Practical takeaways – what boards and legal teams should do now
- Audit the AI narrative. Map where and how AI appears in your external communications and test whether the claims match the technology you actually use.
- Stress-test “autonomy” claims. Scrutinise references to “agentic”, “autonomous” or “AI-driven” processes and record the level of human oversight and quality control.
- Identify and disclose limitations. Ensure product materials and risk factors fairly describe known issues – hallucinations, error rates, data gaps and uncertainty – especially in high-stakes uses such as financial, health or legal tools.
- Embed AI into fraud risk assessments. Treat AI as a specific fraud driver in failure to prevent fraud work.
- Tighten contracts with AI vendors and partners. Build warranties and disclosure duties around AI use into supplier and distribution contracts, with audit and termination rights where capability claims prove inaccurate.
- Consider insurance protections. Ensure your general liability policies, including Directors and Officers insurance policies, provide cover for any AI-washing claims or regulatory interventions that may arise; in particular, check cover clauses and exclusions to ensure no AI-specific carve-outs.
1. Introduction – from greenwashing to AI-washing
For several years, the litigation horizon was supposed to be dominated by climate change lawsuits. What materialised more quickly was something narrower and more legally straightforward: a wave of greenwashing enforcement and civil claims focused on misleading ESG disclosures and overstated sustainability credentials.
AI is now following a similar arc. The rhetoric of “AI-first”, “LLM-powered” and “agentic workflows” has become ubiquitous in investor presentations and annual reports – and our review of annual reports in three very different sectors (manufacturing, digital services and payments) found well over a dozen AI references in each case, with one report mentioning AI more than 100 times. That direction of travel is echoed in Arize AI’s 2024 survey, which reported a more than 400% year-on-year increase in Fortune 500 companies citing AI as a material business risk. AI language now permeates corporate disclosures across sectors, and the question is no longer whether AI is mentioned but how often – and how far the narrative can be squared with reality in a market where litigation funders and claimant law firms are actively scanning for discrepancies to build shareholder class actions and group claims.
That environment creates obvious tensions for in-house disputes teams and risk professionals. Where the story outpaces the underlying technology – or omits hard truths about how AI actually behaves – the risk is that AI hype becomes “AI-washing”. These are statements about AI capabilities, autonomy or impact that are false, misleading or incomplete in ways that are likely to give rise to scrutiny by enforcement authorities and – in particular – civil litigation, with potential consequences extending beyond the immediate dispute.
2. Context – AI everywhere, and an AI premium to match
Across markets, AI is rapidly becoming part of the standard corporate narrative. Boards talk about generative AI transforming customer service, automating HR or finance, and unlocking new revenue streams.
Investors, for their part, are rewarding that story. There is an “AI premium” in valuations, and regulators are watching closely. We have already seen AI-washing cases in other jurisdictions – including the SEC’s March 2024 settlement against Delphia (USA) Inc. and Global Predictions Inc., where a combined US$400,000 penalty was imposed for false claims about predictive AI capabilities that did not in fact exist. That trend is likely to be replicated here as the Labour Government seeks to position the UK as an AI hub and AI becomes more central in corporate disclosures, product claims and investor communications.
The same dynamics can be seen in UK-listed companies, where AI references in annual reports and earnings calls have multiplied. When a CEO tells the market that “90% of employee HR interactions are now handled by AI” or even that their company is now “AI-first”, they are potential hooks for regulatory scrutiny and litigation if they prove unsustainable. Aspirational AI claims can quickly become a securities and fraud issue if they are not grounded in evidence.
3. Analysis – where AI-washing risk most obviously arises
(a) Overstating AI capability and autonomy
The first and most visible category is exaggeration. Companies announce that AI is going to revolutionise their business, drive future revenue and transform margins, when in practice they have bolted an API licence from a foundation model provider onto existing workflows. Legacy IT services firms offering data analytics now describe themselves as providing “AI-driven insights” without a material change in the underlying product.
This risk becomes more acute as the vocabulary shifts from “AI-assisted” to “autonomous” or “agentic” AI. Promises that AI agents will perform complex tasks end-to-end, independently optimising workflows or making decisions, may be attractive to investors – but they can be difficult to reconcile with reality if any meaningful deployment still depends on heavy human oversight and manual quality control. Even though much of what is badged as “agentic AI” today is simply standard model use wrapped in new branding, the disclosures often read as if genuinely autonomous systems are already in place. In that scenario, the legal issue is not the use of third-party models – it is the mismatch between the simplicity of the branding (“AI-first”, “agentic”) and the more mundane technical reality.
A similar concern arises where businesses over-claim on “responsible AI” governance – for example by suggesting they are already aligned with regimes such as the EU AI Act or DORA, or that models “do not train on customer data” – and also where they are overly confident that these regimes do not apply to them, in ways that cannot be reconciled with how systems are actually built and run.
(b) Concealing human labour
A second, slightly different, pattern is where products marketed as AI-driven are, in substance, powered by cheap human labour or by hybrid processes that are far less automated than the branding suggests.
