AI Risk and Accountability: The Rising Importance of GRC Professionals

Posted on Wednesday, April 15, 2026 by Careers In Group

AI, Assurance and Accountability: Who Really Owns Risk in the Age of Automation?

There is now no doubt that artificial intelligence is changing the way organisations operate.

It is changing how information is processed, how decisions are supported, how communications are drafted and how work moves through businesses at speed. That shift is no longer theoretical. McKinsey’s 2025 global survey found that nearly nine in ten respondents say their organisations are regularly using AI, yet adoption remains uneven and many firms are still struggling to embed it deeply and effectively across workflows.

That combination of momentum and uncertainty is what makes this moment so significant.

AI is clearly delivering value. But as it becomes more deeply embedded in operations, and increasingly present in the hands of individuals across organisations, a more difficult question begins to surface: who really owns the risk when AI influences decisions, actions and outcomes?

That question matters because however sophisticated the technology becomes, organisations cannot currently delegate accountability to artificial intelligence. If something goes wrong, ‘It wasn’t me, AI did it’ will not be an adequate answer. Responsibility still sits with people, management teams and ultimately the organisations themselves. The regulatory direction of travel supports that view: the EU AI Act entered into force on 1 August 2024, establishing a risk-based framework for AI and reinforcing the principle that AI deployment must be governed responsibly.

 

The pace of change is outstripping the pace of governance

One of the most striking features of the current AI landscape is the imbalance between speed of change and the ability of organisations to build proper frameworks around that change.

Many businesses now accept that AI is transformative. There is a growing recognition that it will reshape operations, careers, decision-making and competitive advantage. But there is much less clarity around what mature governance should look like in practice, especially once AI is no longer confined to a central innovation team and starts influencing everyday communication, judgment and execution across the business. That tension is visible in current research. McKinsey reports that almost all companies are investing in AI, but only 1% consider themselves mature in how they are deploying it, and the firm argues that leadership, not workforce willingness, is the main barrier to scaling responsibly.

This feels important, because the real challenge may not be whether organisations adopt AI, but whether they can do so with enough clarity, ownership and control.

 

This is not just a technology issue

AI risk does not sit only with technology teams.

AI may be powered by technology, but as we all know and are experiencing, the implications now reach far beyond IT. They touch decision quality, regulation, conduct, data, customer outcomes, operational resilience, model oversight, reputational exposure and governance itself. That is why this increasingly looks like an enterprise risk issue, not a niche technical one.

Boards are being pulled into this conversation at pace for good reason. Deloitte’s global survey of board directors and executives found that almost 50% said AI was not yet on the board agenda, even as the same research points to growing urgency around board-level oversight. PwC similarly argues that board oversight of AI needs to focus not only on innovation and growth, but also on responsible use, strategic impact and risk.

In other words, AI governance is moving rapidly out of the lab and into the boardroom.

 

Why GRC functions matter more, not less

For professionals in governance, risk and compliance, this is a significant moment.

There is sometimes a fear that AI will reduce the relevance of second- and third-line functions by automating analysis, expanding monitoring capability or accelerating reporting. In reality, the opposite may prove true. As AI becomes more embedded, organisations are likely to need more judgment, not less: more challenge, more cross-functional coordination, more clarity on roles and more confidence that the right questions are being asked before problems emerge.

This is where GRC professionals become especially important.

The real value of strong compliance, risk, audit and controls leaders has never been confined to technical knowledge alone. It lies in their ability to apply judgment in live environments, understand consequences, challenge constructively, interpret uncertainty and help organisations move forward responsibly rather than recklessly.

That human layer matters even more when the technology itself can appear persuasive, efficient and confident.

 

Human judgment is still the ultimate control

For all the value AI may bring, the human responsibility does not disappear. This may be the most important point of all.

AI can support pattern recognition, produce draft outputs, synthesise information and improve speed. What it does not do, at least not in any accountable organisational sense, is bear responsibility for the outcome. It does not carry fiduciary duty, regulatory responsibility or leadership consequence. People do.

That is why the relationship between humans and technology matters so much. NIST’s Generative AI Profile, released in July 2024 as part of its AI Risk Management Framework, is built around helping organisations identify and manage the distinctive risks of generative AI in line with their own goals, legal requirements and priorities. The implication is clear: AI risk management is not simply about buying tools. It is about building structures for oversight, interpretation and responsible use.

From a career perspective, that makes certain human capabilities even more valuable: judgment, communication, ethical reasoning, contextual awareness, calm decision-making and the ability to challenge without derailing progress.

 

A balanced interpretation, not a fixed blueprint

It is still early.

That is worth saying clearly. Many organisations are at different stages of maturity. Some are experimenting carefully. Others are moving quickly. Some have strong governance instincts but limited technical depth. Others are advancing technologically while still working out where ownership should sit.

So it is probably too soon to claim that there is one settled model for AI accountability.

But it is not too soon to say that the organisations navigating this well are unlikely to treat AI as a tool that can simply be deployed and left to run. The more embedded it becomes, the more important it will be to define accountability, create oversight mechanisms, involve leadership and ensure that governance evolves alongside capability.

That is why this should remain an open and thoughtful conversation rather than a rigid one.

 

What this means for individuals building GRC careers

For people working in governance, risk and compliance, the message is not to become alarmist, nor to position themselves as blockers to innovation.

It is to understand where their value is rising.

The World Economic Forum’s Future of Jobs Report 2025 found that analytical thinking remains the top core skill for employers, with resilience, flexibility, leadership and social influence also ranking highly. Those are deeply relevant capabilities for GRC professionals navigating AI-related change.

So the challenge for individuals is twofold.

First, stay educated. You do not need to be an engineer, but you do need to understand how AI is being used, where the pressure points may be, and what responsible deployment means in practice.

Second, invest in the capabilities that make you difficult to replace. Leadership. Judgment. Communication. The confidence to ask difficult questions. The credibility to engage with senior stakeholders. The ability to understand both risk and commercial reality at the same time.

Those qualities are not separate from the AI conversation. They are becoming central to it.

 

The opportunity inside the uncertainty

It is easy to focus only on the risk side of this debate. But there is an opportunity here too.

As organisations wrestle with speed, uncertainty and accountability, GRC professionals have a chance to reposition themselves very powerfully: not as control functions standing on the sidelines, but as strategic partners helping businesses adopt transformative technologies with maturity and confidence.

That is a meaningful shift.

The firms that get this right are unlikely to be the ones that ignore AI, nor the ones that rush ahead without sufficient guardrails. More likely, they will be the ones that recognise both the opportunity and the responsibility, and that build governance accordingly.

AI may change how decisions are shaped, informed and accelerated. But it does not remove the need for human responsibility. If anything, it makes the quality of governance, judgment and oversight more important than ever.
