AI Governance Library

Achieving Effective Internal Control Over Generative AI (GenAI)

GenAI is arriving in boardrooms… compresses decision cycles… but also introduces risks — hallucinations, prompt-injection attacks, opaque reasoning… that can threaten the reliability of operations.
Jakub Szarmach
3 min read
Achieving Effective Internal Control Over Generative AI (GenAI)
Achieving Effective Internal Control Over GENERATIVE AI
Achieving Effective Internal Control Over GENERATIVE AI .pdf
4 MB
download-circle

⚡ Quick Summary

This COSO report translates its well-established Internal Control Framework into the world of generative AI. Instead of proposing a new governance model, it adapts existing control principles to GenAI-specific risks such as hallucinations, model drift, and prompt injection. The document stands out by introducing a capability-based approach—mapping controls across eight AI functions—and aligning them with audit-ready requirements. It bridges a critical gap between high-level AI governance and operational, testable controls. Designed for practitioners in risk, audit, compliance, and finance, it provides not just theory but also templates, metrics, and implementation steps. The result is a highly actionable guide that makes GenAI governance auditable, scalable, and compatible with existing enterprise control systems.

🧩 What’s Covered

The report is structured around adapting the five COSO components—Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring—to GenAI systems. It begins by framing the unique nature of GenAI: probabilistic outputs, dynamic behavior, scalability of errors, and low barriers to adoption. These characteristics fundamentally reshape how internal controls must be designed.

A central contribution is the introduction of eight GenAI capability types (e.g., data ingestion, transformation, orchestration, judgment, monitoring), which serve as the backbone for risk identification and control design. This “data-to-decision lifecycle” approach helps organizations pinpoint where risks originate and how they propagate across processes.  

Each COSO component is then mapped to GenAI-specific practices. For example, the Control Environment emphasizes ownership, AI literacy, and ethical boundaries, while Risk Assessment becomes continuous and scenario-driven due to model volatility. Control Activities introduce concepts such as human-in-the-loop validation, prompt governance, and AI “bill of materials.” Information & Communication focuses on traceability (e.g., prompts, outputs, model versions), and Monitoring evolves toward continuous metrics like drift, bias, and hallucination rates.

The report also includes practical elements: implementation roadmap (six-step cycle from governance setup to monitoring), real-world case studies (e.g., clause extraction errors, forecasting drift), and detailed appendices with control examples, metrics, and artifacts for each capability type.

💡 Why it matters?

This is one of the first documents that makes GenAI governance operational—not just conceptual. It connects AI risk directly to internal control systems already used in enterprises, especially in finance and audit.

For organizations struggling to move from “AI principles” to “AI controls,” this report provides a missing layer: how to design controls that are testable, auditable, and aligned with existing assurance frameworks. It also introduces a mindset shift—treating AI outputs as “claims requiring validation” rather than facts—which is crucial for real-world deployment.

From an AI governance perspective, it effectively bridges COSO, risk management, and emerging AI assurance practices, making it highly relevant for compliance with regimes like the EU AI Act or future audit expectations.

❓ What’s Missing

The report is deeply rooted in internal control and audit contexts, which makes it less accessible for broader AI governance audiences (e.g., product teams or policymakers).

It also focuses primarily on enterprise and financial reporting use cases, with limited coverage of high-risk AI domains such as biometric systems, recommender systems, or safety-critical applications.

There is little discussion of alignment with external regulatory frameworks (e.g., EU AI Act risk categories), which would strengthen its applicability in compliance-driven environments.

Finally, while highly detailed on controls, it provides less guidance on organizational transformation—such as how to embed these practices culturally or scale them across large, decentralized organizations.

👥 Best For

Internal auditors and risk professionals

Finance and compliance teams working with AI

AI governance leads in large organizations

External auditors assessing AI-enabled controls

IT governance and security teams

📄 Source Details

COSO (Committee of Sponsoring Organizations of the Treadway Commission), 2026 report developed with contributions from academic and industry experts including EY and Meta representatives.

📝 Thanks to

COSO Board and contributing authors including Scott Emett, Marc Eulerich, Jason Guthrie, Jason Pikoos, and David A. Wood

Report Guide
About the author
Jakub Szarmach

Jakub Szarmach

Read next

Vendor Evaluation Criteria for AI Red Teaming Providers & Tooling

The OECD.AI Index – Technical Paper

OECD Due Diligence Guidance for Responsible AI

Introductory Guidance to AI Controls Matrix (AICM)

International AI Safety Report 2026

AI Governance Library

Curated Library of AI Governance Resources

AI Governance Library

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to AI Governance Library.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.