If a service is promoted as “autonomous AI” handling content moderation, customer interactions or document review at scale, but in practice relies on a large workforce to check outputs, correct hallucinations and validate data, questions arise about whether the technology is doing what was promised.
Representing such tools as scalable, low-touch AI solutions may be misleading if their true operating model is labour-intensive and fragile.
(c) Downplaying technical limitations and AI governance
Then there is the well-known technical profile of large language models and other generative tools. They are probabilistic, prone to hallucination and can fabricate content – sometimes in ways that are reputationally or legally harmful, for example by attributing false statements to individuals or organisations, or by fabricating sources. Failing to disclose these limitations in high-stakes use cases, or implying a level of accuracy and reliability that is not supported by testing, risks crossing the line from optimism into misrepresentation.
Industry benchmarks such as the Vectara Leaderboard suggest that even market-leading models retain a stubborn “hallucination floor” of around 3%, underlining that these risks are structural rather than short-term teething problems.
A product that cannot be made “fit for purpose” because hallucination is an inherent limitation may give rise to exposure if those issues are glossed over in external communications.
As issues like hallucinations and error rates become better known and more closely examined, it will be harder for organisations to argue that the harm they cause was unexpected or incidental. If these limitations are well understood, failing to explain them properly or put controls around them may also create difficulties in seeking insurance protection when claims arise. Insurers are likely to ask whether the loss came from a genuinely unexpected failure, or from known weaknesses that were consciously accepted and built into the product or service without adequate safeguards. As a result, weaknesses in AI governance can affect not only legal liability, but also how far insurance protections are capable of responding when claims arise.
4. Litigation risk
(a) Regulatory and criminal enforcement – FCA, SFO and others
AI-washing can attract regulatory and criminal scrutiny.
Consumer-facing AI claims may also fall within the UK’s consumer protection regime. The DMCCA includes a strategic market status regime for major digital platforms, but the more relevant point for present purposes is its broader prohibition on misleading consumer practices. Where products are sold as “AI-powered”, “autonomous” or materially enhanced by AI, businesses should be able to substantiate those claims if challenged. The Law Commission is also considering whether consumer law enforcement could be strengthened through a new consumer class actions regime, which could in due course affect how claims based on misleading AI-related product statements are brought. Advertising claims are another early pressure point: while ASA enforcement is primarily self-regulatory, the CAP Code requires objective AI claims to be substantiated, and adverse rulings may create a public record that later feeds into consumer, contractual or regulatory scrutiny.
For listed companies, AI-heavy announcements that are misleading, false or incomplete may engage the Market Abuse Regulation and the FCA’s disclosure and listing regimes. Issuers must ensure information released to a regulatory information service is fair, clear and not misleading; describing a modest or untested AI rollout as “transformational” is likely to be scrutinised against that standard. The FCA’s public messaging on AI is deliberately supportive – it wants firms to experiment, develop and test AI in ways that drive innovation, benefit consumers and markets, and support the growth and competitiveness of UK financial services. At the same time, it has stressed that AI use sits within existing expectations on governance, systems and controls, operational resilience and fair treatment, including the Consumer Duty, and boards that lean on AI for credit, trading, fraud detection or customer engagement should expect questions about how those systems have been tested, monitored and described, consistent with the UK Corporate Governance Code’s requirement to monitor and review material IT controls.
For FCA-regulated firms, the issue is not limited to listed-company disclosure. AI-related claims in financial promotions and customer-facing materials must be clear, fair and not misleading, including where firms suggest that AI improves returns, reduces risk, detects fraud or automates important customer functions. In more serious market-facing cases, false or reckless AI claims may also raise questions under the Financial Services Act 2012 offences relating to misleading statements or impressions, where the relevant knowledge, recklessness and inducement elements are present.
In terms of criminal enforcement, the new failure to prevent fraud offence – and the accompanying Home Office guidance – will be highly relevant. That guidance expects fraud risk assessments to be dynamic and specific, taking account of emerging technologies and expressly asking firms to consider the fraud triangle. In practice, that means asking where AI – whether in-house or vendor-supplied – creates opportunities to mislead customers, investors or regulators, and whether existing controls still work in an AI-driven environment. A generic anti-fraud policy is unlikely to satisfy the “reasonable prevention procedures” defence if it lacks targeted measures for AI-enabled risks such as deepfakes and synthetic invoices, and if internal incentives around “AI adoption” increase pressure on staff and intermediaries to over-sell capabilities – a clear example of the pressure element the guidance highlights.
The offence also reaches far beyond misleading public markets. A vendor that overstates the capabilities of an AI-powered payroll, document review or time-recording system in a private procurement may be committing fraud, and if that conduct is by an associated person for the organisation’s benefit – for example a sales partner misleading customers on the benefits of generative AI – the corporate may face failure to prevent exposure alongside civil misrepresentation or contractual claims. The SFO, as the UK’s lead prosecutor of serious fraud, has already said it will “go hunting” for early cases under the new offence, and has already shown interest in tech-related matters by commencing a new large-scale crypto investigation; AI-related misconduct is likely to be a natural area of focus.
In practice, claims about the maturity, reliability or strategic importance of AI systems are rarely purely technical statements, but are instead about organisational readiness, control frameworks and decision-making. In many cases those statements may well be seen to sit directly at a senior level, with corresponding implications for liability allocation and insurance response.
(b) Civil liability – FSMA, misrepresentation and contractual claims
AI-washing creates real exposure to civil claims. Civil claims are likely to track many of the same events that attract the attention of enforcement authorities, creating a risk of parallel exposure where AI-washing has inflated expectations or disguised weaknesses in the underlying technology.
Under FSMA s.90, prospectuses and listing particulars that contain untrue or misleading AI statements, or omit required information about AI-driven business models, can found negligence-based claims by investors who suffer loss. Investors do not need to prove reliance on any specific AI disclosure, only that they acquired the securities and suffered loss. A prospectus built around an AI growth story that cannot be substantiated is an obvious risk, particularly as the UK positions itself as a leading AI hub and attracts more AI-heavy listings.
FSMA s.90A then provides a route for investors to sue over misleading AI statements in other published information – such as annual reports, interim results and RNS announcements – where a person discharging managerial responsibility, typically a director, knew the statement was untrue or misleading, was reckless as to its truth, or dishonestly concealed a material fact, and the investor relied on it. In AI‑heavy annual reports – where AI is referenced dozens of times and positioned as central to strategy – it may be easier for claimants to argue reliance than in other contexts. Where AI is framed as a key driver of future performance, false or incomplete statements about AI capability will be central to arguments around loss.
Outside the securities context, similar fact patterns can support claims for misrepresentation, deceit and breach of contract. If an AI‑enabled product does not perform as promised, or contractual statements about autonomy, accuracy or compliance cannot be substantiated, customers and commercial counterparties may seek to recover losses. For example, a litigation services business that buys an “AI‑powered” document review platform sold as near‑autonomous – but later finds that a significant proportion of the review still depends on human oversight to rein in hallucinations and bias – may sue the vendor for misrepresentation and breach of contract. If the vendor has also marketed the tool to end‑clients on the basis of substantial cost savings compared with instructing a law firm, those same exaggerations about autonomy and performance could, in certain circumstances, amount to fraud and trigger criminal and regulatory interest.
In practice, the same facts can trigger several problems at once. A single set of AI‑related claims or failures may lead to shareholder lawsuits, customer disputes and regulatory attention, depending on how those claims were made, how others relied on them, and how they later compare with what the technology actually did.
Insurance may help with the cost of defending and resolving those claims, but it will depend on the precise terms of available insurance and coverage may be affected by whether the losses are the result of a genuinely unexpected failures, or the foreseeable outcome of known AI limitations that were understood in advance and deployed without adequate controls.
(c) Insurance implications
While AI-washing is often talked about as a problem of governance or corporate messaging, it does not – of itself – create a new kind of legal risk. When things go wrong, claims are likely to be brought using familiar arguments such as negligence, misleading statements or failures of management oversight, rather than any AI-specific legal theory.
Accordingly, insurance protection is likely to be available under traditional liability insurances such as professional liability insurance, general liability protections and directors’ and officers’ insurance and, for companies, securities cover, subject to any applicable exclusions. Therefore, insureds will want to keep a close eye on any AI-specific exclusions that insurers might seek to introduce, which could compromise the availability of insurance and, similarly, insureds can expect greater scrutiny from their insurers at the policy placement stage on how AI capabilities are governed, controlled and supervised in practice.
5. Conclusion – A surge of AI-washing cases is imminent
AI-washing looks increasingly likely to follow the path of greenwashing. If there is an AI “bubble” in current valuations, the point at which it deflates is when losses crystallise – and with them the pre-condition for FSMA s.90 and s.90A claims by investors in AI-focused businesses.
Alongside that, there is a separate risk of civil fraud, misrepresentation and breach of contract claims brought by customers and commercial counterparties who relied on overstated AI capabilities or performance.
AI-washing claims are therefore likely to move steadily from regulatory warnings and market commentary into live disputes, particularly where losses crystallise and earlier AI claims are tested against what the technology actually did.
As those disputes unfold, attention is also likely to turn to what insurance cover is available, with defendants seeking to rely on their liability insurances to protect them against defence costs and potential liabilities.
For UK companies, the task now is not to dampen legitimate AI innovation, but to ensure that public and contractual claims about AI are grounded in technical reality, supported by evidence and fully integrated into disclosure controls, product governance, fraud frameworks and governance processes, and ensure that insurance policies are scrutinised to ensure they provide an effective risk mitigant. Organisations that take a hard look at their “AI story” now – and strip out wishful thinking – will be better placed if that AI premium is tested in hindsight.
Authored by Reuben Vandercruyssen, Lydia Savill, and Matt Steven.
