AI disruptive risks result from the rapid development of AI and gaps in adoption standards, ethics and regulatory oversight.
Two important business questions from an IT Audit perspective are:
- What are the implications of AI adoption for your workforce, operations, products and services? What is your RCM (Risk & Control Matrix)?
- What are your AI change management principles (nature and scope), and are they integrated into your ITGC?
- AI change management ITGC processes are central to the management of AI risk. How? For example:
- Add review and approval from HR, Legal, C-suite, BOD
- AI Design – models matter – test internal/external data sources. Test false negatives & false positives for reasonableness.
- AI Dev/Test/QA – ethical considerations before, during and after implementation. Functional specs matter – ask the end-user worker. – RL
- AI Prod – data is fluid, so periodic tests – employ audit AI agents.
- Establish data classification standard (DCS)
- AI Risk on Safety, i.e. harmful & biased results & content – Understand the difference between AI bias and Human bias.
- AI risk on Cybersecurity is emerging and fraught with challenges for the CISO and executive leadership.
- AI risk from knowledge complexity gaps among 2nd & 3rd lines of defense practitioners.
- Discuss a responsible AI scaling policy & processes, e.g., capability thresholds, approved baselines & required safeguards.
- Employ AI pragmatically in audit, e.g. for population & sample data evidence and in repetitive audit tasks.
- Deploy an AI Audit Insight agent to study audit findings, e.g. deficiency type by process or function, application, system, auditor, etc.
- Consider an AI Audit Director agent to manage stakeholder communication, feedback and audit deadlines.
- Control your Verifier Agent to assure data/info for completeness & accuracy
- Test your AI Agents at least annually – data source & destination tests, access test, etc.
AI without Clean, Structured, & Governed Data is just a science project (SR)