News & Blogs

US Shifts AI Stance: National Security Directives Elevate AI Governance to Critical Operational Infrastructure

Global · · tobyderoche.substack.com

Recent White House actions signal a significant shift in the US government's approach to AI, moving from caution to accelerated adoption, particularly within national security. This reclassification of AI as operational infrastructure, rather than a future technology, profoundly impacts internal audit and assurance professionals. Organizations must now consider AI not just for its potential, but for its secure, reliable, and accountable integration into critical processes, demanding a more robust and integrated governance framework.


AI Governance: From Policy Discussion to Control Environment

The US government's recent Executive Order and National Security Presidential Memorandum 11 mark a pivotal moment for AI governance. These directives emphasize accelerating AI adoption, particularly in national security and cybersecurity, shifting the perception of AI from a nascent technology to critical operational infrastructure. For internal audit and assurance professionals, this means AI governance can no longer be a peripheral compliance exercise but must be integrated into core enterprise risk management, cybersecurity, vendor oversight, operational resilience, and board-level oversight. The focus is now on ensuring AI is not just adopted, but adopted securely, reliably, and accountably.

The Merging of AI and Cybersecurity Control Environments

A key takeaway from the new directives is the explicit focus on AI-enabled cyber defense. The Executive Order directs agencies like CISA and OMB to prioritize AI for protecting federal systems and critical infrastructure, including sectors like healthcare and finance. This integration means AI itself becomes auditable within the cybersecurity control environment. Internal audit teams will need to expand their scope to assess AI-enabled security tools for reliability, accuracy, monitoring for drift, change management, and incident response. The traditional asymmetry in cyber risk, where attackers outpace defenders, is now being addressed with AI, but this introduces new governance challenges related to the audibility and trustworthiness of these AI systems.

Evolving Assurance for High-Risk AI and Vendor Management

The directives also highlight the need for more formal assurance for powerful AI models, even without mandatory licensing. While the government aims to avoid pre-approval regimes, it expects robust evidence of testing, security, monitoring, and control for high-risk AI. This translates into a heightened focus on vendor risk, especially for AI systems embedded in critical business processes. Organizations will need to move beyond standard due diligence (e.g., SOC 2 reports) to scrutinize vendor capabilities regarding model modification, data handling, update deployment, subcontractor use, and incident reporting. The national security context even introduces provisions for terminating contracts with non-compliant vendors, underscoring the critical nature of AI supply chain control and operational resilience.

Rethinking Incident Response and Audit Frameworks for AI

NSPM-11 provides a comprehensive definition of AI incident response, encompassing degradation, data loss, malfunctions, and adversarial attacks. This broad definition acknowledges that AI incidents are not always traditional cybersecurity events but can involve issues like unsafe outputs or unauthorized actions by AI agents. Organizations must update their incident response plans to include AI-specific scenarios, define escalation paths, and clarify authority for disabling AI systems. Furthermore, traditional audit frameworks will be stretched. While existing controls for access, change, and data management are relevant, AI introduces new complexities: accountability for AI-generated decisions, testing systems with probabilistic outputs, validating vendor-embedded models, and distinguishing between acceptable model error and control failure. Internal audit's role is to bring discipline to this fast-moving environment, ensuring AI adoption aligns with secure, governable, and resilient operational objectives.


Read more
Comments

No comments yet. Be the first.


Sign in to join the discussion.

Sign in or Create account
Subscribe

By email

Get audit & assurance news in your inbox.


By feed reader

We publish RSS, Atom, and JSON feeds sliced by category and region.

View all feeds →

Have a tip? Submit a story or job →

Subscribe by email

Get audit & assurance news in your inbox. Or use a feed reader — view all feeds →