The Call That Already Happened

It's a Saturday morning. The director's phone rings at 8:14 a.m. It's the General Counsel.

"The complaint just hit. Shareholder derivative. The allegation is that we failed in our duty of oversight on how the company was deploying AI."

The director thinks for a moment. "Wait. We approved the AI strategy. Q3 of last year. The full board signed off."

"Yes," the GC says. "We approved it. That's not the problem. The real issue is that we never set up a reporting system to monitor it."

That pause is the most expensive moment in AI governance right now.

Approval Is Not Oversight

That distinction is what now separates boards that are protected from boards that are personally exposed. Not the company. The board.

Adobe just made it a case study.

On April 24, the SEIU Pension Plan Master Trust filed a shareholder derivative lawsuit naming Adobe's CEO Shantanu Narayen, CFO Daniel Durn, and the rest of the board. The allegation is that directors and officers adopted an unlawful AI strategy by using copyrighted material, including content from a dataset called Books3 that had already been pulled for infringement, to train Adobe's small language model, SlimLM. The complaint's most damaging phrase, which appears in the filing itself, is that Adobe allegedly followed an "ask forgiveness not approval" approach to training data.

It's worth pausing on what makes this case different.

This is not an IP lawsuit. It's not a securities fraud class action. It is, at its core, a Caremark claim. Caremark is the Delaware doctrine that holds directors personally liable when they fail to implement reporting systems to detect and escalate material risk. The trap is specific. "We didn't know" is not a defense when you had a duty to set up a system that would have told you.

And the complaint stacks something else on top. It alleges that Adobe repurchased roughly 7.2 million shares for nearly $2.5 billion while the infringement risk was undisclosed. That turns the copyright question into a corporate waste claim and a securities theory. One alleged failure. Three theories of director liability.

The facts are still developing. Adobe will defend. But the structure of the case is what matters here. This is the first major shareholder derivative action where AI behavior at the operating level becomes a board-level fiduciary failure.

It will not be the last.

The Numbers Already Signal What's Coming

AI-related D&O lawsuits doubled in 2024. The trajectory through 2025 didn't reverse it. 88% of organizations are deploying AI. Only 25% have board-approved AI governance policies. That gap isn't a technology problem. It's a fiduciary one.

When something goes wrong with an AI system, a discriminatory output, a privacy breach, an IP allegation, a regulatory finding, the first question plaintiffs' counsel asks is not what the system did. It's what the board knew, when they knew it, and what reporting structure existed to make sure they would.

If the answer is "we approved the strategy and received no further updates," that is the Caremark trap, fully assembled.

The Adobe complaint shows how this assembles in practice. The plaintiffs point to red flags the board allegedly should have seen. The public removal of Books3 in 2023. The wave of AI copyright lawsuits across the industry. The rising disclosure pressure. The argument isn't that the board approved infringement. It's that the board had information available to it that should have triggered an oversight response, and the response never came.

That argument doesn't require AI expertise to make. And it doesn't require AI expertise to lose.

What Real Oversight Looks Like

Reasonable AI oversight isn't technical depth. It's a documented system that produces evidence the board was monitoring material risk. A few elements any defensible structure should include:

An AI inventory the board has actually seen. Not "IT maintains a list." A current, board-reviewed inventory of AI use cases that touch customers, employees, financial outcomes, IP, or regulatory exposure. With named executive owners.

A reporting cadence with escalation criteria. Quarterly is a starting point. Material incidents like model failures, regulatory inquiries, customer complaints reaching threshold, or training data questions get escalated outside the calendar.

Documented decisions on training data and IP. For any company building or fine-tuning models, the board should be able to point to a record showing that data provenance, licensing, and IP risk were considered. Not approved by the board. Considered, with management owning the call.

Minutes that show the conversation happened. This is where most boards fail. The defense in a Caremark case is documentary. If the minutes say "management presented an AI update" with no detail on what was discussed, escalated, or questioned, the record is thin.

A defined response when things go wrong. Who gets called. What gets paused. Who decides. Kill switch logic applies at the governance layer, not just the operations layer.

None of this requires the board to become technical. It requires management to be disciplined and the board to ask for evidence.

This Isn't Just a Boardroom Problem

The Adobe case is being read as a board story. It is. But the same gap exists at every level where AI is being used inside a company.

If you run a function, the question is whether you can produce a list of AI tools your team uses, what data those tools touch, and what you'd do if one of them failed. If you manage a team, the question is whether the AI workflows your people rely on were ever reviewed for risk, or whether they just appeared in the workflow one Tuesday and stuck. If you're an individual contributor using AI to draft, summarize, code, or analyze, the question is whether your organization knows what you're using and whether you'd be comfortable explaining it under scrutiny.

The Caremark logic scales down. Approval is not oversight. Adoption is not governance. Familiarity with a tool is not the same as understanding what it does with the data you give it.

The version of this conversation that reaches the board is the most expensive one. The version that happens at the team level, before something goes wrong, is the cheap one. Most organizations are still skipping the cheap one.

The Real Test

A few questions worth bringing to your next board meeting, leadership offsite, or team standup, depending on where you sit.

Do we have a current, documented inventory of AI use cases that touch customers, IP, or regulatory exposure, and has the right level of leadership seen it?

Is there a named owner with explicit AI oversight responsibility, and when did they last review what's actually in production?

If a complaint, audit, or regulator inquiry landed tomorrow alleging we failed to monitor AI risk, what minutes, reports, or escalations would we point to?

If the answer to any of these takes more than a week to assemble, that's the gap.

The Bottom Line

The Adobe case is not a warning about AI implementation. It's a warning about an assumption. The assumption that AI governance belongs to the CTO, the CIO, or "the technology side of the house."

It doesn't. Caremark is already the law. The Delaware courts didn't need to write a new doctrine for AI. They already had one. AI just made it urgent.

For every board that approved an AI roadmap without approving the monitoring structure around it, and for every team that adopted AI tools without anyone tracking what they're doing, the question is no longer theoretical. The first call from the GC has already happened somewhere.

The only real question is whether your organization is prepared for when it happens to you.

P.S. Ask one question this week. If you're a director, ask your General Counsel: "If a shareholder derivative complaint alleging failure of AI oversight landed on Monday, what documents would we produce as evidence?" If you run a function, ask your team: "What AI tools are we using, and who's accountable if one of them fails?" If you're individual contributor, ask yourself: "If my manager asked me to list every AI tool I use and what data I've put into each, could I?" If any of those answers takes more than 48 hours to assemble, you've found your gap. The Adobe board didn't get 48 hours. Most of us won't either.