When one committee oversees everything, does it oversee anything?
A professional acquaintance of mine sits on the board of one of the world's largest automotive companies. Last year, she told me something that stopped me: the audit committee met seventeen times in 2025. Not by design. By necessity. Trade policy shifted so rapidly, geopolitical exposure changed so fast, and the committee's mandate was so expansive that every month, sometimes every week, something urgent demanded formal oversight. "These directorships were never meant to be full-time jobs," she said. "But that's what they've become."
That account is not an outlier. It is a leading indicator. What is happening at the audit committees of the world's most sophisticated public companies (the scope creep, the competency strain, the governance fatigue) is now becoming visible at companies of every size and sector. And most boards are not prepared for the conversation about what to do next.
In my work advising corporate boards and management teams through Telesto Strategy, I spend considerable time on exactly this tension. The audit committee has, over the past two decades, been transformed from a focused financial oversight body into something that increasingly resembles a catch-all risk repository for everything the full board doesn't have a committee for yet. The result is a governance structure under significant strain, with meaningful implications for the C-suite executives who report to it and for the directors charged with providing genuine oversight.
The audit committee's scope did not expand overnight. It accumulated, incrementally and often reactively, in response to successive crises and regulatory inflection points. Understanding the arc matters because it reveals something important: each expansion felt justified in isolation. The aggregated result was not the product of deliberate design.
In the wake of Enron and WorldCom, SOX fundamentally restructured audit committee authority, mandating independence, establishing financial expertise requirements, and placing external auditor oversight squarely with the committee.
Dodd-Frank introduced enterprise risk management as a board-level mandate. For many companies without separate risk committees, that responsibility defaulted to audit. The ERM mandate has never left.
Investor activism and frameworks like TCFD and SASB pushed climate and ESG risk onto audit committee agendas. Audit committees found themselves reviewing non-financial disclosures they were not originally constituted to evaluate.
The SEC's final rule required public companies to identify which board committee oversees cybersecurity risk. The audit committee became the default designee at 64% of S&P 500 companies (CAQ review of post-rule 10-K filings), not because it was best equipped, but because it was already there.
Generative AI adoption accelerated across enterprise functions while the return of aggressive US tariff policy, including expanded Section 232 measures and new levies on Chinese imports, created urgent compliance and disclosure obligations. Audit committees absorbed oversight of both domains simultaneously, often without dedicated expertise in either.
Escalating tensions across the Taiwan Strait, Red Sea shipping disruptions, and sanctions regimes targeting Russia and Iran elevated geopolitical exposure from a periodic discussion topic to a standing audit committee concern, with direct implications for supply chain disclosures, segment reporting, and enterprise risk assessments.
According to the 2025 Audit Committee Practices Report, a collaboration between the Center for Audit Quality and Deloitte, the scope of audit committee responsibility has never been broader. The following reflects the proportion of S&P 500 audit committees now formally responsible for each domain.
Sources: CAQ/Deloitte 2025 Audit Committee Practices Report; EY Audit Committee Transparency Barometer; BDO Q4 2025 Audit Committee Agenda. AI and ESG figures represent directional estimates where formal tracking varies by survey.
What concerns me most in my advisory work is not simply that the audit committee's mandate has grown. It is that four specific domains have converged simultaneously, each of which requires deep domain expertise that most audit committee members do not have, and that governance frameworks were not designed to provide.
AI has become the defining governance challenge of 2025–2026. Audit committees are now expected to oversee AI model risk, algorithmic bias in customer-facing systems, data provenance for training sets, and regulatory compliance across a fragmented global landscape, from the EU AI Act to emerging US executive orders. Most committee members lack the technical fluency to evaluate whether management's AI governance frameworks are substantive or performative, creating a dangerous gap between stated oversight and actual understanding.
The 2025 trade policy environment introduced layered tariff obligations across metals, components, agriculture, and technology. Audit committees are now expected to verify customs classifications, monitor rules of origin, assess transfer pricing exposure, and review supply chain restructuring decisions in real time, with financial disclosure implications attached to each.
Cybersecurity has been on audit committee agendas for years. What has changed is the OT layer: shop floors, logistics networks, agricultural equipment, and grid connections are now attack surfaces. Most audit committee members understand IT cyber risk reasonably well. Almost none have deep fluency in OT vulnerabilities, and the distinction matters enormously for sectors like industrials, manufacturing, and energy.
For energy-intensive industries (steel, aluminum, chemicals, food processing, data centers, cold chain logistics), energy cost and supply continuity is a material financial risk. The audit committee is increasingly expected to assess energy exposure in financial disclosures, evaluate hedging strategies, and understand geopolitical risk to energy supply chains. This is sophisticated territory for a body whose core training is accounting.
The question is no longer whether these risks are material. They clearly are. The question is whether the people responsible for overseeing them are equipped to do so, and whether "I relied on management" will hold as a legal defense when it doesn't. (Alex Kruzel)
Not all industries feel this triple pressure equally. For sectors with deep physical supply chains, energy-intensive operations, or complex cross-border sourcing, the convergence of tariff, cyber, and energy risk creates a compounding governance problem that is qualitatively different from what these companies faced even three years ago.
| Sector | Tariff exposure | Cyber / OT risk | Energy risk | AC pressure |
|---|---|---|---|---|
| Industrials & heavy mfg. | Fabricated metals face avg. tariff rates above 30% under 2025 Section 232 measures | OT-connected plant floors; 87% ransomware surge in industrial environments (Dragos 2025) | Energy represents 15–30% of COGS in many sub-sectors; price volatility directly hits margin | Critical |
| Agriculture & food processing | Retaliatory tariffs on soybeans, poultry, and grain exports; significant impact on export-bound goods | Precision agriculture systems and cold chain logistics increasingly connected; fewer security teams | Food processing is highly energy intensive; natural gas and electricity costs affect processing margins materially | Critical |
| Retail & consumer goods | Apparel, electronics, and household goods face steep tariff increases from China sourcing | Supply chain digital systems; point-of-sale and ERP vulnerabilities; tariff-related domain fraud rising | Store operations, distribution centers, and cold storage all carry energy cost exposure | High |
| Logistics & transportation | Customs compliance complexity; origin documentation requirements; trans-shipment monitoring | Connected fleets, routing systems, and port infrastructure; new vendors create OT gaps | Fuel costs are the dominant variable; LNG pricing, diesel hedging, and electrification capital | High |
| Automotive | Transportation equipment now faces avg. tariff rates above 25%; EV battery sourcing and USMCA compliance | Connected vehicles, supplier network OT, SAP trade management: each a distinct attack surface | Energy transition capital costs; grid access for EV manufacturing; utility relationships as strategic assets | Critical |
| Chemicals | Dual-use technology export controls; complex international sourcing; sanctions exposure on precursors | Process control systems; SCADA vulnerabilities in refining; state-actor targeting | Energy is often the primary feedstock; natural gas and electricity directly determine production economics | Critical |
Several large US multinationals have already begun adapting their audit committee charters, internal audit scopes, and management reporting structures in response to this expanded mandate. Their approaches are instructive, and imperfect.
GM's audit committee expanded its internal audit scope to include third-party reviews of supplier compliance with US and Mexican origin requirements, particularly around EV battery sourcing and its implications for USMCA duty treatment.
Caterpillar's audit committee now oversees a dedicated geopolitical risk register tied to tariffs, foreign sales disclosures, and segment reporting vulnerabilities in China and Brazil, integrating what was previously a commercial risk into formal financial oversight.
P&G added tariff exposure tables to its internal audit risk dashboards, with particular focus on packaging materials, resins and aluminum, where tariff-driven cost structures have direct implications for pricing strategy and COGS disclosure.
After tariffs on poultry and grain imports compressed margins, Tyson's audit committee approved expanded testing of customs classifications for export-bound goods, a domain that most audit committees had not previously treated as a priority.
Ford added cybersecurity audit checkpoints to its SAP-based trade management system, recognizing that the integrity of tariff compliance data is itself a cyber risk, with financial and legal consequences of misclassification or manipulation.
JPMorgan's audit committee charter mandates a minimum of eight meetings annually and requires joint sessions with the Risk Committee on overlapping domains, a structural approach that most non-financial services companies have not yet adopted, but arguably should consider.
The question I find most often unasked in boardrooms is not about a specific risk. It is about infrastructure: What resources should we be using to develop the competencies we lack, and how do we use AI to fill those gaps?
The honest answer is that AI is already transforming what is possible for audit committee support. Real-time risk dashboards, automated regulatory monitoring, natural language interfaces for reviewing complex compliance documents, and AI-driven anomaly detection in financial data are all either available now or on a short horizon. These tools can compress the knowledge gap between what a generalist director can absorb and what expert-level oversight actually requires.
But this creates a paradox that I find genuinely unresolved: if the audit committee is now expected to oversee AI risk within the organization, and AI is simultaneously the most promising tool to help the committee do its own work more effectively, who governs the tool that is supposed to help you govern?
AI-enabled dashboards can continuously monitor tariff regulatory updates, geopolitical risk signals, and cybersecurity threat feeds, providing audit committee members with synthesized, decision-ready intelligence rather than backward-looking management reports.
Large language models can review customs classifications, audit findings, and compliance documentation at scale, surfacing anomalies and inconsistencies that would take human review teams significantly longer to identify.
AI can model tariff impact scenarios, energy price sensitivity, and cyber event financial consequences across different business assumptions, giving audit committees the ability to stress-test disclosures and risk assessments rather than simply accepting management representations.
AI-curated knowledge tools, including regulatory briefing summaries, sector-specific risk digests, and comparative governance benchmarking, can help audit committee members maintain functional fluency across domains without requiring expert-level depth in each.
The practical question for boards is not whether to adopt these tools. It is how to do so with appropriate governance guardrails, how to evaluate the quality of AI-generated analysis, and how to ensure that AI assistance does not create a false sense of oversight competency that is itself a governance risk.
When I work with companies on these challenges, the most productive starting point is almost never a specific risk domain. It is the meta-question: Is this committee constituted and equipped to provide meaningful oversight of what it has been asked to oversee?
For C-suite executives, who both report to the audit committee and depend on its oversight functioning well, the practical implications are significant. A committee that is overextended is not an effective check. It is a liability surface: for disclosure quality, for regulatory compliance, and for crisis management when something goes wrong.
For board members, the challenge is partly compositional and partly architectural. The right question is not only "who should be on this committee" but "what should this committee actually own, and what should move to a dedicated subcommittee, a joint session with another committee, or the full board." That structural conversation is one most boards are avoiding, and the discomfort of having it is orders of magnitude smaller than the discomfort of a regulatory inquiry or a shareholder derivative suit.
The resources exist: AI-enabled monitoring tools, expert advisory panels, structured continuing education programs, cross-committee protocols. But they require deliberate investment and deliberate design. The audit committee will not reorganize itself. That work belongs to the board as a whole, and it belongs to the CEO and CFO who are closest to the operational risks the committee is trying to oversee.
What I know from working across these companies is this: the boards that are asking the hardest questions about their own governance structures are the same boards that are best positioned to withstand what 2026 will bring. That is not a coincidence. The kitchen sink was never meant to hold everything. Knowing that, and acting on it, is one of the most consequential governance decisions a board can make right now.
These are not rhetorical questions. They are the ones that surface in boardrooms and strategy sessions and that I have not seen satisfactorily resolved, not in the governance literature, not in regulatory guidance, and not yet in the companies I advise.
Alex advises corporate boards, management teams, and private equity sponsors on geopolitical risk, operational resilience, and sustainability strategy across the US and globally. She is the author of The Courage to Continue. She can be reached at www.alex-kruzel.com.