What Is an AI Audit?
An AI audit is an independent review of how an organization's AI systems are governed, used, and controlled — covering whether a model was approved before deployment, whether its outputs are monitored for drift or bias, whether a human can intervene in its decisions, and whether anyone could explain a specific AI-driven outcome if a regulator or customer asked.
It is distinct from a data privacy audit. Data governance controls who can access information; AI governance controls what the AI is allowed to do with it once it has access — training, inference, automated decisions, and now, increasingly, autonomous action.
Why Has This Become a Board-Level Issue?
Two speeds have diverged. Adoption is outrunning oversight: a 2026 NIST AI RMF implementation guide reports that 72% of organizations are already using or planning to use agentic AI, while 65% admit their AI adoption is moving faster than their ability to fully understand it. At the same time, only 26% have comprehensive AI governance policies in place, even though 72% of S&P 500 companies disclosed at least one material AI risk in 2025.
Boards have absorbed this gap directly. According to EY's Center for Board Matters, roughly 40% of S&P 500 companies have assigned AI oversight to at least one board-level committee, up from just 11% the year prior — and the audit committee is frequently where that responsibility lands by default. Diligent's Nithya Das, general manager of governance at the firm, frames 2026 as the year "boards and executive teams institutionalizing AI governance as a core competency" stops being aspirational and becomes an operating expectation.
What Frameworks Do Companies Audit Against?
No single framework covers everything an AI audit needs to check. In practice, mature programs layer several, each covering a different layer of the problem.
NIST AI RMF — A voluntary US risk-management framework built around four functions: Govern, Map, Measure, Manage. It supplies the risk vocabulary auditors use to describe AI-specific failure modes (hallucination, drift, prompt injection) that traditional audit standards don't name. Not certifiable; treated as a baseline — part of the broader set of AI governance controls organizations layer on top of it.
ISO/IEC 42001 — The first international, certifiable AI management system standard. Where NIST gives a risk vocabulary, ISO 42001 gives the actual management system: defined roles, documented controls, internal audits, and an external assessor who signs off. Enterprise procurement teams increasingly request this certification alongside SOC 2 and ISO 27001.
The IIA's AI Auditing Framework — Assurance-specific guidance written by and for internal auditors, covering AI strategy, data governance, vendor controls, and reporting. It's the practitioner layer that ties NIST's vocabulary and ISO's management system to actual testing and sign-off work.
COBIT and COSO — Older IT-governance and internal-controls frameworks (COBIT from ISACA, COSO's internal controls framework) that organizations are extending rather than replacing. COSO published specific guidance on generative AI internal controls in April 2026, built around a six-step roadmap: govern, inventory, assess, design, implement, monitor — deliberately designed to plug into financial-reporting controls audit teams already run.
OWASP Top 10 for Agentic Applications — Published December 2025, this is the first formal risk taxonomy specific to autonomous AI agents rather than single-turn AI tools, covering failure modes like goal hijacking, tool misuse, identity abuse, memory poisoning, and rogue agents. It matters because none of the frameworks above were originally written with agents in mind.
How Is Auditing an AI Agent Different From Auditing a Chatbot?
A chatbot answers a question and stops. An agent plans, calls tools, writes to databases, and triggers downstream workflows — often across multiple steps with no human reviewing each one. That changes what an audit has to check.
The regulatory clock is already running. The EU AI Act's high-risk obligations, which require human oversight, intervention points, and a stop-or-correct mechanism for autonomous systems, take effect in August 2026 for any business operating in the EU or serving EU residents. Yet a 2026 KPMG survey of large-enterprise leaders found that 75% cite security, compliance, and auditability as the most critical requirements for deploying agents — while separately, only 30% of organizations have reached governance maturity level three or higher for agentic AI controls specifically. That's a wide gap between what leaders say they need and where their actual controls stand.
An agent-specific audit checks four things a standard AI audit might miss entirely, beyond the fairness and bias dimension a traditional audit already covers:
- Tool permission scope. What systems, APIs, and databases can the agent actually reach, and is that access bounded to what the task requires?
- Action-level audit trails. Not just "the agent ran" but a logged record of each individual tool call, attributable to a specific agent identity and policy decision.
- Intervention points. Whether a human can actually stop, correct, or override the agent mid-task — not just at the start or end of a workflow.
- Multi-agent orchestration risk. Where one agent assigns work to others, whether failures or bad decisions can cascade across the chain before anyone notices.
What Does the Audit Process Actually Look Like?
- Inventory every AI system in use — including shadow AI and shadow agents. Go beyond the approved-vendor list: browser extensions, personal AI accounts, and AI features embedded inside already-sanctioned SaaS tools. This is the most common gap auditors find — only about 25% of organizations report comprehensive visibility into how employees actually use AI, per industry-aggregated shadow AI research citing IBM and Microsoft data.
- Map each system's risk tier. A marketing copy assistant and a credit-underwriting model, or an autonomous agent with database write access, don't warrant the same scrutiny.
- Assess the governance framework against leading practice. Compare existing policy to NIST AI RMF or ISO 42001 and identify missing guardrails — on paper, before testing anything live, the same gap analysis covered in how AI governance works across the AI lifecycle.
- Test whether controls actually operate, not just exist. This is where real findings surface. A common failure mode documented across 2026 governance guides is "paper governance": a policy exists in a document with no connection to the running system, so when an incident happens, the controls described in the policy simply don't exist in the code.
- Verify human oversight and escalation paths. Confirm a named owner exists for each AI use case, and that a tested shutdown procedure exists — not just a theoretical one. This matters: ISACA's 2026 research found 56% of professionals don't know how long it would take to halt an AI system in the event of a security incident.
- Produce audit-ready evidence, not a policy summary. Logs, model documentation, bias-testing results, and decision records a regulator or enterprise customer could review without the company reconstructing the story after the fact.
Where Audits Usually Find the Gap
The most common discovery in an AI audit isn't malicious misuse — it's an unapproved tool nobody flagged. Deloitte's internal audit practice cites a recurring pattern: a quick-start survey at one organization uncovered a marketing team running a GPT-based content generator with no approval process behind it at all.
That pattern holds at scale. Shadow AI research aggregating IBM, Microsoft, and Awareways data finds that a large majority of employees now use AI tools their employer hasn't authorized, with only a small minority relying on employer-approved alternatives. Compounding it, ISACA's 2026 research found 25% of organizations have no active AI policy at all — exactly the kind of governance tooling gap that leaves shadow AI as the dominant, least-governed way AI actually gets used inside a company.
The lesson mirrors cross-border data audits: the company that gets flagged usually isn't the one with the worst intentions, it's the one that can't produce the record when asked.
Frequently Asked Questions
Is an AI audit the same as a data privacy audit?
No. A data privacy audit checks who can access personal data and under what legal basis. An AI audit checks what an AI system does with that data once it has access — training, monitoring, and whether a human can intervene. Bias, model drift, and autonomous decision-making fall outside a privacy audit's scope entirely.
What is "shadow AI" and why does it matter for an audit?
Shadow AI is AI tool use that happens without IT, security, or compliance approval. It matters because it represents usage the organization can't yet govern, and most users remain unaware of the compliance implications, which means the exposure is invisible until an audit specifically goes looking for it.
Do small or mid-sized companies need to follow NIST AI RMF or ISO 42001?
Neither is legally mandatory for most companies. But enterprise customers and regulated-industry clients increasingly request alignment with one or both during vendor due diligence, so smaller companies selling into those markets often need to demonstrate it regardless of size.
Does a standard AI audit framework cover autonomous agents?
Not fully. NIST AI RMF, ISO 42001, and the IIA framework were largely written before agentic AI scaled in production, which is why the OWASP Top 10 for Agentic Applications (December 2025) exists as a separate, purpose-built taxonomy for risks like tool misuse and rogue agent behavior.
How often should an AI audit happen?
Continuously rather than annually, for high-risk use cases. Point-in-time audits miss model drift or a tool quietly gaining new capabilities between review cycles. Lower-risk, internal-only tools can follow a less frequent cadence.
Who owns AI oversight: the audit committee, IT, or a separate group?
Increasingly the audit committee absorbs this directly, per EY's board-tracking data, since testing controls and verifying evidence overlaps closely with traditional financial audit work, rather than requiring an entirely new governance body.
What happens if an audit finds a control doesn't actually work?
The remediation path mirrors traditional internal controls: document the gap, assign a named owner, set a timeline, re-test before sign-off. With AI systems, "doesn't work" often means the control existed in policy but was never implemented in the code or workflow — testing operating effectiveness, not just design, is the step organizations most often skip.
Where Privacy Governance and AI Auditing Overlap
AI audits and privacy governance converge wherever an AI system — agentic or otherwise — touches personal data, which in practice is most of them. Secure Privacy's platform is built for that intersection: visibility into what data an AI tool can access, vendor and subprocessor risk tracking, and the DPIA and audit-trail documentation an AI governance review asks for first. It doesn't replace a technical AI audit — bias testing, model evaluation, and agent runtime enforcement require specialized tooling — but it closes the privacy-side gap audits consistently flag: knowing exactly what data flows into which AI system or agent, and proving it on demand.
