COSO Releases Guidance for Managing GenAI Risks

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released a new roadmap for managing the risks associated with generative AI. The guidance is designed to translate COSO's Internal Control–Integrated Framework into practical, audit-ready steps for governing GenAI. This addresses a growing need within enterprises for clear frameworks on AI-related governance, risk, and compliance (GRC).

- The GenAI guidance is an extension of COSO's existing "Internal Control–Integrated Framework," a widely accepted model for internal controls built on five core components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.
- It was authored by a working group of academics and practitioners from organizations including Ernst & Young and Meta, building on COSO's earlier collaboration with Deloitte on AI risk management.
- A key feature is its "audit-ready" nature: it provides concrete examples of controls and metrics that can serve as evidence to internal and external auditors that GenAI risks are being managed effectively, including starter templates for risk assessment matrices and control testing procedures.
- It addresses GenAI-specific risks such as heightened cyber exposure, prompt-based manipulation, opaque reasoning, and model drift.
- Rather than standing alone as a set of best practices, the COSO guidance is designed to be integrated into a company's overall control environment, in the same way the underlying framework is already used for financial reporting and for compliance with regulations such as the Sarbanes-Oxley Act (SOX).
- The NIST AI Risk Management Framework (RMF) provides a voluntary "how-to guide" for managing AI risk, and ISO/IEC 42001 offers a certifiable standard for an AI management system; the COSO guidance focuses specifically on integrating GenAI into an organization's existing internal control and enterprise risk management (ERM) processes.
- It complements other frameworks such as Deloitte's "Trustworthy AI," which covers seven dimensions of ethical AI: transparency, fairness, accountability, reliability, privacy, safety, and security.
- For a creative leader, understanding this framework matters because it gives a direct line of sight into how the business will assess the value and risk of creative AI tools, and whether they align with the company's governance and compliance standards.

Shared from Scout.