The recently published report from Deloitte UK titled “Hot topics for technology and digital risk 2026: Navigating uncertainty, an internal audit perspective” sets out a compelling agenda for IT audit, risk management and assurance functions across 2025‑26.
In its 15th annual iteration, the report emphasises the convergence of multiple pressures, ultra rapid adoption of generative AI, increasingly fragmented cloud landscapes, ever‑more interconnected supply‑chain risks and a shift in sophisticated cyber threat vectors.
Firstly, generative AI emerges as a dominant concern. With organisations embracing large language models and automation tools, risks around data security, algorithmic bias, explainability and regulatory oversight (such as the EU AI Act) are front and centre for IT risk functions.
Secondly, cloud environments are no longer monolithic. The report highlights how regionalisation of cloud services, with nationalised data sovereignty concerns creates vendor lock in, service disruption risks and complex compliance challenges across jurisdictions.
Third, global supply chain vulnerabilities persist. Organisations reliant on third‑ and fourth‑party services face increasing exposure from breaches, service failures and lack of transparency deep in the ecosystem. Effective third‑party risk management is thus a foundational element of modern assurance.
Fourth, cyber‑attack sophistication is escalating. Attackers are leveraging AI to automate phishing, malware deployment and vulnerability detection forcing organisations to shift from traditional reactive defences to agile, AI‑driven detection and response.
For IT audit and risk governance leaders, the implications are clear, old assurance models built on annual cycles, manual controls and siloed functions are inadequate. The report underscores the need for agile internal audit functions that integrate innovation governance with established control frameworks.
In practical terms, risk and audit teams should take the following steps,
Integrate generative AI risk assessments into audit plans, focusing on model governance, data lineage, bias, and regulatory readiness.
Map the cloud estate beyond the organisation: understand regional vendor footprints, data sovereignty risks and resilience of partner ecosystems.
Enhance third‑ and fourth‑party risk visibility, develop deeper analytics into service provider health, control maturity and contractual resilience.
Embed continuous monitoring and agile assurance, leverage automated detection, anomaly based alerts and ‘real‑time’ dashboards rather than purely backward looking audits.
Elevate internal audit’s role, shift from compliance gatekeeper to strategic adviser, aligning with business innovation while safeguarding controls and governance.
In conclusion, the future of IT audit and risk management lies in proactive, forward looking assurance rather than simply reactive control testing. The 2025‑26 horizon demands that audit teams evolve to meet the new risk architecture. Organisations that adapt will not only manage risk but also enable business innovation with confidence. If you’re ready to reimagine your IT risk assurance framework and strengthen your audit readiness, now is the time to act.
