions citing AI oversight failures are likely to follow. The documented oversight record is the directors' defense.

For directors of organizations whose AI deployment is material to revenue, regulatory exposure, or downside risk, the prudent posture treats AI governance as within the mission-critical universe. The cost of that treatment is documentation. The cost of the alternative is litigation exposure that the doctrine has, over twenty-five years, made increasingly viable.

What documentation looks like.

The Caremark inquiry is fundamentally an inquiry into the record. What is the board doing, what is the board seeing, and what is being reported to the board? An oversight architecture that satisfies the prong-one inquiry typically includes several elements.

A defined committee assignment.

AI oversight is assigned to a specific committee — typically audit, risk, or a dedicated technology committee — with the assignment reflected in the committee's charter.

A reporting cadence.

Management reports to the assigned committee on a regular cadence (quarterly is common) on the AI inventory, the regulatory landscape, material incidents, and the state of internal controls.

Documented committee discussion.

The committee's minutes reflect substantive engagement with the reports — questions raised, follow-ups requested, escalations to the full board where appropriate.

Defined escalation pathways.

Material AI incidents, regulatory inquiries, and significant changes in the AI footprint have defined escalation pathways from management to the committee to the full board.

Documented training.

The committee and, where appropriate, the full board receive periodic education on the regulatory landscape and on the AI systems the company deploys. The training is documented.

An external view.

The board, on a defined cadence, takes an external view of the AI oversight architecture — either through an independent advisor, a peer review, or a third-party assessment. The external view is documented.

None of these elements, on its own, satisfies the duty. The duty is satisfied by the architecture as a whole, demonstrating that the board has implemented a reporting system and is monitoring it in good faith.

Practical implications.

The doctrinal trajectory carries several practical implications for directors.

Documentation is the defense.

The board that can produce minutes, committee charters, management reports, and external assessments has the defense. The board that cannot does not.

Underwriters will ask.

D&O carriers are asking AI governance questions at renewal. The documentation that satisfies the Caremark inquiry is, in most cases, the documentation that satisfies the underwriter inquiry. The same record serves both purposes.

The standard is not perfection.

Caremark does not require directors to prevent every incident. It requires directors to implement reporting systems and to monitor them in good faith. The Marriott and SolarWinds dismissals are instructive on the floor.

Officer-level oversight matters.

Post-McDonald's, the oversight expectations on officers — the CIO, the CRO, the GC — are part of the architecture. Officer-level documentation is part of the board-level defense.

The litigation profile is evolving.

Securities class actions and derivative actions citing AI disclosure and oversight failures are increasing. The litigation profile will, in the firm's view, continue to expand. Documentation built in advance of incidents is the documentation the board will rely on if and when incidents occur.


This article was last reviewed on May 20, 2026. The Delaware duty-of-oversight doctrine continues to evolve through Court of Chancery and Supreme Court decisions; the article will be updated as the case law develops. Directors who want a board-ready synthesis should request the AI Governance & D&O Liability briefing. Directors who want a structured working session with the board or committee should see Board & Committee Briefings. Directors who want ongoing oversight support should see Standing AI Compliance Advisor. For the broader practice frame, see BoardSight AI. For the AI-securities-class-actions tracker, see AI Securities Class Actions Tracker. For the D&O underwriting questions companion piece, see D&O Underwriting Questions for AI Governance.

Frequently asked questions

Does the doctrine apply to private companies?

The Delaware doctrine governs Delaware corporations regardless of whether they are publicly traded. The litigation profile differs substantially — derivative actions are less common at private companies — but the duty of oversight applies.

How does the doctrine interact with the EU AI Act and other regulatory regimes?

The doctrine and the regulatory regimes are complementary. Compliance with the EU AI Act, HB 3773, or other applicable regimes is part of what the board is overseeing. The regulatory regimes prescribe substantive obligations; the doctrine governs the board's oversight of those obligations.

How to cite this article

APA

Abdullahi, K. M. (2026, May 20). Caremark and AI Oversight: A Reference for Directors. Techné AI. https://techne.ai/insights/caremark-and-ai-oversight

MLA

Abdullahi, Khullani M. "Caremark and AI Oversight: A Reference for Directors." Techné AI, May 20, 2026, https://techne.ai/insights/caremark-and-ai-oversight.

Plain text

Abdullahi, Khullani M. "Caremark and AI Oversight: A Reference for Directors." Techné AI, May 20, 2026. Available at: https://techne.ai/insights/caremark-and-ai-oversight

About the author

Khullani M. Abdullahi, JD, is an AI governance and compliance consultant and the founder of Techné AI, an independent advisory firm based in Chicago. She submitted written testimony to the Illinois Senate Executive Subcommittee on AI and Social Media; the substance of one of her recommendations was incorporated into an AI-risk impact study bill. She authored the AI Governance & D&O Liability briefing now in active circulation among practitioners and underwriters, maintains the Illinois AI Legislative Ecosystem tracker, and hosts the AI in Chicago podcast. Techné AI is an advisory firm, not a law firm.