AI regulation has crossed a threshold.
What was once discussed in principles, frameworks, and forward-looking guidance is now being enforced through real regulatory expectations. For internal audit teams, that shift changes the mandate. AI governance is no longer something to observe from the sidelines. It is something audit leaders are increasingly expected to evaluate, test, and stand behind.
The question is no longer whether AI belongs within audit’s scope. It is whether organizations can explain, defend, and take accountability for the decisions their systems produce.
That reality sits at the center of a recent All Things Internal Audit conversation between Ernest Anunciacion, Head of Product Marketing at MindBridge, and Marko Horvat, Senior Vice President of Business Transformation at ELB Learning. Their discussion reflects a broader change already underway across global regulatory bodies and across internal audit itself.
Listen: Ernest Anunciacion and Marko Horvat discuss how AI regulation is shifting from principles to enforcement and what that means for internal audit leaders.
From Model Risk to Risk to Individuals
One of the most important regulatory shifts is how AI risk is now being defined.
Rather than focusing narrowly on technical failure, regulators are increasingly framing AI risk in terms of harm to individuals. Bias, lack of transparency, inappropriate use, and unexplainable outcomes are no longer abstract concerns; they are central to how AI systems are evaluated.
This reframing fundamentally changes audit’s role. AI is no longer just a technology risk or an IT control consideration. It is a governance issue that intersects with ethics, compliance, operations, and decision-making authority.
For internal auditors, understanding AI systems now means understanding who is affected by AI-driven decisions, how those decisions are made, and where human judgment must remain firmly in control.
Risk Tiering Makes Visibility Non-Negotiable
Another theme gaining momentum is risk-tiered AI regulation, particularly in EU-style frameworks.
These approaches distinguish between prohibited AI uses, high-risk applications, and lower-risk use cases. On paper, this provides clarity. In practice, it creates a new challenge: many organizations cannot confidently say where AI is being used across the enterprise, let alone how risky those uses may be.
Internal audit teams are increasingly asked to assess governance and controls without complete visibility into AI adoption, especially when AI is embedded inside third-party tools or introduced informally through “shadow AI.”
The implication is clear. Audit teams need structured, repeatable ways to identify, categorize, and assess AI use across the organization, not just within formally approved initiatives.
Human Judgment Is Now Central to Regulatory Evaluation
Across regulatory bodies, one expectation is becoming consistent: AI-driven decisions that materially affect people must retain meaningful human oversight.
This goes beyond policy language or procedural sign-offs. Regulators are looking for evidence that:
- AI outputs can be understood and explained
- Decisions can be challenged or overridden
- Accountability remains clearly assigned
Black-box systems introduce governance risk when outcomes cannot be defended. This is especially true when organizations rely on third-party AI solutions. As emphasized in the conversation, vendor-provided AI does not transfer accountability. Responsibility for outcomes remains with the organization using the system.
For internal audit, explainability, traceability, and documentation are no longer supporting considerations. They are foundational to defensible assurance.
Internal Audit’s Role Is Expanding Across the AI Lifecycle
AI governance does not live neatly within one function, and internal audit’s scope is expanding accordingly.
Audit teams are increasingly involved across the AI lifecycle, including:
- Readiness assessments to identify where AI is already in use
- Ongoing monitoring for model drift and unintended behavior
- Evaluation of third-party AI risk
- Collaboration with legal and compliance on regulatory alignment
This expansion requires new capabilities. AI literacy is no longer optional for audit professionals. Understanding concepts such as explainability, hallucinations, and continuous monitoring is becoming core to effective oversight.
Importantly, this does not mean audit teams must become data scientists. It means they must be equipped to ask the right questions and evaluate whether governance mechanisms are working as intended.
What Internal Audit Teams Should Be Doing Now
While AI regulation will continue to evolve, internal audit teams do not need perfect clarity to begin acting.
Practical steps include:
- Mapping where AI is currently in use, including informal or unapproved tools
- Assessing whether AI-driven decisions have appropriate human oversight
- Evaluating explainability and documentation for higher-risk use cases
- Partnering early with legal, compliance, and risk teams to align governance models
The goal is not to slow innovation. It is to ensure AI is deployed in ways that are transparent, accountable, and defensible under scrutiny.
The Bottom Line
AI regulation is no longer theoretical. It is operational.
For internal audit, that reality shifts the conversation from whether to engage to how to lead. Organizations that navigate this transition successfully will treat AI governance as an enterprise discipline grounded in visibility, explainability, and clear human accountability.
Internal audit has a critical role to play in making that future workable.
Listen to the conversation between Ernest Anunciacion and Marko Horvat on how these shifts are playing out in practice.