
Effective AI controls reduce the risk of costly hallucinations and regulatory breaches, while enabling firms to harness generative AI’s efficiency gains. The guidance provides a practical roadmap that aligns AI risk management with established internal‑control standards, accelerating adoption across finance and audit functions.
Generative AI is reshaping how companies create, process, and act on information, but its probabilistic output and rapid evolution introduce new control challenges. COSO, the long‑standing authority on internal control frameworks, has responded by extending its five‑component model to address these challenges. By treating AI prompts, model configurations, and data feeds as governed assets, the guidance bridges the gap between traditional risk management and the fluid nature of machine‑learning systems, offering auditors and finance leaders a familiar yet modern toolkit.
The core of COSO’s AI guidance rests on five principles: validation of outputs, continuous risk assessment, scalability safeguards, low‑entry‑barrier governance, and leveraging AI for monitoring. It calls for living risk registers that update whenever models or corpora change, and for control activities such as pre‑deployment testing, separation of configuration and approval rights, and mandatory citation of high‑impact outputs. Crucially, the framework insists on board‑level visibility, ensuring that senior leadership can weigh AI‑driven opportunities against emerging threats like hallucinations, bias, or model drift.
For businesses, the roadmap translates into concrete steps: establish an AI governance body, inventory all generative‑AI use cases, map each to COSO’s control components, and embed real‑time dashboards with deep‑dive reviews. Aligning AI risk controls with established internal‑control standards not only mitigates compliance and reputational risk but also unlocks AI’s potential to automate monitoring, documentation, and validation tasks at scale. As regulators and standard‑setters, such as the IAASB, move toward AI‑focused guidance, firms that adopt COSO’s framework early will gain a competitive edge and a defensible audit trail for AI‑enabled decisions.