The Risk Factors section is the part of an annual report where a company is required to tell investors, in its own words, what could go wrong. It is not optional boilerplate that a company writes however it likes; it is governed by a specific Securities and Exchange Commission rule, Regulation S-K Item 105, codified at 17 CFR 229.105. For AI companies, this section has become the primary disclosure venue for the legal, regulatory, and reputational risks attached to the technology itself — and reading it carefully is one of the cleaner ways to see what management formally concedes might harm the business.

Item 105 sets out what the section must contain and how it must be written. The rule requires a discussion of 'the material factors that make an investment in the registrant or offering speculative or risky,' organized 'logically with relevant headings,' with each risk under a subcaption that 'adequately describes the risk.' The Commission explicitly discourages generic, could-apply-to-anyone risk language; where a company does include generic risks, the rule requires them to be grouped at the end under a 'General Risk Factors' caption. The rule also requires plain English and, for discussions longer than 15 pages, a two-page summary up front.

Concisely explain how each risk affects the registrant or the securities being offered.— 17 CFR 229.105 (Regulation S-K Item 105), source

That five-word instruction — 'concisely explain how each risk affects the registrant' — is the standard against which a reader can judge any risk factor. A risk written to satisfy the rule should say something specific about this company; a risk written as throat-clearing ('the economy could decline') is exactly what the rule discourages. The distinction matters most in a fast-moving field like AI, where the company-specific risks are often new and concrete.

How AI risk shows up in the section

AI companies populate Item 105 with risks that did not exist in older filings. NVIDIA's annual report on Form 10-K for the fiscal year ended January 26, 2025 includes a risk factor addressing the responsible use of AI, stating plainly:

AI poses emerging legal, social, and ethical issues and presents risks and challenges that could affect its adoption, and therefore our business.— NVIDIA Corporation, Form 10-K (fiscal year ended January 26, 2025), source

The same filing discloses regulatory risk in concrete terms, noting that governments 'are considering enacting or have already enacted regulations concerning AI technologies, which may impact our ability to train, deploy, or release AI models, and increase our compliance costs,' and that the strategic importance of AI 'has resulted in regulatory restrictions that target products and services capable of enabling or facilitating AI.' For a company whose accelerators are subject to export controls, that is not a generic risk — it is a company-specific exposure that ties directly to product lines, which is precisely the specificity Item 105 is built to elicit.

Reading risk factors as a year-over-year signal

The same filing's risk language also extends beyond regulation into the operational realities of selling AI. NVIDIA's 10-K discloses that issues 'relating to the responsible use of our technologies, including AI in our offerings, may result in reputational or financial harm and liability,' and that a failure 'to develop effective internal policies and frameworks relating to the responsible development and use of AI models and systems offered through our sales channels' could produce 'brand or reputational harm, competitive harm or legal liability.' Read against Item 105's command to explain how each risk affects the registrant specifically, those sentences identify exposures tied to the company's actual products and sales channels rather than to the economy at large — the kind of concrete, registrant-specific risk the rule is designed to draw out. The clustering of multiple distinct AI risks under their own subcaptions is itself a structural signal of how central the technology has become to the company's risk profile.

Because the rule requires company-specific language, the most informative way to read risk factors is comparatively, across years. New subheadings, sharpened verbs (a risk that 'may' cause harm becoming one that 'has' caused harm), and quantified exposures are the markers of a risk management chose to elevate. A risk factor that appears for the first time, or that moves from hypothetical to actual, is a disclosure event in itself — even when no single quarter's numbers move — because the company has formally told investors the exposure is now material enough to name.

Two cautions keep the reading honest. First, the presence of a risk factor is not an admission that the risk has materialized; it is a forward-looking disclosure of what could happen, and the rule frames it that way. Second, risk factors are written by management with input from counsel, so the value is in the specificity and the change over time, not in treating any single sentence as breaking news. The discipline is to compare this year's risk section against last year's, flag the AI-specific language that is new or sharpened, and trace each flagged risk back to the exact Item — Risk Factors is Item 1A of the 10-K, governed by 17 CFR 229.105 — so the citation is to the rule and the filing, not to a summary of either. Read with that discipline, the Risk Factors section is less a legal formality than a map of what management has formally conceded could go wrong, written under a rule that demands the map be specific to the company drawing it — and for AI companies, it is increasingly a map dominated by the technology itself.