Much of the conversation about AI and the board treats director liability as a question waiting for a new law. It is not. The duty is already here, and it has been for nearly thirty years. Its name is Caremark.

In 1996, the Delaware Court of Chancery held in In re Caremark that directors have a duty to make a good-faith effort to ensure the company has information and reporting systems adequate to surface the risks the board needs to oversee. The duty is not to guarantee good outcomes. It is to establish a system. A board does not breach it by being wrong; it breaches it by failing to try to know.

AI oversight is not a new legal theory. It is the duty of oversight applied to the newest mission-critical risk.

A duty that has sharpened

For years, Caremark claims were considered among the hardest in corporate law to win. That has changed. In Marchand v. Barnhill (2019), the Delaware Supreme Court allowed a claim to proceed against directors who had failed to establish any board-level system to monitor food safety, a risk that was central, or "mission-critical," to the company. The lesson was pointed: where a risk is essential to the business, the board must have a deliberate system to oversee it, and the absence of one is itself the breach.

Subsequent decisions, including those arising from the Boeing and McDonald's matters, continued in the same direction, examining whether boards and officers had established functioning systems to monitor and escalate the risks most central to their organizations. The thread running through all of them is consistent. Courts are asking not whether a bad thing happened, but whether the board built a system to see it coming.

Why AI is mission-critical

The open question for any board is which of its risks a court would now call mission-critical. For a growing number of organizations, AI is becoming exactly that. It is moving into credit decisions, clinical workflows, hiring, pricing, fraud detection, and customer-facing communication, the functions on which the business depends and through which it can do the most harm. As AI becomes embedded in what the organization is, the duty to oversee it stops being optional.

This is not a prediction that courts will invent new obligations for AI. It is the recognition that the existing obligation already reaches it. A board that cannot show a functioning system to identify, monitor, and escalate AI risk is in the position Marchand warned about, and it is in that position whether or not anything has yet gone wrong.

What satisfies the duty

The reassuring part is that the standard is one boards already understand. Caremark does not ask for perfection or for technical mastery of the models. It asks for a system: a program that defines what must be governed, assigns who is accountable, carries critical risks upward through defined channels, and produces evidence that it operates. That is precisely what AI oversight governance is. The duty is old. The application is new. The work is to build the system before a court asks to see it.