COSO Releases Framework for Managing GenAI Risks

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has released new guidance for managing the risks associated with generative AI. The publication is designed to translate COSO's Internal Control–Integrated Framework into a practical, audit-ready roadmap for governing GenAI. It addresses the growing need for enterprises to establish formal controls and governance over the new technology.

- The COSO Internal Control–Integrated Framework, on which the new GenAI guidance is based, was first issued in 1992 and significantly updated in 2013. It is the most widely used internal control framework in the U.S. and is built on five core components and 17 principles.
- This is not COSO's first foray into technology risk management; the organization has previously published guidance on managing risks associated with blockchain in 2020 and a broader paper on realizing the potential of AI in 2023 with Deloitte.
- The guidance addresses specific GenAI risks that are highly relevant in finance and analytics, such as data integrity compromises, model "hallucinations" leading to flawed analysis, information security failures, and non-compliance with regulations like GDPR or industry standards like SOX.
- The release is timely, as enterprise adoption of AI is dramatically outpacing the governance frameworks required to manage it. Discussions at the World Economic Forum 2026 confirmed this growing disconnect between AI operationalization and governance.
- A significant challenge for companies is the rise of "shadow AI," where employees use unapproved AI tools, creating risks of data leakage and other security issues. One 2025 report noted that while 40% of surveyed companies had purchased LLM subscriptions, 90% of their employees regularly used them.
- The new publication was authored by a team of academics from institutions including Arizona State University and Brigham Young University, alongside professionals from Ernst & Young and Meta.
- To make the framework actionable, the guidance includes practical implementation templates, such as risk assessment matrices, control testing procedures, and metric dashboards, to help organizations make their GenAI governance audit-ready.
