COSO creates audit-ready guidance for governing generative AI
Companies looking to manage risks related to generative artificial intelligence (AI) can now turn to guidance built on a widely used framework of internal controls.
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published guidance that relies on COSO’s proven Internal Control–Integrated Framework (ICIF). The AICPA is one of COSO’s five supporting organizations.
The publication, Achieving Effective Internal Control Over Generative AI, applies the ICIF’s five components: control environment, risk assessment, control activities, information & communication, and monitoring activities.
“Generative AI is transforming how organizations work, make decisions, and manage information,” Lucia Wind, executive director and chair of COSO, said in a news release. “Its rapid adoption brings enormous potential, but also a new set of risks that demand disciplined oversight. The COSO Internal Control–Integrated Framework gives organizations a clear, proven structure to ensure gen AI is introduced responsibly and with the rigor needed to support reliable operations, reporting, and compliance.”
According to the news release, the report introduces several new elements to help organizations operationalize generative AI governance:
- A capability-first taxonomy: Generative AI use cases are organized into eight capability types — ingestion, transformation, posting, orchestration, judgment, monitoring, regulatory intelligence, and human-AI interaction — each with tailored control considerations that reflect how risks manifest across the data-to-decision lifecycle.
- Audit-ready control mapping: Each capability includes examples, minimum control expectations aligned to all five COSO components, and illustrative metrics to support both operational monitoring and audit evidence collection.
- Practical implementation artifacts: Starter templates, including risk assessment matrices, control testing procedures, and metric dashboards, help organizations accelerate implementation and reduce time-to-value.
Building on a previous COSO report, Realize the Full Potential of Artificial Intelligence, the publication was written by Scott Emett of Arizona State University, Marc Eulerich of the University of Duisburg-Essen, Jason Guthrie of EY, Jason Pikoos of Meta, and David Wood of Brigham Young University.
“Gen AI introduces risks that evolve as quickly as the technology itself,” Wood said in the release. “By grounding gen AI governance in COSO’s established internal control principles, organizations can build systems that are both adaptable and audit-ready.”
— To comment on this article or to suggest an idea for another article, contact Bryan Strickland at Bryan.Strickland@aicpa-cima.com.
