Artificial intelligence is rapidly moving from experimentation to everyday business practice.
Across South Africa, organisations are using AI to improve productivity, automate routine tasks, support decision-making and uncover new opportunities for growth.
The conversation in most boardrooms has shifted from whether AI should be adopted to how quickly it can be integrated into strategies and business operations.
At the same time, a less visible challenge is emerging.
While many organisations have developed AI policies or guidelines, few have put in place the mechanisms required to provide independent assurance that those policies are being followed, that risks are being managed appropriately and that AI is delivering the outcomes intended. This is where internal audit has an important role to play.
AI is still often viewed as a technology issue, but its impact extends far beyond the IT department.
Human resources teams are using AI to support recruitment processes. Finance functions are exploring AI-driven forecasting and analysis. Marketing teams are leveraging generative AI to create content, and customer service departments are deploying AI-powered tools to improve responsiveness and efficiency.
Whether organisations have formally approved the use of AI or not, employees are also using AI-powered tools to draft emails, analyse data, prepare presentations, and conduct research.
As AI becomes embedded across an organisation in this way, the associated risks are not only technology-related; they also affect the entire business.
Questions around accountability, data quality, privacy, bias and decision-making affect every part of the business. Boards and executives therefore need confidence that AI is being adopted responsibly, and that cannot come from AI policy documents alone.
While a policy may define acceptable use and establish governance principles, it does not provide assurance that controls are working in practice.
Organisations need visibility into how AI tools are being used, what data they rely on, who is accountable for outcomes and whether appropriate safeguards are in place.
Internal audit is uniquely positioned to provide this assurance. Unlike individual business functions, internal audit has a cross-organisational view of risk, governance and control environments.
This allows it to assess not only whether AI-related controls exist, but whether they are operating effectively and supporting organisational objectives. This role extends beyond identifying weaknesses or instances of non-compliance. As AI adoption accelerates, internal audit has an opportunity to help organisations embrace innovation with greater confidence.
For many organisations, this shift may be a difficult one to make. For years, internal audit has primarily been seen as something of a ‘policing’ function, mainly focused on identifying gaps and reporting control failures.
While those responsibilities are still key to the Internal Audit function, the adoption of AI and other emerging technologies creates significant opportunities, which can only be transformed into value if leaders have confidence in the governance structures to support that process.
This therefore requires the Internal Audit function to broaden its perspective beyond identifying control failures and to also highlight where organisations may be missing opportunities to create value, improve performance, and realise the full benefits of technological and business transformation.
Strong assurance frameworks are essential to creating that confidence. When a business has assurance over the quality of the data feeding its AI systems, it is better positioned to trust AI-generated insights.
And when accountability for AI-assisted decisions is clearly defined, management can deploy these tools with greater certainty. In this way, AI assurance becomes an enabler rather than a constraint. It gives organisations the confidence to explore AI opportunities responsibly, rather than treating governance as something that slows innovation down.
In practical terms, that confidence depends on whether organisations can see and manage the risks that come with AI adoption.
Assurance only becomes an enabler when it moves beyond broad principles and examines how AI is actually being used across the business, including informal behaviours and unmanaged use cases that emerge as employees experiment with AI in their daily work.
This phenomenon, sometimes referred to as Shadow AI, can expose organisations to data privacy, confidentiality and compliance risks that may remain invisible until a problem occurs.
Internal audit can help organisations identify these types of blind spots and evaluate whether existing governance arrangements are keeping pace with actual business practices. This allows management to address risks proactively rather than reactively, and to create clear pathways for employees to use AI tools in ways that support innovation without undermining governance.
The same principle applies to concerns around bias, explainability and decision-making. As AI becomes more involved in processes that affect customers, employees and strategic outcomes, businesses need to be able to demonstrate that decisions remain fair, transparent and accountable.
Independent assurance helps ensure these considerations are addressed before they become reputational or regulatory issues.
For all these reasons, AI assurance needs to become a regular feature of audit planning. Just as organisations seek assurance over cybersecurity, financial controls and regulatory compliance, they must increasingly seek assurance over the governance and use of AI.
The goal is not to limit adoption, but to create an environment where innovation can be pursued confidently and responsibly.