TLDR: Internal audit functions are becoming crucial in navigating the complexities of Artificial Intelligence (AI) by establishing robust governance, risk management, and control frameworks. This proactive involvement is essential for building trust, mitigating risks, and enabling responsible AI innovation within organizations.
As Artificial Intelligence rapidly integrates across enterprises, from automated underwriting to generative customer support, the need for intentional and adaptive control frameworks has become paramount. Internal audit teams are uniquely positioned to lead the charge in AI governance, moving beyond traditional risk mitigation to become strategic advisors in shaping responsible innovation. This shift is critical to avoid unmitigated risks, model failures, compliance breaches, and reputational harm.
PwC highlights that internal audit’s independent assurance is essential for managing AI-related risks and building trust. By embedding audit functions into the AI lifecycle, organizations can ensure responsible use and prevent governance gaps. This proactive oversight not only enhances stakeholder confidence but also strengthens the organization’s overall governance reputation.
The Institute of Internal Auditors (IIA) emphasizes the importance of clear and measured safeguards for AI applications. In their recommendations to the U.S. Office of Science and Technology Policy (OSTP) for an Artificial Intelligence Action Plan, the IIA advocated for a comprehensive plan that underscores governance, internal controls, and risk management. They specifically noted that internal audit, operating under Global Internal Audit Standards, is responsible for providing objective assurance over AI-related risk management and internal control processes. The IIA recommends empowering the private sector through internal audit to execute assurance responsibilities, rather than establishing a traditional regulatory regime.
Québec’s Autorité des marchés financiers (AMF) has also moved on AI oversight for financial institutions, including insurers. Its guidelines emphasize that individuals responsible for AI policies must possess sufficient knowledge of AI systems, their risks, the institution’s risk appetite, and ethical positions. The AMF identifies the board of directors, senior management, risk management, and internal auditors as key stakeholders, elaborating on their roles in the AI system’s lifecycle. This lifecycle includes evaluating training data quality, governing design and acquisition, conducting validations and internal audits, setting usage limits for high-risk AI, and continuous supervision.
The 2025 AI Action Plan in the U.S., as discussed by The National Law Review, signals a dual approach of deregulation and prescription. It aims to ease friction for favored AI development while centralizing federal control over funding, procurement, and export compliance. For AI-facing entities, this necessitates auditing risk exposure, aligning internal governance, and anticipating shifting federal incentives. The plan directs the OSTP and the Office of Management and Budget (OMB) to identify and eliminate rules that constrain AI development, potentially conditioning federal AI funding on state regulatory environments.
Adnan Masood’s “Responsible AI Revisited” further elaborates on critical changes in AI risk and governance. It stresses the need to embed AI risk into Enterprise Risk Management (ERM) strategy, requiring clear governance and ownership, continuous risk assessment, transparency by design, robust real-time monitoring and auditing with human validation, and proactive alignment with evolving regulations. The EU AI Act, which entered into force on August 1, 2024, is highlighted as the world’s first comprehensive AI law, establishing a risk-based classification and imposing strict requirements on high-risk AI systems.
In essence, internal audit is no longer just a compliance function but a strategic partner in navigating the complex and rapidly evolving landscape of AI. Its involvement from the early stages of AI development and deployment is crucial for fostering responsible innovation, ensuring ethical considerations, and maintaining stakeholder trust.


