KPMG highlights COSO’s new framework for governing generative AI

COSO’s GenAI roadmap turns AI governance into a control question, not a hype question, and KPMG says that shift is already reshaping client conversations.

Marcus Chen · 6 min read
Source: kpmg.com

COSO’s GenAI framework gives leaders a control lens for a fast-moving technology

KPMG is pointing clients to a simple but consequential idea: if your team wants to use generative AI at scale, you need to govern it the way you govern other material business processes. COSO’s new roadmap, *Achieving Effective Internal Control Over Generative AI*, released on February 23, 2026, applies the familiar internal-control model to a technology that is already changing how work gets done, how decisions get made, and how information moves through the enterprise.

AI-generated illustration

That matters inside a Big 4 environment because genAI is no longer a side experiment tucked into innovation labs. It is showing up in audit procedures, tax analysis, advisory deliverables, and internal knowledge work, which means the burden is shifting from curiosity to accountability. The key question for leaders is not whether employees will use these tools. It is whether they can explain where the tools are used, who owns the risks, and what controls stand between a prompt and a client-facing output.

Why COSO’s framework is getting attention now

COSO’s guidance is built on the Internal Control–Integrated Framework, the same foundation that was originally issued in 1992 and refreshed in 2013. The new roadmap is explicitly described as applicable to all entities, which is part of what makes it useful for firms like KPMG and for clients that span regulated industries, consumer businesses, and fast-scaling technology groups.

The framework does not treat genAI as a single monolithic risk. Instead, it organizes use cases into eight capability types: ingestion, transformation, posting, orchestration, judgment, monitoring, regulatory intelligence, and human-AI interaction. That distinction is more than academic. A tool that ingests data into a draft memo creates different risks from one that makes a judgment recommendation or one that interacts directly with employees or customers.

COSO also maps genAI to the five core internal-control components: control environment, risk assessment, control activities, information and communication, and monitoring activities. For workplace leaders, that is the governance message in practical form. You do not need a brand-new AI policy sitting apart from the rest of the control structure. You need to ask how AI fits into the control environment employees already work in, how risks are assessed, what checks are built into the workflow, how information is communicated, and how the system is monitored after launch.

The control questions leaders should answer before scaling genAI

The most useful part of COSO’s roadmap is that it forces management to move from enthusiasm to specifics. Before asking employees to rely on genAI at scale, leaders should be able to answer a set of control questions that map to the framework’s 17 principles.

  • Where is genAI already being used, including in pilot projects, productivity tools, and unofficial shadow usage?
  • Which use cases are limited to drafting and summarization, and which touch judgment, approvals, or external communications?
  • Who owns each use case when something goes wrong: the business leader, the control owner, IT, legal, or a combination?
  • What review burden will fall on managers, audit teams, and client service teams if AI output still needs human validation?
  • How will the firm explain whether an AI-assisted conclusion was tested, challenged, and approved?

Those questions sound basic, but they are exactly where trust is won or lost. If employees are told to use genAI for speed while reviewers are not given enough time, guidance, or authority to challenge the output, the organization quietly creates a new form of risk debt. That debt shows up later as rework, reputational damage, weak documentation, or a control failure that senior leaders have to explain after the fact.

What the roadmap means for audit, risk, and advisory teams

For KPMG professionals, COSO’s roadmap is especially useful because it gives teams a common vocabulary for client discussions. Audit, risk, and advisory practitioners can use the capability taxonomy to map where AI lives inside a process and then ask what controls should exist at each point. That makes the conversation less abstract and more defensible in front of a board, an audit committee, or a skeptical controller.

Deloitte’s analysis of the guidance says it can be used by management, internal auditors, IT risk, legal, boards, and external auditors, which underscores how cross-functional the issue has become. Deloitte also lays out a six-step implementation roadmap: govern, inventory, assess, design, implement, and monitor. For client teams, that sequence is important because it mirrors how real control work gets done. First you establish ownership, then you find the use cases, then you assess the risks, then you design controls, then you roll them out, and only then do you monitor whether they actually hold up.

That structure also reflects the biggest GenAI risks Deloitte identifies: rapid change, limited explainability, and uncontrolled adoption, often called shadow AI. Those risks are familiar to anyone who has seen a promising tool spread faster than the surrounding process can absorb it. In professional services, where deliverables often move quickly from draft to client-ready form, the temptation to use AI as a shortcut is obvious. The governance challenge is making sure speed does not outrun evidence, review, or accountability.

The cultural stakes inside a firm like KPMG

This is where the issue becomes more than a policy exercise. GenAI changes team behavior. It changes how associates draft, how managers review, how partners sign off, and how much confidence people place in work that no human wrote line by line. If governance is weak, employees learn that the fastest answer matters more than the verified one. If governance is strong, they learn that AI is a tool inside a supervised process, not a substitute for judgment.

KPMG’s own board-oversight work shows why the stakes are rising. The firm says the market is moving from experimentation toward company-wide use and potential transformation. It also says two-thirds of C-suite executives surveyed planned to invest more than $50 million in genAI over the next 12 months, while 51% of directors said their companies were actively exploring GenAI in selective pilots and proofs of concept, nearly 20% had started scaling it broadly, and 4% saw it as core to business operations.

Those numbers show that the pressure is not hypothetical. Boards are being pushed to accelerate experimentation and build guardrails at the same time. That tension lands directly on the people doing the work, especially in a profession where promotion cycles reward judgment, quality, and the ability to supervise others. If genAI increases throughput without increasing control discipline, it can quietly raise the review burden for managers and partners. If it is governed well, it can reduce low-value effort and leave more time for higher-order analysis.

From a framework to daily practice

COSO’s roadmap is effective because it is not trying to reinvent internal control. It is extending a familiar structure to a new operating reality. The real test is whether organizations can turn that structure into day-to-day habits: inventories that stay current, escalation paths that people actually use, documentation that survives review, and monitoring that catches drift before it becomes a problem.

For KPMG teams, that means the conversation with clients should not begin with “What can AI do?” It should begin with “What are you willing to trust it to do, and what controls prove that trust is deserved?” That is the governing question behind the framework, and it is the one that will shape how AI changes work across audit, consulting, and every other function that now wants the speed without losing the controls.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.