AI governance hits the boardroom

Artificial intelligence has moved from an innovation project to a boardroom risk register, as chief information officers now rank it near malware, ransomware and phishing. (prnewswire.com) Logicalis said April 13 that 28% of chief information officers it surveyed now see artificial intelligence as a significant cyber risk, behind malware at 33% and phishing at 30%. The company said its annual report surveyed more than 1,000 chief information officers globally. (prnewswire.com) The same survey said 77% of organizations had a cybersecurity incident in the past year, 41% said incident response times worsened, and only 37% said they had full visibility into artificial intelligence tools used across their organization. Logicalis said 62% reported employees jeopardizing data security through artificial intelligence use. (prnewswire.com) That governance gap is opening as states write their own rules for specific uses of artificial intelligence instead of waiting for Congress to pass one national standard. The National Conference of State Legislatures says its database now tracks artificial intelligence bills across topics including private-sector use, health care, discrimination and oversight. (ncsl.org) Troutman Pepper Locke said on April 12 that legislatures in Nebraska, Maryland and Maine passed artificial intelligence-related bills last week, adding to a fast-growing patchwork of state requirements. Its update said the measures covered chatbots, pricing and mental health services. (troutmanprivacy.com) In Nebraska, lawmakers passed Legislative Bill 525, which includes the Conversational Artificial Intelligence Safety Act. Troutman said the bill requires conversational artificial intelligence services to tell minors they are interacting with artificial intelligence and to tell any user when a reasonable person would not understand the service is not human. (troutmanprivacy.com (nebraskalegislature.gov)) The Nebraska bill also says a service cannot claim it is designed to provide professional mental or behavioral health care, and the state attorney general would enforce it if signed. The Nebraska Legislature’s bill page shows Legislative Bill 525 was placed on final reading on April 7. (troutmanprivacy.com (nebraskalegislature.gov)) In Maryland, House Bill 895 would bar food retailers and third-party delivery platforms from using dynamic pricing or consumer personal data to set prices for goods or services. The Maryland General Assembly page says the bill was in the House as passed enrolled as of April 11 and would take effect June 1, 2026. (mgaleg.maryland.gov) In Maine, lawmakers passed a bill that would prohibit anyone from offering therapy or psychotherapy services, including through internet-based artificial intelligence, unless the services are provided by a licensed professional. Maine’s legislative text also allows licensed professionals to use artificial intelligence for administrative or supplementary support. (troutmanprivacy.com (legislature.maine.gov 1) (legislature.maine.gov 2)) For companies that build, buy or deploy artificial intelligence systems, the compliance question is no longer only whether a model works. It is whether the tool is visible to security teams, whether users are told they are talking to a machine, and whether a product’s rules change when it crosses a state line. (prnewswire.com) (troutmanprivacy.com)