
Putting new COSO GenAI internal controls guidance into practice

By: Amy Steele | Geoff Kovesdy | Ryan Hittner

Talking points
  • The new Committee of Sponsoring Organizations of the Treadway Commission (COSO) generative artificial intelligence (GenAI) guidance helps organizations apply COSO’s 2013 Internal Control–Integrated Framework (ICIF) to fast-moving GenAI use cases.
  • The guidance turns broad GenAI governance principles into practical control design, monitoring, and audit-ready documentation.
  • Organizations that act early can scale GenAI with more confidence, especially in financial reporting and other high-risk areas.

In tech startup and entrepreneurial circles, there’s a familiar saying: “driving down the road while it’s still being paved.” With artificial intelligence (AI) in finance and accounting, it’s more like racing down the freeway while the guardrails are still being installed.

As AI rapidly accelerates from finance pilot programs to real-world use cases, a clear gap has developed between deployment and governance. Just 25% of organizations, for instance, report having a fully implemented AI governance program,¹ and only 21% have a mature governance model for autonomous AI agents.² While efforts like Deloitte’s Trustworthy AI™ framework have helped some organizations establish governance programs, what’s really needed is an industrywide standard—a common governance language and approach that organizations can rally around.

Enter COSO, a longtime thought leader in internal control, risk management, and governance. In February, COSO released Achieving effective internal control over Generative AI. Building on COSO’s 2013 Internal Control–Integrated Framework (ICIF), the report lays out a pragmatic approach to GenAI governance. Ahead, we highlight the report’s most important takeaways and share leading practices for putting them into action.

With unique capabilities come new risks

When GenAI burst into the mainstream a few years back, it captured attention because of its ability to process structured and unstructured information; generate text, images, and code; and interact with downstream systems through application programming interfaces. The result? Unprecedented efficiencies and analytical capabilities.

Those capabilities also introduced a distinct set of risks. They include GenAI’s ability to sound confident despite being wrong, model drift and bias accumulation, susceptibility to manipulation through carefully crafted prompts, and “shadow AI”—unauthorized or ungoverned AI implementations outside formal IT oversight.

Characteristics of the COSO framework

With these risks in mind, COSO developed a view of GenAI governance based on eight capabilities:

  • Ingestion
  • Transformation
  • Posting
  • Orchestration
  • Judgment
  • Monitoring
  • Knowledge retrieval
  • Human-AI interaction

This capabilities-based framework aligns with the five components (covering 17 principles) of the COSO integrated framework: control environment, risk assessment, control activities, information and communication, and monitoring activities. The goal in all this is to help organizations integrate GenAI into their operations by using the framework’s structure to clarify objectives, strengthen control design and execution, and increase rigor in traceability and monitoring.

Practical tools

Two practical features of the COSO AI framework stand out:

Audit-ready control mapping. Each of the eight capabilities includes embedded examples, minimum control expectations aligned to the five COSO components, and illustrative metrics for operational monitoring and audit evidence collection. This mapping helps close the gap between the governance framework and audit requirements.

Implementation tools. COSO helps reduce implementation time from months to weeks by providing starter templates such as risk assessment matrices, control testing procedures, and metric dashboards that teams can tailor to their specific scenarios.

Top takeaways from COSO’s GenAI guidance

We see COSO’s GenAI guidance as most useful when it builds on the 2013 ICIF rather than acting as a prescriptive rulebook. That matters because GenAI requires a different mindset of both management and auditors. It means shifting from rule-based systems with predictable outputs to probabilistic models with variable results—and from point-in-time assurance to ongoing monitoring of performance and risk.

That monitoring is especially important when GenAI is used in financial reporting, because this is not a “set it and forget it” technology. Effective monitoring focuses on meaningful indicators such as transaction volume, transaction size, and override rates to spot model drift and other issues early. It should also include regular checks on accuracy and reliability, along with reviews of root causes, whether tied to prompt design, retrieval issues, or vendor changes.

Leading practices

Moving forward, organizations can take the following six actions to manage GenAI risks effectively:

  • Establish cross-functional GenAI governance with defined roles, accountability, controls, and escalation protocols.
  • Maintain a GenAI use-case inventory and map in-scope use cases to key business processes, relevant assertions, and key controls.
  • Apply a use-case-based decision framework to rightsize the level of human involvement.
  • Implement COSO-aligned control “building blocks” for GenAI across the organization.
  • Apply heightened rigor to financially relevant GenAI use cases by mapping in-scope use cases to financial reporting processes, relevant assertions, and key controls.
  • Ensure appropriate communication, alignment, and documentation.

Deloitte’s Audit & Assurance AI leadership

Deloitte delivers responsible, tested, human-led, AI-powered innovations, addressing complex challenges with practical, trusted solutions. Deloitte’s AI-enabled offerings, combined with extensive industry, domain, and regulatory experience, can transform financial complexity into strategic clarity. Deloitte’s approach is grounded in quality, integrity, and transparency.

