News & Blogs

Auditing AI: Bridging the Gap Between Governance Claims and Verifiable Assurance

Global · · zhaomichelle.substack.com

This article highlights the critical and growing need for robust AI auditing as organizations rapidly deploy AI systems. It argues that while AI governance budgets are increasing, a significant gap exists between having policies and implementing effective, verifiable assurance functions. Internal audit professionals are uniquely positioned to address this gap by leveraging existing risk management skills and adapting them to the probabilistic and complex nature of AI, focusing on independent evidence and understanding distinct AI failure modes.


The Urgent Need for AI Auditing

The rapid adoption of Artificial Intelligence across industries has created a significant challenge for oversight and assurance. While many organizations are investing in AI governance, there's a stark difference between merely claiming governance and actually implementing a verifiable, independent assurance function. This gap is where the internal audit profession must step in. Traditional audit methodologies, often reliant on pass/fail logic and deterministic systems, are insufficient for AI's probabilistic outputs and complex failure modes. Auditors must evolve their approach to provide meaningful assurance in this new landscape.

Understanding AI's Unique Risks and Failure Modes

Effective AI auditing requires a nuanced understanding of the distinct ways AI systems can fail, moving beyond a generic concept of "AI risk." The article categorizes these failures into three main families:

  • Generative-model failures: These include issues like hallucination (AI confidently stating false information) and bias (skewed outputs reflecting training data imbalances). These are inherent to how generative models function, meaning they cannot be entirely eliminated but must be bounded and detected.
  • Predictive-ML failures: This category encompasses problems like concept drift and stale training data, where models fail because the real-world conditions they operate in change faster than their underlying assumptions or training data. This requires controls focused on continuous monitoring and retraining.
  • Data-handling failures: Not directly related to model behavior, these involve sensitive data leakage through normal, often well-intentioned, use of AI tools (e.g., employees pasting confidential information into external generative AI services). This highlights the need for robust data privacy and provenance controls.

The common thread across these is the lopsided nature of their downside risks; even a low error rate can have severe consequences if errors occur in critical decisions. This necessitates a shift from average error rates to understanding the impact of specific errors.

Starting the AI Audit Journey

For internal audit functions, initiating AI auditing doesn't require an immediate overhaul of skills or becoming data scientists overnight. The initial steps leverage existing audit competencies and focus on foundational understanding and scoping:

  • Establish an inventory baseline: Create a comprehensive register of all AI/ML systems, including third-party tools embedded in SaaS, to understand the full scope of AI use within the organization.
  • Profile risk across key dimensions: Assess each in-scope system against critical risk domains such as governance, data provenance, regulatory compliance (e.g., EU AI Act, NIST AI RMF), privacy, and change management. This helps identify specific areas of exposure.
  • Assemble the right cross-functional team: Recognize that AI risk is multifaceted, requiring collaboration across legal, data science, security, and audit. Augment existing risk management skills with specialized technical fluency as dictated by the identified risk profile.

These initial steps enable auditors to map the AI landscape and identify critical risk areas before delving into the more technical aspects of pipeline-level verification. The goal is to move towards a discipline where audit conclusions are probabilistic, transparent about uncertainty, and based on independent, reconstructible evidence, rather than relying on simplistic pass/fail attestations.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →