Faculty of law blogs / UNIVERSITY OF OXFORD

Directors and AI: Why Diligence Needs a New Framework


Author: Giovanni Vetrugno, Senior Auditor, Ria Grant Thornton SpA; Teaching Assistant in Private Law, Faculty of Economics and Law, Università Cattolica del Sacro Cuore, Milan.

A KPMG study covering more than 48,000 individuals across 47 countries reports that 66% of users now rely on AI tools regularly, while only around half trust the algorithmic output enough to act on it in operational decisions. Read against PwC’s 2024 and 2025 findings that 49% of technology leaders consider AI ‘fully integrated’ into corporate strategy, the gap is striking. Adoption has outpaced trust. And it has outpaced, more importantly for company law purposes, the conceptual tools that govern director liability.

Italian corporate law illustrates the problem with unusual clarity. Article 2392 of the Civil Code, drafted in 1942, sets the standard of director diligence in twenty-three words. That standard was designed for a world in which strategic decisions were made by humans and could, however imperfectly, be reconstructed after the fact. Algorithms (particularly machine-learning systems whose internal logic remains opaque even to their developers) break that assumption. The Italian Supreme Court (Cass. civ. n. 10488/1998) has long held that directors must observe a ‘qualified diligence’ calibrated to the nature of their office. What ‘qualified diligence’ means when the office involves authorising deep-learning systems no one fully understands is a question the courts have not yet answered.

The business judgment rule, which Italian case law has progressively imported from US corporate jurisprudence, sharpens the tension rather than resolving it. The rule protects business decisions taken in good faith on an adequately informed basis. But adequacy of information presupposes that the decision-maker can interrogate the inputs. Has a director been ‘adequately informed’ when she approves a credit-scoring algorithm whose discriminatory outputs are invisible to her, and which she could not have understood even if shown the model? The orthodox answer is uncomfortable either way.

In a recent paper published in Corporate Governance, Sottoriva and I argue that this is not a problem to be solved by adding a layer of technical knowledge to the director’s job description. No one seriously expects board members to become data scientists, and pretending otherwise would impoverish boards rather than improve them. The shift, in our view, must be elsewhere. Director diligence in the algorithmic era should be assessed primarily at the level of governance processes, not at the level of individual decisions taken with or without algorithmic support.

We propose a framework, the TRACE Model, organised around five dimensions: Transparency, Risk Assessment, Audit Trail, Competence, and Ethics. Transparency does not require disclosure of source code (which would conflict with legitimate trade-secret protection) but does require board-accessible documentation of what each AI system does, what it cannot do, and where it sits in the company’s decision architecture. Risk Assessment translates into a structured evaluation of bias, robustness, and failure modes, both ex ante and on a continuing basis (algorithms drift, datasets age, and a system that worked at deployment may misbehave eighteen months later). Audit Trail responds to the reconstruction problem: directors should not be required to explain every neural-network parameter, but the company must be able to show, for any consequential decision, what data and what configuration the system relied on. Competence is institutional, not individual: the board collectively must hold (through training, independent directors, advisory committees) the capacity to ask the right questions of its technical staff. Ethics, finally, integrates AI governance with the broader ESG framework that already structures much of European corporate disclosure.

The model emerges from Italian doctrine and Italian case law, but the underlying concern is not parochial. Caremark duties under Delaware law require boards to install information and reporting systems ‘reasonably designed’ to detect compliance failures. A board that delegates significant decisions to algorithmic systems without the structural capacity described above risks the same charge of inadequate oversight that Caremark and Stone v. Ritter anticipated for very different contexts. The UK Companies Act 2006, particularly sections 172 and 174, asks comparable questions about reasonable care, skill and diligence. German doctrine has begun developing the notion of digitale Sorgfaltspflicht. The five TRACE dimensions are not a translation of any of these; they are an attempt to operationalise concerns common to all of them in a way courts and counsel can actually apply.

The standard of director diligence is not broken. It does, however, need to be read in light of the technologies it is now asked to govern. The TRACE Model is one attempt at that reading. Whether it persuades will depend on how courts, in Italy and elsewhere, choose to interpret existing duties when the next algorithmic failure reaches them, which, given current adoption rates, will not take long.

The author’s article is available here.

Giovanni Vetrugno is a Senior Auditor at Ria Grant Thornton S.p.A. and a Teaching Assistant in Private Law at the Faculty of Economics and Law, Università Cattolica del Sacro Cuore, Milan.