Insights

In this article, Norman Marks explores what the future holds for internal auditing as AI, automation, and rapidly evolving business processes begin to reshape the very foundations of risk and control. Drawing on a real-world anecdote, he challenges auditors to rethink not just their tools, but their purpose, urging the profession to move beyond incremental change and confront the deeper question of what meaningful assurance looks like in a world where the rules are being rewritten in real time.

Organizations today exist within ecosystems defined by volatility, complexity, and interconnectedness. Traditional risk management models, designed for slower and more predictable environments, rely on retrospective analysis and periodic assessment. They tell leaders what went wrong after the fact, but they struggle to foresee emerging vulnerabilities or cascading effects. As data volumes expand and the pace of change accelerates, enterprises require a new approach that shifts risk management from static oversight to continuous foresight. The concept of the digital twin offers that shift; a way to understand, anticipate, and influence organizational risk in real time.

Across large enterprises, boards are approving AI governance frameworks. The policy approval meeting has become a standard board agenda item: AI use case register, model risk policy, ethics principles, human oversight requirements. The vote passes. The governance record is clean.

There is a date that does not yet appear on any calendar. Cybersecurity experts refer to it as Q-Day, the moment when a quantum computer becomes capable of breaking the encryption that protects nearly all sensitive digital communications worldwide. No one knows the precise timing. Estimates vary from a few years to possibly a decade or more.

There was a time, not long ago, when sustainability lived comfortably in the realm of language. It was shaped in marketing decks and annual reports, polished into pledges and promises that felt, if not always precise, then at least directionally virtuous. Companies spoke of pathways and commitments, of journeys toward net zero and stewardship, and for a while that was enough. The words carried weight simply because they were spoken.

Corporate governance has not failed because of a lack of rules. It has failed because it has lost sight of its purpose. That is the central argument of my new book, Mission Critical Governance: Focusing Management and Boards on What Matters Most, a work shaped by decades of experience and a growing recognition that modern governance systems are not delivering what boards, investors, and society now expect.

AI isn’t waiting for governance to catch up and that gap is quickly turning into one of the most serious risk challenges organizations face today. As companies push ahead with more advanced, increasingly autonomous AI systems, many are doing so without the controls needed to manage them effectively. What was once a manageable oversight issue is becoming something more structural. Agentic AI is beginning to operate beyond traditional human decision loops, and the longer governance lags behind, the harder it becomes to rein it back in.