Why internal audit should act now to support the establishment of an effective AI governance and risk management program

Talking points

• As AI adoption accelerates, governance in many companies is still catching up.
• Internal audit teams should act as an AI catalyst—promoting the adoption of a robust AI governance program.
• By evaluating adherence to leading practices, internal audit teams can provide assurance that AI governance, risk management, and controls are well designed and functioning effectively.

Artificial intelligence (AI) has quickly shifted from a boardroom buzzword to a strategic imperative for many organizations. As executive teams double down on the latest AI innovations, companies are accelerating experiments with chatbots, agentic systems, and advanced analytics—aiming to boost quality, cut costs, and unlock new growth. Yet, while these pilots race ahead, many organizations are just beginning to establish AI governance frameworks—or, in some cases, have yet to get started—opening themselves up to serious risks and consequences.

This gap between the rapid deployment of AI and the slower pace of governance development presents internal audit organizations with a unique and timely opportunity to step in to add immediate value to their companies. Internal audit can serve as the seatbelt for a company that already has the accelerator to the floor with its AI pilot programs. This emerging role for internal audit involves elevating risk conversations and embedding assurance early in the AI deployment process. 

In this blog, we’ll take a closer look at internal audit’s role as a catalyst in helping the enterprise appropriately govern AI expansion. We’ll also explore leading practices teams can follow to get up to speed on effective AI governance.

Guidance for AI governance

Let’s begin with some general guidance for enterprises starting their AI governance journey. When establishing AI governance, companies should: 

• Inventory with intent. Go beyond formal projects; look for robotic process automation (RPA) bots that use large language models (LLMs), Software as a Service (SaaS) integrations, and experimental pilot projects.
• Consider all types of risks. Evaluate policies against the five pillars of AI assurance: transparency, fairness, privacy and security, reliability, and accountability. 
• Vary testing techniques. Combine traditional control testing with new methods: adversarial prompting, boundary/stress tests, and data-lineage tracing.
• Recognize the risks posed by agentic AI. Autonomous agents, which plan, act, and learn with minimal human oversight, can potentially introduce more risk than, say, a Q&A chatbot. Agentic AI controls should therefore include goal alignment, guardrails, audit trails, and human-in-the-loop overrides to effectively mitigate this higher level of risk.
• Don’t forget that culture counts. In our experience, effective governance is 20% policy and 80% behavior. The organization should foster the mindset that responsible AI is everyone’s job.

Internal audit’s changing role

Given the rapid rise of AI adoption across today’s companies, the internal audit organization can no longer afford to take a passive, wait-and-see approach to governance. Instead, it should step up as a proactive catalyst to help navigate both the opportunities and risks of AI. Specifically, internal audit should: 

• Raise awareness of AI risks by identifying and communicating emerging threats and vulnerabilities to the organization.
• Champion the establishment of a robust AI governance program to promote responsible innovation.
• Evaluate the design and test the effectiveness of the governance program to confirm it’s working as intended.

Practical steps that can have a major impact

AI governance should be grounded in core governance principles but also allow for today’s rapid pace of innovation. The goal for the enterprise is to set clear AI guardrails—enabling responsible deployment without unnecessary roadblocks.

Here are four practical steps internal audit teams can take to help the organization establish its AI governance framework:

1. Validate the AI landscape: Inventory use cases, data flows, and model types—including “shadow” projects—and compare them to what the organization tracks. Example result: A quick-start survey uncovers a marketing team’s generative pretrained transformer (GPT) content generator running without approval.
2. Assess the governance framework: Compare existing policies to leading practices (e.g., NIST AI RMF, ISO 42001). Identify missing guardrails for ethics, bias, security, and accountability. Example result: Governance gap analysis shows the company policy lacks practical monitoring expectations for critical AI applications.
3. Test AI control design and operating effectiveness: Validate that AI controls (e.g., data quality, model monitoring, change management, human oversight) work in real life—before and after deployment. Example result: For an agentic AI that autonomously reprices e-commerce SKUs, an internal audit might simulate out-of-range scenarios to confirm that escalation triggers work as intended.
4. Advocate and elevate: Present findings to senior leadership, recommend remediation, and track progress—not just as an annual exercise, but on a continuous basis. Example result: Audit dashboards to the audit committee highlighting risk trends and remediation status of audit issues involving AI governance.

Moving forward

AI innovation won’t wait for perfect governance, but strong governance is essential—so internal audit should act now. Start by piloting an AI governance review and a deep-dive assessment on a high-risk use case. Embed AI risks into the annual audit plan and use data analytics to monitor emerging issues. Partner with risk owners, compliance, and technology to encourage practical controls. By acting early, internal audit can help the organization capture AI’s benefits while managing risk and meeting stakeholder expectations.

What role can Deloitte play?

Deloitte can advise you on internal audit’s expanding AI role. Our Audit & Assurance professionals have extensive experience advising finance executives and internal audit teams in establishing effective AI safeguards, risk management procedures, and internal controls that balance oversight and innovation. For more information, visit our website, or reach out to us directly. 

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.