Managing AI Risk with Confidence: A Governance Foundation Built on NIST and COSO
Artificial intelligence is no longer an experiment running at the edges of the organization. It supports customer engagement, accelerates decision-making, and increases efficiency across internal functions, from AI-assisted reconciliations to automated monitoring and analytics. AI is rapidly evolving from pilot to embedded business capability.
That shift changes what leadership is accountable for. As AI becomes embedded in operations, leaders are answerable for how it is governed, how data is protected, and how risks are managed. The organizations approaching this with confidence are not building separate AI risk programs. They are extending the governance, accountability, and assurance practices they already trust.
Two frameworks provide a practical foundation for that work. The NIST Artificial Intelligence Risk Management Framework (AI RMF) and COSO’s guidance on internal control over Generative AI together offer a defensible approach for governing AI within existing risk and assurance models.
A Practical Foundation for AI Governance
NIST helps organizations manage AI risk in a way that supports innovation and aligns with enterprise risk management. The AI RMF is voluntary guidance designed to be tailored based on an organization’s size, sector, and risk profile.
COSO’s guidance on Generative AI focuses on internal control within the COSO Internal Control Integrated Framework. It emphasizes that AI should operate within control environments that support assurance, oversight, and accountability.
The two frameworks are complementary. NIST offers a lifecycle-based structure for identifying and managing AI risk, while COSO embeds those risks into the governance, control activities, and monitoring practices that auditors and regulators expect. Together, they enable organizations to adapt existing governance structures instead of building parallel AI risk programs.
Applying the NIST AI RMF Through a COSO Lens
The NIST framework organizes AI risk management into four integrated functions: Govern, Map, Measure, and Manage. Each aligns with COSO’s internal control components and supports SOC and enterprise risk management expectations.
Effective AI use begins with strong governance. Organizations establish ownership, accountability, and policies that define how AI is approved, monitored, and overseen. Executive and board visibility should align with organizational values and risk appetite. COSO reinforces this through its focus on tone at the top, ethical standards, and accountability, including clear ownership of AI use cases and defined approval authority.
Mapping creates clarity around where AI is used and how it interacts with data, systems, customers, and third parties. This work supports COSO’s risk assessment principles by helping organizations define system boundaries and understand where AI affects financial reporting, customer data, or regulated activities.
Measurement focuses on testing, monitoring, and validating AI risks. This can include accuracy, reliability, resilience, security, privacy, and fairness. Because AI systems are probabilistic and subject to change, organizations must evaluate consistency over time, especially when models, prompts, data sources, or vendors are updated.
Management completes the cycle. AI risks are addressed through response procedures, change management, and continuous monitoring. COSO’s monitoring and remediation principles emphasize early detection, timely assessment, and effective action. Without this discipline, AI can shift from a managed capability to an unmonitored one.
Why This Matters for SOC Reporting and ERM
AI is becoming embedded within system boundaries and existing control environments. For organizations subject to SOC 1 and SOC 2 examinations, AI may influence financial reporting, transaction processing, and controls related to security, availability, confidentiality, processing integrity, and privacy, depending on how it is implemented.
Stakeholders expect organizations to demonstrate that AI-enabled activities are appropriately included in system descriptions, that regulated data is protected throughout the AI lifecycle, and that third-party AI services are governed through established vendor management practices.
There is also an expectation that AI-generated outputs are explainable, reviewable, and subject to control. The NIST AI RMF extends familiar risk management practices to address AI-specific risks such as hallucinations, model drift, bias, automation bias, and limitations in transparency and interpretability.
Putting AI Governance into Practice
AI adoption does not require rebuilding governance from the ground up. It calls for intentional oversight, clear accountability, and integration with established risk and assurance practices. Organizations that use NIST to structure AI risk management and COSO to embed AI into internal control frameworks are better positioned to innovate responsibly, meet SOC and audit expectations, and build lasting trust with stakeholders. The focus is not on adopting a new framework, but on extending existing disciplines to a technology that depends on them.
As AI adoption accelerates, organizations need more than guidance. They need a clear path to operationalize governance and demonstrate control. Our Risk Advisory Solutions team works with you to embed AI into your risk, control, and assurance frameworks in a way that is practical, scalable, and audit-ready. From strategy through execution, we help you reduce risk exposure, meet stakeholder expectations, and build lasting trust.