Emergent

Reputational risk in the age of AI and transparency

Why one bad AI, cyber or ESG incident can become a board crisis

Reputation used to be treated as the consequence of a bad event. Today, it is often the event itself.

For South African CEOs and boards, this matters because the triggers of reputational damage have changed. A poorly governed AI output, a cyber breach, a misleading sustainability claim, a leaked internal decision, a deepfake-enabled fraud or an ESG inconsistency can move from operational incident to board crisis within hours. The issue is no longer only whether the company did something wrong. It is whether stakeholders believe the organisation had the governance, evidence, controls and values to prevent it.

The uncomfortable truth is that AI, cyber and ESG are no longer separate risk categories. They now converge around one board-level question: Can the organisation be trusted when something goes wrong?

PwC’s 2025 Global CEO Survey captures the leadership tension well. Only 33% of CEOs say they have a high degree of trust in having AI embedded into key processes, while PwC argues that CEOs need “bounded optimism” rather than either blind adoption or uninformed pessimism. EY’s Responsible AI Pulse survey shows the governance gap more sharply: 72% of executives say their organisations have integrated and scaled AI in most or all initiatives, but only a third have proper protocols in place across EY’s responsible AI framework.

That gap between adoption and assurance is where reputation risk now lives.

Reputation is becoming a governance test

A bad incident becomes a board crisis when stakeholders conclude that the organisation’s failure was not accidental, but systemic.

A cyber breach may be forgiven if the company can show strong controls, fast detection, responsible disclosure and care for affected customers. It becomes a reputational crisis when the market sees poor preparation, delayed communication, weak accountability or an underinvestment in resilience.

An AI error may be tolerated if the company can explain the use case, controls, human oversight and remediation. It becomes a crisis when leaders cannot say which AI systems are in use, who approved them, what data they use, how outputs are checked and whether affected customers or employees have a route to challenge decisions.

An ESG mistake may be corrected if there is credible evidence, transparent measurement and clear trade-offs. It becomes a crisis when sustainability language runs ahead of operational reality.

This is why reputation can no longer be delegated to corporate affairs after the fact. It has to be designed into the operating model before the fact.

McKinsey’s 2025 AI trust maturity research makes this link explicit: responsible AI practices are needed to build trust across customers, employees and stakeholders, and the average responsible AI maturity score among surveyed organisations was only 2.0 on a 0–4 scale. McKinsey also found that companies investing in responsible AI reported benefits including improved efficiency, increased consumer trust, enhanced brand reputation and fewer AI incidents.

For CEOs, the implication is clear: trust is not a communications asset. It is a management system.

The new risk stack: AI, cyber and ESG now amplify each other

The risk landscape is becoming more interconnected. Allianz’s 2026 Risk Barometer ranks cyber incidents as the number one global business risk for the fifth consecutive year, while AI jumped from number ten to number two, with Allianz describing AI as an operational, legal and reputational risk. Aon’s 2025 Global Risk Management Survey similarly ranks cyber attack or data breach as the top current and future risk, places damage to reputation or brand in the top ten current risks, and identifies AI and climate change among the top future risks. Aon’s key point is that these risks are systemic and interconnected.

The board problem is that a single event can now trigger multiple consequences:

A cyber breach can create operational downtime, POPIA reporting obligations, customer anger, regulatory scrutiny and questions about board oversight.

An AI incident can create legal risk, discrimination concerns, data privacy exposure, misinformation, customer harm and reputational loss.

An ESG inconsistency can trigger accusations of greenwashing, investor concern, employee cynicism, activist pressure and questions about the integrity of public reporting.

A deepfake or AI-enabled fraud can damage the company financially, but also raise a more damaging question: why were decision rights, verification procedures and executive approval processes so easy to manipulate?

This is why CEOs should stop asking, “What is the probability of this incident?” and start asking, “If this happens, what story will stakeholders tell about our leadership?”

The South African context: transparency is tightening

South African companies face an additional reputational challenge: governance expectations are rising while public trust remains fragile.

The JSE notes that sustainability reporting is becoming an indicator of management quality and a way for companies to show their ability to mitigate sustainability risks and create new opportunities. It also notes that the 2024 CIPC XBRL Taxonomy has been updated to allow voluntary early adopters of ISSB IFRS S1 and IFRS S2 to tag sustainability-related financial disclosures.

On data protection, South Africa’s Information Regulator announced that, from 1 April 2025, organisations must report security compromises through its eServices portal rather than by email, with reporting required where there are reasonable grounds to believe personal information has been accessed or acquired by an unauthorised person.

On AI, South Africa’s National AI Policy Framework, published in 2024, is positioned as a first step towards a full national AI policy, with emphasis on ethical AI, transparency, explainability, security, fairness, privacy and human oversight over critical AI decisions.

For South African CEOs, this means reputational risk is moving from soft judgement to hard evidence. Boards will increasingly need to show what was known, what was decided, what was tested, what was disclosed and what was remediated.

The “trust gap” is now a performance gap

The reputational risk conversation should not make CEOs defensive about AI. The opportunity is real. BCG’s AI Radar 2025 found that 75% of executives rank AI or GenAI as a top-three strategic priority, but only a quarter report meaningful value. BCG CEO Christoph Schweizer summarised the challenge: “while 75% of executives rank AI as a top three strategic priority, only a quarter report meaningful value”.

The lesson is not to slow down AI adoption. It is to professionalise it.

Deloitte’s 2026 State of AI in the Enterprise report shows that worker access to AI rose by 50% in 2025, but oversight of agentic AI is lagging, with only one in five companies having a mature governance model for autonomous AI agents. Deloitte’s earlier GenAI research warned that business leaders are under pressure to act “while ensuring appropriate governance and risk mitigation guardrails are in place.”

That is the CEO’s balancing act: move fast enough to remain competitive, but not so fast that the company loses control of its own evidence, data, decisions and accountability.

IBM’s 2025 Cost of a Data Breach research puts the issue plainly: “the real risk isn’t AI itself, it’s AI without governance.” IBM found that 97% of organisations reporting an AI-related security incident lacked proper AI access controls, while 63% lacked AI governance policies to manage AI or prevent shadow AI.

In other words, reputation risk is increasingly a control failure before it is a communication failure.

What should CEOs and boards do now?

The first move is to create a single board-level view of AI, cyber and ESG risk. These should not sit in separate committees, separate dashboards and separate assurance processes without a mechanism to connect them. The board needs to know where the organisation is most exposed to stakeholder harm, regulatory scrutiny and public trust loss.

The second move is to insist on an AI use-case register. The CEO should be able to ask: where is AI being used, who owns the use case, what data is involved, what decisions are affected, what human oversight exists, what risks have been assessed and how incidents would be escalated?

The third move is to create an evidence discipline for public claims. Any claim about AI capability, cyber resilience, sustainability progress, transformation, customer fairness or social impact should be backed by evidence that can survive scrutiny. The standard should be simple: do not say externally what cannot be proved internally.

The fourth move is to run board-level simulations. Not generic crisis simulations, but realistic scenarios: a biased AI lending decision goes public; a ransomware group leaks customer data; an executive deepfake authorises a payment; a sustainability claim is challenged by activists; an employee reveals the company is using public AI tools with confidential information. The test is not whether the organisation can issue a holding statement. The test is whether the CEO, CFO, CIO, CHRO, general counsel, risk lead and communications team can make aligned decisions under pressure.

The fifth move is to define escalation thresholds before the incident. Boards should know what triggers immediate CEO notification, regulator engagement, customer communication, external forensic support, insurer notification, legal privilege, board convening and public disclosure.

The sixth move is to treat culture as a control. Shadow AI, weak cyber hygiene and ESG exaggeration often begin as cultural signals: pressure to move fast, fear of raising concerns, incentives that reward performance over prudence, and a leadership narrative that treats governance as friction. CEOs should ask whether employees believe they can slow down a risky decision without career consequences.

The board questions that matter

A board that wants to govern reputational risk in the age of AI and transparency should ask:

1. Where are we using AI in ways that affect customers, employees, pricing, credit, safety, advice, claims, procurement or compliance?

2. Which AI, cyber or ESG failure would cause the greatest loss of stakeholder trust, even if the direct financial loss were manageable?

3. Can we evidence every material public claim we make about AI, resilience, sustainability, transformation and customer protection?

4. Do we know which third parties hold our data, make decisions on our behalf, host our systems or influence our sustainability claims?

5. Have we tested our response to a reputational crisis that crosses legal, technology, operational, regulatory and communications boundaries?

6. Would our employees know what to do if they saw an AI error, cyber weakness, data misuse or misleading ESG claim?

7. Can management show the board the difference between policy existence and control effectiveness?

The CEO’s role: make trust operational

The CEO cannot personally manage every AI model, cyber control or ESG metric. But the CEO does set the tone for how the organisation balances ambition and accountability.

In practical terms, that means making trust operational. Trust must show up in investment decisions, governance forums, executive incentives, incident response, data architecture, vendor management, assurance plans and public reporting.

The companies that get this right will not be the ones that avoid every incident. That is unrealistic. They will be the ones that can show stakeholders that their controls were serious, their response was fast, their communication was honest and their remediation was credible.

In an age of AI and transparency, reputation is no longer protected by saying the right thing after a crisis. It is protected by being able to prove the right things before the crisis.
