Recent industry reports and commentary across ISACA, AuditBoard, and major advisory firms highlight a clear and growing trend: AI adoption is outpacing control design.
Organisations are rapidly deploying AI tools across business functions, from productivity and reporting to analytics and decision support. However, many lack clear visibility over usage, ownership, and associated risk exposure.
This creates a familiar problem in a new context: technology moving faster than the control environment designed to govern it.
A New Version of a Known Risk
From a practitioner perspective, this is not a new issue; it is a new manifestation of an old one.
Historically, similar gaps have emerged during:
- Cloud adoption
- Shadow IT expansion
- Rapid system transformation
In each case, the pattern is the same:
- Technology is adopted quickly to deliver value
- Governance frameworks lag behind
- Risk accumulates in areas that lack visibility or ownership
AI is now following the same trajectory, but at a significantly faster pace.
Why AI Changes the Risk Profile
What makes AI different is how embedded and opaque it can be.
Unlike traditional systems, AI tools are often easily accessible without IT involvement, integrated into day-to-day workflows, and capable of generating outputs that influence decisions without clear audit trails or validation controls.
This creates challenges across core ITGC domains:
- Access control – Who is using AI tools, and under what permissions?
- Change management – How are AI models updated or configured?
- Data integrity – What data is being used, and how is it validated?
- Auditability – Can outputs be traced, reviewed, and evidenced?
In regulated environments, these questions quickly move from theoretical to material risk considerations.
The Operational Reality


The challenge is not just technical—it is operational.
In many organisations, AI usage is decentralised across teams, ownership is unclear or undefined, policies exist but are not embedded into workflows, and monitoring is limited or reactive.
As a result, risk does not present itself immediately. Instead, it accumulates quietly, often surfacing only when audit reviews identify gaps or data governance issues arise. By that point, remediation is more complex and more costly.
Implications for IT Audit and Governance
For IT audit and risk teams, this introduces a new dimension to assurance.
Traditional audit approaches rely on:
- Defined systems
- Documented controls
- Established ownership
But AI challenges all three, which means audit and risk functions must adapt by:
- Expanding risk assessments to include AI usage and tooling
- Evaluating whether existing ITGC frameworks adequately cover AI-related risks
- Focusing on control design within real-world usage, not just policy documentation
For senior stakeholders, this becomes a governance question: "Do we understand how AI is actually being used across the organisation?"
Closing Perspective
The takeaway is simple but increasingly important: adoption needs to be matched with design. Controls should evolve alongside technology and not follow behind it. Organisations that embed governance into AI adoption early will be better positioned to manage risk, support innovation, and meet regulatory expectations.
Those that do not will risk repeating a familiar pattern, only this time at AI speed.