Modernizing IT SOX Compliance for AI-Native Companies
News & Blogs

Modernizing IT SOX Compliance for AI-Native Companies

Global · · linkedin.com

Traditional IT SOX compliance frameworks are outdated for AI-native companies due to rapid development cycles, cloud-native infrastructure, and continuous model retraining. This article argues for a shift from periodic, bolt-on compliance to continuous, embedded controls within engineering processes. It highlights that AI itself presents both new risks and powerful solutions for more effective and less burdensome SOX programs.


The Old Playbook Doesn't Fit the New World

Adrian Tjakra, CISA, CDPSE shares how traditional IT SOX frameworks, designed for stable, on-premise ERP systems and annual audit cycles, are ill-suited for the dynamic environment of AI-native companies. These companies operate with:

  • Engineering teams deploying code multiple times daily via CI/CD pipelines.
  • Entirely cloud-based infrastructure (AWS, Azure, GCP).
  • Continuous retraining of AI models, potentially impacting financial systems.
  • A blurring line between 'IT system' and 'AI model'.

Applying an unadapted traditional ITGC framework in this context leads to audit fatigue and a false sense of assurance, as controls may not address the actual risks.

Three Things AI-Native SOX Programs Must Get Right

1. Controls must be continuous, not periodic.

In a cloud-native AI environment, annual or semi-annual control testing is insufficient. The future of SOX involves continuous monitoring through automated scripts that flag anomalies in real-time, rather than auditors sampling past transactions. Implementing automated ITGC monitoring can significantly reduce SOX deficiencies by catching issues as they occur.

2. Compliance must be embedded in engineering, not bolted on after.

Many pre-IPO tech companies treat compliance as an audit exercise, documenting controls after systems are built. A more effective approach is 'compliance by design,' where controls are integrated into the system architecture from the outset. This means:

  • Change management controls living within the CI/CD pipeline.
  • Automated access provisioning controls in the identity management layer.

Embedding compliance in the build process ensures it scales automatically with company growth.

3. AI itself is both the risk and the solution.

AI introduces new compliance risks, such as models handling financial data, automated decision-making in financial workflows, and rapid system changes. However, AI also offers powerful solutions:

  • AI-powered continuous monitoring.
  • Anomaly detection.
  • Intelligent risk assessment.

These capabilities can make SOX programs more effective and less burdensome, allowing for real-time analysis of all transactions rather than just samples.

What This Means for Pre-IPO AI Companies

For AI companies preparing for public markets, SOX readiness is a long-term endeavor, not a last-minute project. Companies that succeed start building their compliance foundation 2-3 years in advance, with teams knowledgeable in both modern AI technical architecture and regulatory requirements. This approach allows for a reimagining of governance in the age of AI, moving beyond the outdated frameworks of the past.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →