With the AI Act in force, that sentence is becoming a governance expectation — one a board should be able to say, date, and evidence.
Boards are already expected to state that they have assessed cyber risk, climate exposure, and going concern. AI exposure is joining that list — not because a regulator demands the exact document, but because the question is now asked in every diligence process, credit review, and renewal negotiation.
An exposure statement answers it the way boards prefer to answer: with a dated, scored, comparable document rather than a narrative.
The position statement is the public rendering: how a company uses AI, what it does not do with customer data, and why its service holds. Once a few companies in a market publish one, the question moves to those who haven't.