News & Blogs

From Innovation to Regulation: How Internal Audit Must Respond to the EU AI Act

Europe · · wolterskluwer.com

The EU AI Act, set for full enforcement by 2026, introduces the world's first comprehensive regulatory framework for artificial intelligence, classifying AI systems by risk level. This legislation has extraterritorial reach, impacting organizations globally, not just within the EU. Internal audit functions must proactively adapt to this new regulatory landscape by building AI literacy, integrating AI risk into audit planning, and developing methodologies to ensure compliance and effective AI governance.


The EU AI Act: A Global Standard for AI Governance

Artificial intelligence has rapidly transitioned from experimental technology to an integral part of operational processes across various sectors. This widespread adoption, however, brings significant risks to individuals, organizations, and societies. The European Union's Artificial Intelligence Act (EU AI Act) is a landmark regulation, representing the first comprehensive attempt to manage these risks through a binding legal framework.

Much like the GDPR before it, the EU AI Act is poised to become a de facto global standard, influencing how organizations worldwide design, deploy, govern, and audit AI systems, regardless of their geographical location. For internal auditors, this signifies a fundamental shift: AI risk is no longer an abstract concept but a regulated domain with clear expectations for governance, controls, documentation, monitoring, and accountability.

Understanding the EU AI Act's Risk Categories

The EU AI Act employs a risk-based regulatory model, categorizing AI systems based on their potential harm to individuals and society. This approach dictates the level of compliance obligations:

  • Unacceptable Risk: These AI practices are outright prohibited due to their incompatibility with EU values and fundamental rights. Examples include manipulative AI that exploits vulnerable populations or social scoring systems.
  • High-Risk AI Systems: These systems are permitted but subject to stringent requirements. They are typically critical applications in sensitive areas like employment, healthcare, law enforcement, and critical infrastructure. Organizations deploying high-risk AI must conduct extensive risk assessments, implement robust data governance, ensure human oversight, maintain detailed technical documentation, and provide ongoing monitoring.
  • Limited-Risk AI Systems: These systems require specific transparency obligations, such as informing users when they are interacting with an AI (e.g., chatbots or deepfakes).
  • Minimal-Risk AI Systems: The majority of AI applications fall into this category, facing no new regulatory obligations beyond existing laws. Examples include AI in gaming or spam filtering.

The primary focus for regulatory scrutiny and internal audit attention will be on high-risk AI systems, given their significant compliance, reputational, and operational exposure.

The Extraterritorial Reach of the EU AI Act

A crucial aspect of the EU AI Act is its extraterritorial scope. It applies not only to organizations within the EU but also to those outside if they sell AI systems on the EU market or if the outputs of their AI systems are used within the EU. This means non-EU organizations must assume that compliance with the EU AI Act is essential if they interact with EU customers, employees, patients, or users through AI.

How Non-EU Organizations Must Respond

Compliance with the EU AI Act demands significant structural changes for organizations outside the EU:

  • AI Inventory and Classification: Organizations must create a comprehensive inventory of all AI systems in use, including internally developed models, third-party tools, embedded AI, and generative AI used by employees. Each system must be assessed and classified according to the Act's risk categories.
  • Governance and Accountability Structures: Clear accountability for AI risk must be established, covering AI strategy, risk assessment, compliance, and incident response. This often requires extending existing governance frameworks to explicitly include AI.
  • Third-Party and Supply Chain Risk: Given that much AI risk originates from vendors, non-EU organizations must ensure that vendor contracts, due diligence, and ongoing monitoring align with the EU AI Act's requirements, including access to documentation and audit rights.
  • Documentation and Transparency: The Act emphasizes thorough documentation, requiring organizations to demonstrate how AI systems were designed, trained, risks assessed and mitigated, human oversight implemented, and performance monitored. This necessitates a cultural shift towards more rigorous documentation practices.

Internal Audit's Pivotal Role Under the EU AI Act

The EU AI Act underscores the critical need for internal audit to act as a governance partner in AI oversight. Internal auditors are uniquely positioned to assess the effectiveness of AI governance structures and validate management's compliance assertions.

  • Auditing AI Governance: Internal audit should evaluate the existence of clear AI governance frameworks, defined roles and responsibilities, board oversight, and policies governing acceptable AI use.
  • Auditing Risk Classification and Impact Assessments: Auditors must verify that AI systems are correctly classified, risk assessments are complete and objective, and mitigation measures are implemented and tested.
  • Auditing Data Quality and Model Controls: This involves examining data sourcing, governance practices, controls over training and validation data, bias identification, and model drift detection.
  • Auditing Human Oversight and Accountability: Auditors need to assess whether human oversight is meaningful, escalation paths exist for AI failures, and accountability is clearly assigned for AI-driven decisions.
  • Auditing Third-Party AI Risk: Internal audit should expand third-party risk assessments to include AI considerations, such as vendor compliance, transparency into vendor AI models, and contractual protections.

The Criticality of EU AI Act Audits for Compliance

The EU AI Act formalizes the necessity for robust AI governance and risk oversight, pushing organizations towards disciplined, auditable control environments. Internal audit functions must invest in AI literacy, understand governance frameworks, and design appropriate audit methodologies. Proactive engagement is crucial to ensure internal auditors remain relevant as AI increasingly shapes enterprise risk profiles.

The Act also highlights the importance of continuous auditing and monitoring, recognizing the dynamic nature of AI systems. Regulators expect internal audit to actively identify AI risks, facilitate governance discussions, and provide assurance over these emerging risk domains.

Preparing for Increased Requirements

With full enforcement of the EU AI Act approaching, organizations and internal auditors must act now to:

  • Build AI literacy within audit teams.
  • Incorporate AI risk into audit planning.
  • Engage with management on governance design.
  • Pilot AI-focused audits and advisory reviews.
  • Align audit frameworks with emerging regulatory expectations.

The EU AI Act is more than just a new compliance requirement; it signals that AI has reached a level of impact where informal controls are no longer sufficient. AI assurance is now a core component of modern governance, risk, and compliance.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →