
COSO 2026 and the governance shift in AI-enabled decision-making

COSO 2026 redefines internal control, focusing on real-time oversight, traceability and accountability for AI-driven decision-making.


In brief
  • COSO 2026 shifts control upstream, requiring real‑time evidence of how AI shapes judgments — not just validation of final outputs.
  • Governance must capture decision paths, enforce guardrails, and ensure traceability, accountability and timely oversight across roles.
  • Leaders must align systems, risk and assurance to reflect continuous, AI‑driven decisions in fast, interconnected environments.

Internal control expectations change when decision-making changes. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has evolved to clarify accountability, evidence and assurance as business models and risk profiles shift. The February 2026 release of Achieving Effective Internal Control Over Generative AI marks another inflection point. While framed around generative AI, the guidance addresses a broader issue: judgment is increasingly shaped by automated, probabilistic and continuously changing systems. Control can no longer focus only on recorded outcomes. It must extend to how decisions are formed.

AI now influences estimates, classifications, forecasts and recommendations before transactions are recorded and before traditional controls operate. Many organizations can control the final output but cannot consistently evidence the decision path — including inputs, model output, human review, exceptions and changes — that led to that outcome. COSO 2026 responds by moving control expectations upstream. Effective control depends on contemporaneous evidence that AI-influenced judgments were reviewed, challenged and constrained by defined guardrails. Timing, traceability and accountability become part of control design, not documentation assembled after the fact.


This aligns with how risk materializes in non-linear, accelerated, volatile and interconnected (NAVI) environments. Risks propagate faster, cross functional boundaries and surface between review cycles. Operating models built around periodic reviews struggle to keep pace. Organizations that perform better in these conditions surface issues earlier, clarify decision ownership and retain decision-level evidence as judgments are formed.


COSO 2026 reframes the central question from whether downstream controls exist to whether disciplined oversight is applied at the point where judgment is formed. Governance, evidence, risk sensing and assurance span multiple roles, and a weakness in any one undermines confidence in the whole.


What follows is how this shift shows up, in practical terms, across key leadership roles.

Boards and audit committees: oversight for where judgment is formed

Boards and audit committees increasingly rely on analysis shaped by AI, often without treating that reliance as a distinct governance consideration. Forecasts, scenario analyses and risk assessments may incorporate AI-assisted reasoning at multiple stages, even when the final materials appear conventional.


COSO 2026 brings this reliance into the scope of oversight. Expectations extend to understanding how AI-influenced judgments are produced, what constraints apply to their use, and how changes in assumptions or performance are surfaced over time. The focus is not technical validation, but confidence in decision quality under changing conditions.


Oversight effectiveness increasingly depends on defined parameters. When acceptable AI usage, tolerance thresholds and escalation expectations are explicit, boards receive earlier signals and clearer context. When they are not, issues tend to surface during audit or regulatory review — when response options are narrower and stakes are higher.

Key takeaways for boards and audit committees

  • Clarify where AI influences judgments relied upon for oversight.
  • Define acceptable parameters and tolerance levels for that use.
  • Require reporting that supports timely escalation as boundaries are approached.

CIOs: control begins with system design

For technology leaders, COSO’s shift upstream makes system architecture a governance issue, not just an engineering choice.

For AI-enabled decisions, the ability to govern and assure outcomes depends heavily on system design. Architectural choices determine whether evidence exists, whether dependencies are visible and whether change can be detected while it still matters.

COSO 2026 reflects this dependency by linking internal control expectations directly to AI system architecture. Model lineage, deployment approvals, decision logs and dependency mappings become part of production readiness, not artifacts assembled after the fact.

These design choices also affect operating speed. Event- and trigger-based governance relies on reliable signals — and those signals only exist when systems are instrumented to capture and surface them consistently.

Key takeaways for CIOs

  • Embed governance logging and traceability into AI system architecture.
  • Establish documented deployment gates for AI that influences controlled processes.
  • Maintain AI dependency mapping as a production-level artifact.
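As an added illustration, not part of the COSO guidance or of this article, the following Python sketch shows one way the decision path described above can be captured at the moment a judgment is formed rather than reconstructed later. Each record ties the model version (lineage), a digest of the inputs, the model output, the accountable reviewer's action and the value that actually flowed into the controlled process into a hash chain, so a later edit of any record is detectable and records can be selected by reporting period. The field names, identifiers and sample values (the reserve estimates, the reviewer address) are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Any, Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first record


def _canonical(obj: Any) -> bytes:
    # Deterministic serialisation so equal content always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), default=str).encode()


def digest_inputs(inputs: dict) -> str:
    """Fingerprint the inputs the model saw without retaining them in the log itself."""
    return hashlib.sha256(_canonical(inputs)).hexdigest()


@dataclass
class DecisionRecord:
    decision_id: str
    recorded_at: str       # written when the judgment is formed, not reconstructed later
    model_id: str
    model_version: str     # lineage: which deployed model produced the output
    input_digest: str
    model_output: Any
    reviewer: str          # the accountable human, by identity
    review_action: str     # "accepted", "overridden" or "escalated"
    final_value: Any       # what actually flowed into the controlled process
    prev_hash: str         # link to the previous record; a silent edit breaks the chain
    record_hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("record_hash")
        return hashlib.sha256(_canonical(body)).hexdigest()


class DecisionLog:
    """Append-only log of AI-influenced judgments, hash-chained record to record (hypothetical)."""

    ALLOWED_ACTIONS = {"accepted", "overridden", "escalated"}

    def __init__(self) -> None:
        self.records: list[DecisionRecord] = []

    def append(self, *, decision_id: str, model_id: str, model_version: str, inputs: dict,
               model_output: Any, reviewer: str, review_action: str, final_value: Any,
               now: Optional[datetime] = None) -> DecisionRecord:
        if review_action not in self.ALLOWED_ACTIONS:
            raise ValueError(f"unknown review action: {review_action!r}")
        if review_action == "accepted" and final_value != model_output:
            raise ValueError("an 'accepted' output must equal the recorded model output")
        recorded_at = (now or datetime.now(timezone.utc)).isoformat()
        prev_hash = self.records[-1].record_hash if self.records else GENESIS_HASH
        rec = DecisionRecord(decision_id, recorded_at, model_id, model_version,
                             digest_inputs(inputs), model_output, reviewer, review_action,
                             final_value, prev_hash)
        rec.record_hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, Optional[int]]:
        """(True, None) if every record is unchanged and linked; else (False, first bad index)."""
        prev_hash = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec.prev_hash != prev_hash or rec.record_hash != rec.compute_hash():
                return False, i
            prev_hash = rec.record_hash
        return True, None

    def in_period(self, start: datetime, end: datetime) -> list[DecisionRecord]:
        """Records whose evidence was created inside [start, end): the reporting-period test."""
        return [r for r in self.records if start <= datetime.fromisoformat(r.recorded_at) < end]


def demo() -> dict:
    """Constructed sample: two reserve estimates, then a post-close edit of the first record."""
    log = DecisionLog()
    log.append(decision_id="RES-0001", model_id="reserve-estimator", model_version="2.3.0",
               inputs={"claims_open": 412, "severity_index": 1.07}, model_output=1_250_000,
               reviewer="controller@example.com", review_action="accepted", final_value=1_250_000,
               now=datetime(2026, 2, 10, tzinfo=timezone.utc))
    log.append(decision_id="RES-0002", model_id="reserve-estimator", model_version="2.4.0",
               inputs={"claims_open": 398, "severity_index": 1.12}, model_output=1_310_000,
               reviewer="controller@example.com", review_action="overridden", final_value=1_400_000,
               now=datetime(2026, 3, 28, tzinfo=timezone.utc))
    intact_before, _ = log.verify()
    q1 = log.in_period(datetime(2026, 1, 1, tzinfo=timezone.utc),
                       datetime(2026, 4, 1, tzinfo=timezone.utc))
    # Someone "corrects" the first estimate after close without recording a new decision.
    log.records[0].final_value = 1_100_000
    intact_after, first_bad = log.verify()
    return {"intact_before": intact_before, "records_in_q1": len(q1),
            "intact_after_edit": intact_after, "first_bad_record": first_bad}


if __name__ == "__main__":
    print(demo())
```

The chain only makes silent edits detectable; it does not prevent them, and it proves nothing about records that were never written. In practice the log would be written by the serving path itself, stored append-only outside the team that owns the model, and its head hash periodically anchored somewhere the control owner does not administer. An override is recorded as a distinct action with the accountable reviewer attached, which is the "human review, exceptions and changes" part of the decision path the article calls for.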

CFOs: evidence is a reporting‑period issue

For finance leaders, the implications surface most clearly at close — when judgment turns into reported numbers and evidence becomes binary.


AI now plays a role in many judgments that flow directly into financial reporting, particularly estimates and classifications. In this context, the quality and timing of evidence directly affect exposure.


COSO 2026 clarifies that documentation for AI-assisted judgments must exist within the reporting period in which those judgments are relied upon. If the record does not exist contemporaneously, explanations after close do not substitute for evidence.


This shifts attention earlier in the reporting cycle. Alignment on evidence standards increasingly needs to occur before close and before audit fieldwork begins — when options for adjustment still exist.

Key takeaways for CFOs

  • Treat AI-related documentation as period-specific evidence.
  • Align early with technology teams on what must be captured and retained.
  • Set expectations with auditors ahead of close on AI-related evidence standards.

CROs: AI risk evolves continuously

For risk leaders, COSO 2026 reinforces a reality already visible in practice: AI risk does not wait for the next assessment cycle.

AI risk changes through model updates, data drift, autonomy adjustments and vendor releases. These changes often occur outside traditional risk assessment cycles and without formal escalation.

COSO 2026 situates AI risk firmly within enterprise risk management and favors governance models that respond to change as it occurs. Event- and trigger-based mechanisms become central to keeping risk views aligned with operational reality.

This approach mirrors how risk increasingly manifests in practice, where shifts in underlying systems matter more than static classifications.

Key takeaways for CROs

  • Shift AI risk governance toward event-driven reassessment.
  • Define triggers that require escalation or control adjustment.
  • Ensure risk registers reflect actual AI usage patterns, including informal deployments.

CAEs: assurance focused on decision quality

For internal audit, the shift is less about adding new subject matter and more about changing where assurance looks for confidence.

Internal audit is increasingly asked to provide confidence over outcomes shaped by AI-influenced judgment. Traditional audit approaches — focused on process execution and approval — struggle to address this shift.

COSO 2026 expands assurance expectations to include the quality of oversight and challenge applied to AI-assisted decisions. Audit scope and methodology evolve to reflect where judgment occurs, not just where transactions are processed.

For audit committees, confidence increasingly depends on whether assurance reflects how decisions were made and governed — not simply whether controls were followed.

Key takeaways for CAEs

  • Include AI systems with Internal Control over Financial Reporting (ICFR) impact explicitly in the audit universe.
  • Evolve testing approaches to assess meaningful oversight and challenge.
  • Anchor assurance conclusions in decision quality and governance effectiveness.

Closing perspective

COSO 2026 brings internal control closer to where judgment occurs. Evidence, accountability and tolerance definition move upstream into the AI-influenced decision layer.

Organizations that align governance and assurance models with this reality experience fewer evidential gaps, more predictable audit outcomes and greater confidence when decisions are tested. In a NAVI environment, that alignment supports faster response without sacrificing control.

For risk, finance, technology and assurance leaders, the work ahead is practical rather than theoretical. It involves adjusting governance, system design and evidence creation so they reflect how decisions are made today. When that alignment is in place, internal control supports confidence at the moment it matters.

Summary

COSO 2026 highlights a governance shift driven by AI’s growing role in decision-making, emphasizing stronger AI governance across organizations. Control expectations move upstream, requiring concurrent evidence of how judgments are formed. Traditional review cycles cannot keep pace with rapidly evolving risks, making continuous, event-based oversight essential. Effective AI governance depends on traceability, accountability and integration with system architecture. This transformation affects boards, technology, finance, risk and audit functions, requiring coordinated approaches to governance, evidence creation and assurance to ensure reliable outcomes and sustained confidence in AI-driven decisions.
