How organizations are turning risk into resilience

The 2025 EY Technology Risk Pulse Survey shows how governance, controls and assessments are valued for helping to mitigate technology risks.


In brief
  • EY survey shows that organizations recognize and value compliance and technology governance as they develop trusted, confident stakeholder relationships.
  • IT compliance, AI integration and cybersecurity are top areas of investment for technology risk management.
  • Risk mitigation helps organizations to confidently confront technology challenges.

As digital transformation accelerates, the IT infrastructure supporting businesses and their operations will become increasingly complex. As a result, technology risks, controls and integrity will require even more robust oversight mechanisms. Despite these challenges, advanced technological tools offer new opportunities to drive innovation, enhance security and build resilience.

The 2025 EY Technology Risk Pulse Survey reveals several encouraging trends in the technology risk landscape. Organizations are proactively investing in compliance, advanced technology integration and cybersecurity to strengthen their resilience and security posture.

One of the notable positive trends is the recognition of the importance of technology governance and compliance. This approach is essential in demonstrating a commitment to risk management and due diligence.

1. Technology governance and compliance are recognized as essential in demonstrating trust and confidence to stakeholders.

Regulations and global frameworks remain a primary focus as organizations work to address challenges posed by technology transformation. When it comes to projecting trust and confidence to stakeholders, 81% of respondents rank the Sarbanes-Oxley Act (SOX) and Internal Control over Financial Reporting (ICFR) as very or extremely important, and 78% consider System and Organization Controls (SOC) reporting as a matter of high importance in the support of their financial statement audits.


Survey respondents also recognize the importance of governance and aligning their programs with global standards, such as AICPA Trust Services Criteria (SOC 2), International Organization for Standardization (ISO) and National Institute of Standards and Technology (NIST), as well as regulations such as General Data Protection Regulation (GDPR) and the Network Information Security Directive 2 (NIS 2).

Many organizations view cyber program maturity assessments and AI impact assessments as essential tools to boost their defenses and assist with governance and regulatory compliance.


2. Decision makers are worried about the potential negative impacts of new technologies on their organization.  

C-suite respondents across industries are highly concerned about the effect of new technologies on their organization.

More than two-thirds of respondents view the impact on cybersecurity as the top risk facing their organization, with perimeter breaches (57%) and cloud security risks (53%) as the biggest cybersecurity concerns today. Half (50%) of decision makers believe AI-generated attacks are among the most significant cybersecurity risks.

System integration, audit, Sarbanes-Oxley Act (SOX), Internal Control over Financial Reporting (ICFR) and System and Organization Controls (SOC) reporting also ranked as areas that may be negatively impacted by new technologies.


3. Organizations are investing in IT compliance, AI integration and cybersecurity to strengthen integrity and risk management.


More than half of the decision makers anticipate leveraging artificial intelligence for use in IT infrastructure (59%) and cybersecurity (58%) within the next 18 to 24 months. However, while organizations are heavily investing in IT compliance/assessments and AI, the challenge is complicated by talent and resource shortages. Only 23% of survey respondents reported investing in people as a primary concern.

The integration of AI into IT infrastructure and cybersecurity operations is complex, and it is complicated further by a shortage of talent and a mismatch between skill sets and job requirements.

As firms prioritize investment in IT compliance, assessments and integrating new technologies, a parallel focus on people strengthens a company’s ability to keep pace with advances in AI and cybersecurity for sustained success. This bears out in a separate poll. The 2025 EY Cybersecurity Study found that C-suite leaders whose organizations have adopted AI into cybersecurity practices are more likely to say that their organization’s cyber budget should prioritize investment in people over new technology.

4. Risk mitigation empowers organizations to confidently confront technology challenges and adapt to an ever-changing digital environment.

Organizations that engage their auditors to provide technology risk mitigation services identified cybersecurity, data security/digital resilience, IT system implementation assessments and SOC reporting as highly rated services.

Cybersecurity program assessments were among the most valued technology risk mitigation services, cited by 69% of respondents. These assessments proactively aim to identify vulnerabilities and protect against threats that, if undetected, could directly impact business operational resiliency and damage customer and investor trust. Support for cybersecurity program assessments was even higher among Chief Information Officers and Chief Risk Officers.

Overall data security and digital resilience ranks as a top-three risk reduction reason to engage an auditing firm for 65% of all respondents and for nearly three in four Chief Technology Officers.

While it is expected that cybersecurity and data security will continue to be top of mind, the pulse poll shows that organizations also highly value assessments and attestations (e.g., SOC reports) that support broader risk management and provide a structured approach to identifying potential data and privacy risks and control recommendations. IT system implementation assessments, which evaluate the potential impacts and readiness of technology changes before they are fully implemented, are particularly lauded by CISOs and Controllers. Among other leadership roles, we found that Chief Compliance Officers consider SOC reporting and ISO certifications among the key technology risk management services worth seeking from an auditor.


It is encouraging to see that respondents appreciate the value of IT system assessments. By prioritizing planning and governance, companies can navigate technology changes confidently.

Tips for building resilience and trust

Organizations that embrace rigorous assessments, governance frameworks and regulatory compliance can transform risk into resilience. Here’s how:

  • Invest in proactive compliance measures to promote adherence to IT-related laws and regulations.
  • Prioritize the development of a comprehensive cybersecurity risk management strategy.
  • Establish clear AI governance frameworks to build trust with stakeholders and mitigate risks associated with AI integration.
  • Include SOC reporting and ISO certification among core practices to strengthen oversight of controls.
  • Conduct IT system implementation assessments to evaluate the readiness and impact of technology changes before full deployment.

Building resilience and trust is an ongoing commitment. Organizations are encouraged to continually and proactively evaluate emerging technologies and invest in skilled personnel and resources to position themselves to withstand disruption and become more resilient. By staying informed and investing in robust IT risk management strategies, businesses can navigate the complexities of the digital age with confidence.

About the survey: In June 2025, the EY Technology Risk Pulse Poll surveyed 403 executive decision makers from US organizations with annual revenues of $1 billion or more. The survey aimed to capture the perspectives of influential roles such as CFOs, CIOs, CTOs and compliance officers.


Summary 

The inaugural EY Tech Risk Pulse Survey highlights how organizations are steering investments toward AI-driven infrastructure, security and audit-ready controls. Our survey results show the critical need for organizations to prioritize governance, compliance and cybersecurity to mitigate emerging risks. Assessing and addressing security gaps, integration risks and skilling talent remain key areas of focus.