What role can Deloitte play?

Deloitte can advise you on how to leverage the COSO framework to put GenAI controls into practice—from governance and risk assessment to monitoring and documentation. For more information, explore our Heads Up: “COSO Releases Publication on Internal Controls Related to Generative AI” (April 3, 2026) in the Deloitte Accounting Research Tool (DART). You can also reach out to us directly.

The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Copyright © 2026 Deloitte Development LLC. All rights reserved.

Get in touch

Amy Steele

United States
Partner | Deloitte & Touche LLP

Amy is an Audit & Assurance partner performing audits and serving in the National Office of Deloitte & Touche LLP. She leads Deloitte’s National Office Audit & Assurance Services Group’s revenue subject matter team and Deloitte’s audit initiatives related to the cryptocurrency, digital assets, and blockchain emerging sectors. She co-chairs the AICPA’s Digital Assets task force and serves on the Center for Audit Quality’s Emerging Technologies and Cybersecurity task forces. She is also a member of the AICPA’s Assurance Services Executive Committee (ASEC) and the ASEC’s Strategic Direction Working Group. She performs audits in the technology industry, including the software and blockchain sectors. In her National Office role, Amy is responsible for developing and implementing strategies to enhance quality across the Audit & Assurance business, conducting consultations with practitioners to enact leading practices throughout the global Deloitte network, and leading initiatives to innovate and transform how Deloitte performs audits.

Geoffrey Kovesdy

United States
Audit & Assurance Principal | Digital Controls, AI, & Automation Offering Leader | FinanceAI Leader | Deloitte & Touche LLP

Geoff is an Audit & Assurance principal and leads the Digital Controls, AI, and Automation market offering and the IT Risk and AI-driven Risk and Controls-related services. He has advised clients through their strategic and transformation initiatives, including risk management, finance/digital transformations, process reengineering, business process outsourcing/insourcing, and ERP implementations. He leads client relationships through internal audit, finance and accounting, compliance, and cybersecurity. Geoff’s specialization is risk management, where he spends a significant amount of time advising his clients in modernizing and transforming risk management activities across the three lines, including leveraging AI/GenAI solutions and innovative ways of working. This includes strategy and operating model development and implementation and developing/deploying digital assets. He has led internal audit, SOX, and compliance activities for multiple Fortune 100 companies and has led reviews across various risk domains, as well as advising on implementing enterprise risk management frameworks and conducting internal audit risk assessments. In addition, Geoff has helped to incubate and bring several new products, technology assets, and services to market and is a recognized speaker at several industry and domain conferences on the topics of risk management, digital risk management, AI/GenAI, and risk excellence (coordinated assurance).

Ryan Hittner

United States
Audit & Assurance Principal

Ryan is an Audit & Assurance principal with more than 15 years of management consulting experience, specializing in strategic advisory to global financial institutions focusing on banking and capital markets. Ryan co-leads Deloitte’s Artificial Intelligence & Algorithmic practice, which is dedicated to advising clients in developing and deploying responsible AI, including risk frameworks, governance, and controls related to Artificial Intelligence (“AI”) and advanced algorithms. Ryan also serves as deputy leader of Deloitte’s Valuation & Analytics practice, a global network of seasoned industry professionals with experience encompassing a wide range of traded financial instruments, data analytics, and modeling. In his role, Ryan leads Deloitte’s Omnia DNAV Derivatives technologies, which incorporate automation, machine learning, and large datasets. Ryan previously served as a leader in Deloitte’s Model Risk Management (“MRM”) practice and has extensive experience providing a wide range of model risk management services to financial services institutions, including model development, model validation, technology, and quantitative risk management. He specializes in quantitative advisory focusing on various asset class and risk domains such as AI and algorithmic risk, model risk management, liquidity risk, interest rate risk, market risk, and credit risk. He serves his clients as a trusted service provider to the CEO, CFO, and CRO in solving problems related to risk management and financial risk management issues. Additionally, Ryan has worked with several of the top 10 US financial institutions leading quantitative teams that address complex risk management programs, typically involving process reengineering. Ryan also leads Deloitte’s initiatives focusing on ModelOps and cloud-based solutions, driving automation and efficiency within the model / algorithm lifecycle. Ryan received a BA in Computer Science and a BA in Mathematics & Economics from Lafayette College.

Media highlights and perspectives

  • First Bias Audit Law Starts to Set Stage for Trustworthy AI, August 11, 2023 – In this article, Ryan was interviewed by the Wall Street Journal, Risk and Compliance Journal about the New York City Law 144-21 that went into effect on July 5, 2023.
  • Perspective on New York City local law 144-21 and preparation for bias audits, June 2023 – In this article, Ryan and other contributors share the new rules that are coming for use of AI and other algorithms for hiring and other employment decisions in New York City.
  • Road to Next, June 13, 2023 – In the June edition, Ryan sat down with Pitchbook to discuss the current state of AI in business and the factors shaping the next wave of workforce innovation.
