From Guidance to Governance: Applying COSO’s new GenAI Standards with Confidence
Generative AI (GenAI) is being rapidly adopted across organizations far faster than governance structures, internal controls, and risk‑management processes can keep pace. Teams are already using AI copilots, auto‑reconciliation tools, and AI‑generated analysis in day‑to‑day workflows, but many of these capabilities introduce risks that traditional control models were never designed to address.
In response, last week the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its first GenAI‑specific internal control guidance, Achieving Effective Internal Control Over Generative AI (2026). The publication adapts the COSO Internal Control–Integrated Framework (2013) to the unique risks, behaviors, and scalability of GenAI and introduces an eight‑capability model for organizations to design, implement, and monitor AI‑enabled controls. This is particularly critical when GenAI outputs influence financial reporting, disclosures, or the execution of internal controls over financial reporting (ICFR), where accuracy, reliability, and auditability are essential to support management’s assertions and audit reliance.
Why COSO Issued New GenAI Guidance
At its core, COSO’s new guidance leaves organizations with a simple message: GenAI changes how internal controls need to work. These systems are not predictable, rule‑based technologies; they are dynamic, probabilistic, and can behave differently from one day to the next. COSO highlights that GenAI can be “confidently wrong,” evolve rapidly, scale mistakes as quickly as it scales value, and be used by virtually anyone in the business with minimal barriers.
Because of this, organizations can’t rely on traditional internal controls alone. The new guidance requires organizations to update their control environment, risk assessments, control activities, information flows, and monitoring processes to account for GenAI‑specific risks such as hallucinations, bias, model drift, data leakage, and rapid vendor‑driven changes.
COSO’s message is not “slow down your AI adoption.” It’s the opposite: deploy AI, but do it responsibly, without compromising accuracy and reliability. That means clearer objectives, stronger governance, better traceability, continuous monitoring, and defined accountability for how AI is used across business processes, enabling GenAI at scale in a risk‑controlled manner.
What Organizations Need to Rethink
GenAI does not replace the COSO framework; it changes how the framework is applied. COSO’s new GenAI guidance raises the bar for internal controls. AI now influences how controls are designed, how evidence is evaluated, and how governance and oversight function. This means rethinking SOX, AI governance, COSO alignment, risk and control design, and enhanced third‑party oversight to keep pace with GenAI adoption.
Here are some key considerations leaders should evaluate:
- SOX / ICFR: GenAI creates new challenges for evidence, review, and reliance. Companies should define when AI is advisory versus relied upon, and strengthen documentation, reviewer competence, and validation practices accordingly.
- GenAI Governance: Effective governance requires named owners, role‑based training, and a forum that can oversee AI risks and approve or unwind changes quickly. The goal is fast, informed oversight that keeps pace with how AI evolves.
- Risk Assessment and Control Design: GenAI introduces risks that traditional controls do not address, so use cases need clear boundaries and controls that assume AI can be confidently wrong. Strong design includes thoughtful human‑in‑the‑loop review points, governed configurations, and testing that accounts for drift and edge cases.
- Vendor and Third‑Party Risk: Model providers operate on their own update cycles, which increases risk when visibility is limited. Organizations should establish monitoring, testing, and contractual guardrails to ensure vendor changes do not undermine control performance.
Six Steps to Apply COSO’s GenAI Guidance
To operationalize COSO’s guidance and strengthen GenAI governance, organizations should focus on six core activities that build structure, transparency, and control around how AI is deployed:
- Establish an AI Governance Structure: Define who owns each AI use case, how decisions are made, and how risks are escalated.
- Inventory GenAI Use Cases: Identify all active and planned AI use cases, including purpose, data sources, owners, and dependencies. This creates visibility into where GenAI is operating and surfaces any shadow usage that may introduce unmanaged risk.
- Evaluate Use Cases Leveraging the COSO Components: Focus on GenAI‑specific risks such as drift, hallucinations, bias, and data exposure, and determine risk criticality.
- Design and Map Controls: Ensure consistency and audit readiness by developing controls that match the level of risk for each use case, including human‑in‑the‑loop checkpoints, validation routines, and governed configurations.
- Implement and Communicate: Deploy the designed controls and train users on how to interact with GenAI responsibly, interpret outputs, and escalate issues or changes that require review.
- Monitor and Adapt: Track performance through defined KPIs and KRIs, and review changes to models, prompts, or data sources regularly.
How Centri Can Help
Centri helps organizations approach AI risk management by building clearer governance structures, updating internal controls, and strengthening processes where AI influences day‑to‑day operations. Our teams work with management to identify use cases, assess how they intersect with key organizational functions, and develop a plan to support reliable performance.
Whether AI tools are built internally or provided by third parties, Centri helps create clarity, consistency, and confidence in how GenAI is used across the business.
Partner | Risk Advisory Practice Leader | CISA
Rich is a Partner at Centri Business Consulting and the leader of the firm’s Risk Advisory Practice. He has more than 17 years of combined experience in risk & internal control consulting, internal audit, IT risk & cybersecurity advisory, Sarbanes-Oxley (SOX) 404 compliance, enterprise risk management, and financial reporting & accounting. He joined Centri in February 2022 and has provided a variety of risk advisory and compliance services for clients across various industries, including insurance, digital assets & fintech, life sciences, financial services, healthcare, technology, and more.
Senior Manager | IT Risk & Cybersecurity | CRISC, CISA, AAIA
Ian is a Senior Manager in the IT Risk & Cybersecurity practice at Centri Business Consulting. He has more than 8 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, risk-based internal audits, and accounting.
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.