The U.S. Securities and Exchange Commission’s creation of
the Cybersecurity & Emerging Technologies Unit (CETU) marks a
decisive shift in how regulators approach artificial intelligence.
What began as marketing optimism has become a regulated space with
real enforcement teeth. CETU’s mission includes investigating
AI fraud, AI-themed scams, cybersecurity deception, and false or
misleading statements about emerging technologies.
Central to this new landscape is the emergence of AI
washing—the practice of overstating, exaggerating, or
inventing the capabilities of artificial intelligence systems. Much
like greenwashing, which misrepresents environmental
sustainability, AI washing misrepresents technological
sophistication.
The parallels are striking, and the regulatory consequences are
becoming equally severe.
AI Washing vs Greenwashing: Two Sides of the Same
Misrepresentation Coin
For more than a decade, regulators have pursued companies for
greenwashing—false environmental claims used to attract
investors or customers. Now, AI washing is emerging as the next
major frontier.
What they have in common
Depending on the jurisdiction, both AI washing and greenwashing
can involve:
- Overstated claims in marketing or disclosures;
- Lack of supporting evidence;
- Appealing to investor sentiment (sustainability, innovation,
ESG, “AI-powered” solutions); - Failure to disclose limitations or risks;
- Pressure from competitive markets fuelling exaggeration;
- Whistleblower-driven investigations;
- Material misrepresentation under securities law;
- Misleading advertising under competition law.
AI washing is even more problematic
AI washing can involve:
- Claims about algorithms, automation, or risk modelling that
investors rely on; - Statements about cyber or operational resilience tied directly
to AI performance; - Undisclosed manual processes masked as AI;
- AI-themed fraud schemes targeting retail investors;
- AI systems that, if misrepresented, create cybersecurity or
privacy liabilities.
Put simply, if greenwashing misleads about sustainability, AI
washing misleads about capability — and capability
goes directly to value, risk, and governance.
Regulators understand this and they are expanding their toolkits
accordingly.
CETU: The SEC’s Enforcement Response to AI
Washing
CETU is charged with investigating:
- Misleading AI disclosures
- AI-driven deception and online scams
- Cyber intrusions and stolen credentials
- Crypto and blockchain fraud
- False or incomplete disclosures about cybersecurity
incidents - Promotional overstatements of “AI-driven” financial
strategies
Building on the SEC’s first AI-washing enforcement actions
in 2024, CETU represents a shift in U.S approach: if you claim AI
capability, you must prove it.
UK, EU, and Canada Comparison
United Kingdom
AI washing is addressed indirectly through:
- FCA’s rule that communications must be clear, fair, and not
misleading; - ASA/CMA enforcement against misleading technology claims;
and - Crackdown on finfluencers promoting “AI trading
bots”.
European Union
The EU AI Act introduces:
- Transparency and documentation obligations;
- Risk-based categorisation for AI systems; and
- Administrative fines for misleading statements or incomplete
information.
Canada
The Canadian Securities Administrators (CSA) have explicitly
warned against AI washing while Canada’s earlier proposed
federal Artificial Intelligence and Data Act (AIDA)
legislation if revived will impose AI risk-governance obligations
similar to those under the EU’s regime.
Across all regions, regulators are converging on one
expectation: evidence-based AI claims.
How Companies Can Combat AI Washing (and Greenwashing):
Essential Steps
Greenwashing and AI washing have taught regulators that
misrepresentation is rarely a one-off mistake—it’s a
system failure. To address both, companies must implement
structural, ongoing and verifiable controls.
The necessary steps include:
1. Evidence-Based Claims
- Keep technical documentation that substantiates every AI or
sustainability claim; - Ensure claims can be backed up by internal records, testing
data, audits, and model validation.
2. Cross-Functional Sign-Off
AI claims require review from:
- Engineering;
- Forensics;
- Legal;
- Marketing;
- Compliance;
If any of these groups cannot verify a claim, it should not be
made or published.
3. Avoid Superlatives Without Proof
Words such as proprietary, cutting-edge, predictive,
automated, sustainable are red flags when not supported by
measurable evidence.
4. Maintain Documentation of Limitations
Just as companies must disclose environmental limitations in
their disclosures, AI disclosure must include:
- Known risks;
- Data constraints;
- Accuracy limitations; and
- Required human oversight.
5. Ensure Governance In Place Before any Whistleblower
Complaint
The worst time to implement a governance scheme is after a
whistleblower incident. At a minimum companies should be
undertaking today if they haven’t done so already:
- AI risk assessments;
- Disclosure controls;
- Audit trails;
- Document retention protocols;
- Board reporting; and
- Crisis-response plans.
These frameworks will serve as both actual governance structures
as well as powerful defence evidence if regulators scrutinise
corporate systems and behaviour.
How Forensic Restitution and McMillan LLP Help Companies
Navigate This Landscape
Regulators expect companies to demonstrate not just compliance,
but due diligence. A combined forensic +
legal review and reconstruction of corporate systems is
now essential.
Here is how firms like Forensic Restitution and McMillan
assist:
1. Evaluating Whether AI Claims Are
Accurate
A forensic consultant can undertake the following:
Technical Verification
- Review code, data flows, and model behaviour;
- Determine which processes truly use AI;
- Distinguish human-driven steps from automated functions.
Operational Verification
- Examine logs, testing documents, user flows;
- Identify internal inconsistencies;
- Compare internal communications to public statements.
Financial Impact Assessment
- Determine whether misstatements influenced revenue, pricing, or
investor decision-making.
This is the same methodology used in greenwashing
investigations—substantiate or refute claims using evidence,
not narratives.
2. Advising on a Path Forward When Claims Are
Overstated
When a claim goes too far (intentionally or not), legal counsel
and forensic consultants together develop a management and
corrective strategy.
Legal Counsel role:
- Assess materiality;
- Advise on internal or external investigations and related
reporting; - Determine whether disclosure or restatement is required;
- Manage communication with regulators, media and
stakeholders; - Maintain privilege where appropriate;
- Prepare for regulatory inspections and investigations;
- Advise on D&O liability risk and protection; and
- Advise on whistleblower exposure and risk.
Forensic Consultant role:
- Document the factual reality of the technology;
- Provide independent verification;
- Develop remediation and internal-control enhancements;
- Assist in reconstructing decision pathways to show good-faith
efforts;
Working together legal counsel and forensic consultants help
companies avoid the two most damaging outcomes:
- Reputational hit;
- Regulatory enforcement, and
- Being perceived as intentionally deceptive, which can be worse
than the technical failure itself.
3. Building a Framework That Withstands Whistleblower
Scrutiny
Every whistleblower allegation prompts the same questions from
regulators:
- What happened?
- Who knew what and when?
- What did the company do to verify its claims?
- What governance existed at the time?
The legal–forensic team ensures the company has clear,
defensible answers to these and related questions. Pre-emptive
actions in this regard can include:
- AI and environmental-claim disclosure policies;
- Model validation protocols;
- Document retention standards;
- Audit trails showing who approved each claim;
- Board oversight frameworks;
- Third-party verification (for high-risk statements);
- Periodic reviews of marketing, investor materials, and
whitepapers; and - Internal whistleblower channels that capture issues early.
These structures provide the organisation with a credible record
of due diligence—critical if a whistleblower makes a
complaint or publicizes a failure or perceived failure.
Why This Matters: AI Hype Is Becoming a Legal
Liability
The lessons from greenwashing are clear:
- When markets reward bold claims, companies exaggerate.
- When companies exaggerate, regulators follow.
- When regulators follow, systems and documentation become
everything.
With CETU, the SEC has declared that AI representations are now
a matter of securities integrity, not marketing flair. The EU, UK,
and Canada will be moving in the same direction. In this
environment, companies must prioritise accuracy, governance, and
provability.
Conclusion: The Path to Compliance Runs Through
Verification, Governance, and Documentation
AI washing is not a temporary trend—it is the next major
enforcement theme in global regulation. A forensic firm like
Forensic Restitution provides the technical and evidentiary
backbone and a law firm like McMillan provides the regulatory and
governance advice.
Together, they help you:
- Verify the accuracy of your AI and sustainability claims;
- Correct and remediate overstated or inaccurate statements;
- Build a defensible framework that can protect against the
consequences of a whistleblowers and provide a defensible position
to the regulator;
This approach does more than merely prevent sanctions and damage
—it builds trust, enhances credibility, and positions
companies as responsible leaders in a rapidly evolving AI
landscape.
The foregoing provides only an overview and does not
constitute legal advice. Readers are cautioned against making any
decisions based on this material alone. Rather, specific legal
advice should be obtained.
© McMillan LLP 2025
