Companies seeking to manage risks tied to generative artificial intelligence can now use new guidance anchored in a widely adopted internal control framework. The Committee of Sponsoring Organizations of the Treadway Commission has released Achieving Effective Internal Control Over Generative AI, which applies COSO’s Internal Control-Integrated Framework to the design and oversight of generative artificial intelligence programs. The framework’s five components (control environment, risk assessment, control activities, information & communication, and monitoring activities) are used as the organizing structure for governance and assurance.
The guidance is positioned as a response to the rapid adoption of generative artificial intelligence in core business processes and decision making. COSO leaders describe the technology as reshaping how organizations work while introducing a new class of risks that require disciplined oversight. By grounding generative artificial intelligence governance in established internal control principles, the publication aims to help organizations implement responsible use practices that support reliable operations, reporting, and compliance, while keeping systems adaptable and audit-ready as the technology evolves.
A central feature is a capability-first taxonomy that groups generative artificial intelligence use cases into eight capability types: ingestion, transformation, posting, orchestration, judgment, monitoring, regulatory intelligence, and human-AI interaction. Each category is linked to tailored control considerations across the data-to-decision lifecycle. For each capability, the report offers audit-ready control mapping that includes examples, minimum control expectations aligned to all five COSO components, and illustrative metrics that can support both operational monitoring and audit evidence collection. Practical implementation artifacts, such as starter risk assessment matrices, control testing procedures, and metric dashboards, are designed to accelerate deployment and reduce time-to-value. Building on COSO’s earlier Realize the Full Potential of Artificial Intelligence report, the new guidance is authored by academics and practitioners from Arizona State University, the University of Duisburg-Essen, EY, Meta, and Brigham Young University.
