Auditing AI: What Internal Audit Functions Need to Know 

Audit functions are under pressure to step into unfamiliar territory. Artificial intelligence is no longer an emerging technology sitting on the edge of enterprise transformation; it is embedded in core processes, decision-making, and customer interactions. Yet internal audit functions are struggling to keep pace.

AuditBoard’s 2026 Focus on the Future survey captured a stark reality: organizations have high expectations for internal audit to provide AI assurance, but auditors report low readiness and still underestimate AI’s likely impact. That disconnect is more than a capability gap; it is a strategic risk.

This piece explores that gap: why AI has become an audit priority, what internal audit leaders need to understand about AI risk that most do not yet grasp, and the regulatory landscape that is making this urgent right now.

AI Is No Longer an IT Priority – It Is an Audit Priority

For years, emerging technologies fell under IT audit. That model no longer works.

AI systems are not just infrastructure; they are decision engines. They influence credit approvals, pricing models, hiring recommendations, fraud detection, and operational forecasting. They may even already be performing key financial functions. Inadequate AI systems do not just bring technical issues; they can create significant financial, regulatory, and reputational consequences.

This shift has three important implications:

  • AI risk is an enterprise risk, not a technical risk. It affects all facets of an organization including compliance, ethics, strategy, and operations.
  • Ownership is diffuse. AI is often built by data science teams or service organizations, deployed in business units, and governed loosely across multiple functions.
  • Traditional controls don’t fully apply. AI systems evolve over time, making static control assessments insufficient.

For internal audit, this means AI governance is no longer a niche exercise. It must be incorporated into the core audit universe and the enterprise risk governance process.

The AI Assurance Expectation Gap

Organizations expect internal audit to evaluate AI governance frameworks, assess model risk and bias, provide assurance on regulatory compliance, and validate controls over AI development and deployment.

Yet many audit teams report limited understanding of how AI systems work, a lack of standardized audit methodologies, insufficient access to technical expertise, and difficulty scoping AI-related audits.

This gap is compounded by a common misunderstanding: many auditors believe AI risk is primarily about model accuracy. Accuracy is just one dimension and often not the most critical one.

What CAEs Need to Understand About AI Risk (That Most Do Not Yet Grasp)

Chief Audit Executives need to reframe how they think about AI risk. The most significant risks are not technical; they are systemic, and they compound other historically weak areas in most organizations.

1) Data Risk Is the Foundation

AI systems are only as good as the data they are trained on. Risks include biased or incomplete training data, unauthorized or unethical data use, data drift over time, and a lack of data lineage and traceability.

Auditing AI systems without ensuring the adequacy of the data governance program will lead to incomplete assurance. A data governance assessment is crucial before AI systems can be evaluated.

2) Governance Gaps Are the Real Exposure

The most common failure is not a flawed model; it is weak governance: no centralized inventory of AI systems, unclear ownership and accountability, a lack of policies for development and deployment, and missing approval and monitoring processes.

This is where internal audit can deliver some of its highest value, yet it is also where most functions are least mature. Consider the governance of third-party AI systems. Many organizations are rapidly embedding AI into operations through vendors. In these cases, ownership becomes inherently blurred: the vendor develops and maintains the model, the business relies on its outputs, IT integrates it into systems, and risk or compliance may have limited visibility into how it works. This ambiguity creates a governance gap that internal audit is uniquely positioned to address.

3) Regulatory Risk Is Accelerating (and Fragmenting)

Regulatory expectations for AI are no longer theoretical; they are already taking shape across federal agencies, state laws, and sector-specific rules. The challenge is not just the pace of change but the fragmented nature of regulation in the U.S., where no single comprehensive federal AI law exists, yet multiple enforceable requirements already apply.

For internal audit, this creates a new kind of risk: organizations may be non-compliant without realizing it, because obligations are emerging across jurisdictions and industries simultaneously.

Key U.S. Regulations Internal Audit Should Be Tracking

Bias Audits and Transparency (New York City Local Law 144)

New York City’s Local Law 144 is one of the clearest examples of AI-specific audit requirements already in force. It requires annual independent bias audits for AI-driven hiring tools, mandates public disclosure of audit results, and requires candidate notification before AI is used in decisions.

This is a direct signal to internal audit: algorithmic systems are now subject to formal audit expectations, not just internal controls.

Algorithmic Discrimination and Risk Frameworks (Colorado SB21-169)

Colorado’s SB21-169 focuses on AI use in insurance but sets a broader precedent. It prohibits unfair discrimination from algorithms and predictive models, requires organizations to test models for bias and document results, and mandates a formal risk management framework and ongoing monitoring.

This is particularly important because it moves beyond transparency into demonstrable risk management and governance, areas squarely within internal audit’s mandate.

SEC Expectations on AI Disclosure and Governance

At the federal level, the SEC is not waiting for AI-specific legislation. Instead, it is applying existing disclosure and governance rules to AI use. Companies must disclose material AI risks and impacts to investors. Expectations include board oversight of AI and clear reporting on how AI is used. The SEC has increased scrutiny on misleading claims (“AI washing”) and risk disclosures.

In practice, this means AI has already become a board-level governance and audit issue, not just an operational concern.

The Federal and State Patchwork

The broader regulatory landscape includes federal reliance on agency enforcement and existing authorities rather than a unified law, state-led momentum across privacy, employment, and insurance use cases, and increasing alignment around core themes such as bias mitigation, transparency, and accountability.

The result is a patchwork of requirements that organizations must navigate, often without a single source of truth.

What This Means for Internal Audit

Across these regulations, a consistent set of expectations is emerging:

  • Transparency requirements driving public disclosure of AI use and audit results.
  • Bias and fairness obligations requiring demonstrable testing for discriminatory outcomes.
  • Documentation and auditability requirements calling for evidence of governance, controls, and monitoring.
  • Board and executive accountability requiring clear oversight of AI risks.

These are not future-state concepts; they are already enforceable in specific jurisdictions and industries.

The Audit Implication: Move Before Mandates

Internal audit functions cannot afford to wait for a single, harmonized AI regulation. The regulatory direction is clear: AI systems must be explainable, testable, governed, and auditable.

The organizations that are ahead are not those reacting to each new law; they are those building audit capabilities that anticipate regulatory convergence: establishing AI inventories before regulators require them, testing for bias before audits become mandatory, and embedding AI governance into existing control frameworks.

In short, regulatory risk in AI is no longer about “if”; it is about how quickly expectations become enforceable in your jurisdiction.

Internal audit’s role is to close that gap before regulators do.

Final Thought

AI is redefining how organizations operate. Internal audit must evolve accordingly.

Those that treat AI as an extension of IT risk will struggle. Those that recognize it as a core driver of enterprise risk, and build their audit capabilities around that reality, will become indispensable.

The question is no longer whether internal audit should engage with AI. It is whether it can close the gap fast enough.