Skip to main content

AI in the Boardroom E3 - “Shadow AI”, Continuous Disclosure, and the Inadvertent Disclosure of Material Non-Public Information

Fasken
Reading Time 7 minute read
Share
  • LinkedIn

Overview

Capital Markets and Mergers & Acquisitions Bulletin

Much ink has been spilled on what AI means for public companies and their continuous disclosure obligations. Is the company’s use or development of AI material to its business? Could any discussion of its plans around AI constitute forward looking information? How should AI inform its risk factors?

Much less attention has been paid to key issues around AI use in the continuous disclosure process itself, i.e., not in the substance of the disclosure, but in its preparation and the broader corporate work behind it. This article shines a spotlight on one such consideration: the potential inadvertent disclosure of material non-public information (MNPI), especially through the use of “shadow AI”. A recent U.S. example stands as a cautionary tale. The key takeaway is the importance of robust, responsive and enterprise-specific AI protocols.

This is the third episode in our “AI in the Boardroom” series. For our first two episodes, read AI in the Boardroom: The Good, the Bad, and the Complex Balance Directors Must Navigateand AI in the Boardroom E2 – Not Just for Financial Institutions: What Other Canadian Companies Can Take From the AMF’s AI Guideline. For more Fasken capital markets thought leadership, visit our Capital Markets and M&A insights hub and subscribe.

What is “Shadow AI” and when is the Line Crossed?

“Shadow AI” is the use of AI outside a company’s approved AI tools and parameters. The practice, unlike the name implies, is not necessarily nefarious.

More and more people are using AI as part of their day-to-day workflow. This being today’s reality, using AI tools outside those permitted by the company in connection with one’s work does not necessarily drift into shadow AI, e.g., using a consumer chatbot to conduct mere general market or industry research. The bright red line that should never be crossed and where shadow AI begins is the input, whether by prompt, document upload or otherwise, of company information into non-approved AI tools when such information is meant to be kept within the strict guardrails of the company’s authorized AI protocols.

What Are the Risks Posed by Shadow AI?

The critical risk posed by shadow AI is the unintentional disclosure or other loss of control over the company information input into the AI. Unlike traditional software, some AI tools retain, process or communicate information input by users beyond the immediate user application. This can result in the information being disclosed, reproduced or otherwise shared with third parties beyond the user’s intent. This risk is particularly acute in connection with shadow AI, i.e., tools not vetted by the company’s technology and legal teams for their security and confidentiality protocols. 

Whether a company is private or public, the company information put at risk by shadow AI includes confidential information, commercially sensitive information and privileged legal information. For public companies, the information put at risk also includes MNPI.

MNPI: Handle with Care

MNPI is material facts or material changes relating to a public company that haven’t yet been publicly disclosed as required by securities law or applicable stock exchange rules. Public companies handle MNPI (and potential MNPI) in the ordinary course of their business, including in deciding whether new information is of enough significance to qualify as either a material fact or a material change which requires public disclosure. 

MNPI raises several legal issues and risks for the company and its personnel, including potential insider trading and the possibility of selective disclosure (i.e., tipping). Selective disclosure occurs where MNPI is disclosed other than in the necessary course of business outside appropriate channels, e.g., to one or more individuals or companies and not broadly to the investing public. Importantly, there is no safe harbour in the case of unintentional selective disclosure of MNPI. Should this happen, the company must take immediate steps to ensure a full public announcement is made. The trading of the company’s securities may also be temporarily halted, and financial, administrative and even criminal penalties may be imposed.

Does Shadow AI + MNPI = Selective Disclosure?

The question that naturally follows is whether the input of MNPI into an AI tool (e.g., a consumer chatbot) would constitute selective disclosure under securities law. The answer is not straightforward, but the stakes are high: if it does, the company may be forced to make an immediate full public announcement and could face a temporary halt in the trading of its securities. A key practical concern of regulators informing securities legislation is the selective disclosure of material company information to analysts, institutional investors, investment dealers and other market professionals. A recent example of a selective disclosure enforcement case involved the director of a TSXV-listed company sharing MNPI with a longtime friend and business associate as part of seeking advice regarding a proposed material transaction between the company and a second company.

The input of MNPI into an AI tool does not fit neatly into these or similar categories. The analysis would therefore likely be highly context dependent. Key here would presumably be the AI tool’s terms of use and downstream processing, dissemination and application of input information. 

A Cautionary U.S. Example

A recent U.S. example highlights the risks that arise when shadow AI meets confidential and sensitive company information.

In May 2026, a financial services company became the first U.S. company to file a SEC Form 8-K triggered solely by an employee’s unauthorized use of an AI tool. The employee had input non-public customer information into a consumer AI tool, apparently as a productivity shortcut. The input data included customer names, social security numbers, and dates of birth, among other information. Although the company’s leadership determined that the incident was not expected to have a material impact on the company’s financial condition or operations, they nonetheless decided it was material under Form 8-K given the “volume and sensitive nature of the non-public information at issue”.

To be clear, the incident did not involve the inadvertent disclosure of MNPI via shadow AI, but rather the inadvertent disclosure of confidential, non-public company information so sensitive that the incident itself became material and required immediate disclosure under U.S. securities law. Even so, it stands as a clear cautionary tale of the risks shadow AI poses to sensitive and non-public company information such as MNPI. It also illustrates that those risks are not limited to the inadvertent disclosure of MNPI: the input of sensitive company information into shadow AI can itself trigger consequences sufficient to qualify as a material change – in this case, a self-inflicted cybersecurity event.

Key Practical Takeaways for Public Companies

What are the key lessons for public companies and, in particular, their boards of directors?

AI tools offer efficiency gains, but they also introduce risks. The most well-known of these is the potential for confident errors, ranging from minor inaccuracies to outright hallucinations.

Shadow AI adds a different and potentially far more serious variety of risks. For public companies, these risks include the inadvertent disclosure of MNPI. Numerous different scenarios are foreseeable.

One example is inadvertent disclosure during the actual preparation of continuous disclosure, e.g., if, in preparing the company’s next MD&A or AIF, an employee uses a consumer grade AI tool to summarize recent developments or refine draft disclosure language.

This risk is especially pronounced for public issuers in Quebec, who must in certain cases prepare and file continuous disclosure documents in French. An employee may be tempted to run draft MD&A, AIF, press releases or other disclosure through a consumer-grade AI translation tool, or to draft the French-language versions with such a tool outright. Where these documents contain MNPI, doing so could result in its inadvertent disclosure before its authorized release.

Another potential example is inadvertent disclosure of the information during the company’s actual analysis of whether something rises to the level or material fact or a material change. As securities lawyers know well, this inquiry is often challenging, and difficult judgment calls must often be made. It’s only natural that people tasked with assisting in this analysis or making the judgment call may be tempted to lean on AI as a sounding board, to tease out potential implications, or to play devil’s advocate. 

The key lesson for public companies and their boards is therefore that shadow AI is not merely an IT concern but a disclosure and governance issue that sits at the intersection of technology, legal and the boardroom – and the response must too. The answer is not to ban AI, but to bring it within appropriate guardrails. In practice, that means:

  • robust, enterprise-specific AI protocols and a clear list of approved AI tools, with board-level oversight of their adoption and periodic review;
  • employee training regarding shadow AI, the risks its poses, and its prohibited uses, including as relates to company information;
  • disclosure controls and procedures that expressly contemplate AI use in the preparation and analysis of continuous disclosure documents, with the audit committee or disclosure committee, as applicable, tasked with overseeing compliance;
  • an incident-response plan, which should be tested, if inadvertent disclosure of MNPI occurs; and
  • the inclusion of AI risk – including shadow AI – as a standing item on the board's or a designated committee's agenda, ensuring that oversight keeps pace with the rapid evolution of AI tools and their use across the organization.

All in all, AI and its uses continue to both evolve and accelerate. As they do, and as examples of compliance failures continue to emerge, public companies, their boards, and their AI protocols should continue to respond and adapt accordingly and proactively.

Contact the Authors

For more information or to discuss a particular matter, please contact us.

Contact the Authors

Authors

  • Alexandra Freedman, Associate | Corporate/Commercial, Montréal, QC, +1 514 397 5253, [email protected]
  • Guillaume Saliah, Partner | Corporate/Commercial, Mergers & Acquisitions, Montréal, QC, +1 514 397 4371, [email protected]
  • Tracy L. Hooey, Partner | Mergers & Acquisitions, Toronto, ON, +1 416 868 3439, [email protected]
  • Paul Blyschak, Counsel | Corporate/Commercial, Calgary, AB, +1 403 261 9465, [email protected]
  • Payton Holliss, Associate | Capital Markets, Mergers & Acquisitions, Calgary, AB | Toronto, ON, +1 403 261 9430, [email protected]
  • Léon-Sékou Tétreault, Student, Montréal, QC, +1 514 397-5210, [email protected]
Alexandre Freedman Montréal Summer Student/Étudiante Alexandra Freedman Associate | Corporate/Commercial Montréal, QC +1 514 397 5253
Guillaume Saliah, Partner | Corporate/Commercial, Mergers & Acquisitions Guillaume Saliah Partner | Corporate/Commercial, Mergers & Acquisitions Montréal, QC +1 514 397 4371
Tracey L Hooey Toronto Lawyer Tracy L. Hooey Partner | Mergers & Acquisitions Toronto, ON +1 416 868 3439
Paul Blyschak, Counsel | Corporate/Commercial Paul Blyschak Counsel | Corporate/Commercial Calgary, AB +1 403 261 9465
Payton Holliss, Associate | Capital Markets, Mergers & Acquisitions Payton Holliss Associate | Capital Markets, Mergers & Acquisitions Calgary, AB Toronto, ON +1 403 261 9430