Insights

Five Ways GRC Professionals Are Actually Using AI & the One Place I Will Not Put It

About a year ago, a risk analyst on one of my client teams told me she had just reviewed a 94-page SOC 2 report in twelve minutes. She used Claude. She did it at her kitchen table at 9 PM because she had two kids and the workday had long since ended.

From Business Case to Business Change: Making TPRM Value Stick

The response to my session at Icon 2026 reminded me of something I have seen many times in this field. Organizations are not struggling to agree with the argument for supplier risk management. They are struggling to act on it. In the latest piece on my website, We Are Measuring the Value of TPRM Wrong, I argued that the business case for supplier risk management has been framed too narrowly and too focused on workflow, controls, and compliance, and not nearly enough on avoided disruption, avoided loss, and the confidence to move through uncertainty.

From Volume to Judgment as FinCEN Forces AML Into Its Next Phase

For decades, anti-money laundering compliance has been defined by accumulation. More alerts, more filings, more controls, more documentation. Each layer added with the quiet understanding that no one would be faulted for doing too much, only for doing too little. The result was not failure, exactly, but a kind of defensive equilibrium. Programs became expansive, but not necessarily incisive. Activity was measurable. Effectiveness was not.

What Is in the Future for Internal Auditing?

In this article, Norman Marks explores what the future holds for internal auditing as AI, automation, and rapidly evolving business processes begin to reshape the very foundations of risk and control. Drawing on a real-world anecdote, he challenges auditors to rethink not just their tools, but their purpose, urging the profession to move beyond incremental change and confront the deeper question of what meaningful assurance looks like in a world where the rules are being rewritten in real time.

Digital Twins in Risk Management: Building the Intelligent Mirror of the Enterprise

Organizations today exist within ecosystems defined by volatility, complexity, and interconnectedness. Traditional risk management models, designed for slower and more predictable environments, rely on retrospective analysis and periodic assessment. They tell leaders what went wrong after the fact, but they struggle to foresee emerging vulnerabilities or cascading effects. As data volumes expand and the pace of change accelerates, enterprises require a new approach that shifts risk management from static oversight to continuous foresight. The concept of the digital twin offers that shift: a way to understand, anticipate, and influence organizational risk in real time.

AI Authorization Is Not AI Accountability

Across large enterprises, boards are approving AI governance frameworks. The policy approval meeting has become a standard board agenda item: AI use case register, model risk policy, ethics principles, human oversight requirements. The vote passes. The governance record is clean.

Don’t Wait for Q-Day: Why the Quantum Threat Is Already Here

There is a date that does not yet appear on any calendar. Cybersecurity experts refer to it as Q-Day, the moment when a quantum computer becomes capable of breaking the encryption that protects nearly all sensitive digital communications worldwide. No one knows the precise timing. Estimates vary from a few years to possibly a decade or more.