CCI staff share recent surveys, reports and analysis on risk, compliance, governance, infosec and leadership issues. Share details of your survey with us: editor@corporatecomplianceinsights.com.
Deloitte: AI governance lacking across industries
Nearly two-thirds of organizations have adopted generative AI without establishing proper governance controls, highlighting a significant gap between implementation and oversight, according to new research from Deloitte.
While 58% of organizations are currently using generative AI to some degree, the study found that 21% of extensive AI users and 41% of limited AI users have no controls in place. This governance gap persists even as AI adoption expands, though it narrows somewhat with more extensive AI use.
“It is critical that organizations adopting GenAI tools also adopt corresponding guardrails to govern its use — ideally before implementation,” said Casey Kacirek, internal audit managing director at Deloitte & Touche LLP. “Organizations that are already using GenAI without a controls framework should prioritize putting the necessary controls in place to minimize unintended consequences of the technology and protect the integrity of outputs.”
Other key findings:
- Only 47% of AI governance professionals express confidence in their organization’s ability to adapt controls in response to evolving marketplace risks.
- Organizations with robust AI controls show 3.2 times higher confidence in their control programs compared to the baseline.
- Data governance emerged as the top controls gap for most organizations, while ethical and responsible AI guidelines were the primary concern for extensive AI users (46%).
The August 2024 survey polled more than 430 professionals involved in their organizations’ AI governance activities.
Nearly 80% of finserv firms see AI as vital but lack governance programs
Most financial services firms view artificial intelligence (AI) as critical to the industry’s future, yet only 32% have formal AI governance programs in place, according to new research from Smarsh, a communications data and intelligence firm.
While 81% of large firms report feeling pressure to adopt AI to remain competitive, many are proceeding cautiously amid regulatory uncertainty and rising concerns about unauthorized “shadow AI” use by employees. The survey found that 33% of firms plan to continue restricting generative AI use entirely in 2025, while others expect to pursue adoption around specific, controlled use cases.
“While regulation often lags innovation, the absence of established AI governance poses significant risks,” said Neva DePalma, general counsel at Smarsh. “We believe in responsible AI that can deliver immense business value and enhanced productivity, while simultaneously preserving the integrity of the firms that leverage it and the entire financial system.”
Other key findings:
- Exposure of proprietary information to AI systems (45%) and AI-powered cyber threats (44%) rank as top concerns, with AI model risk (11%) following.
- The majority of firms (67%) aim to leverage generative AI in 2025, with document search and retrieval automation (36%) and communications surveillance (31%) as priority use cases.
- Beyond compliance, organizations are exploring AI for revenue opportunities (18%), insider threat detection (16%) and HR policy monitoring (7%).
The October 2024 survey polled compliance and IT professionals from over 250 financial services institutions, including registered investment advisers, broker-dealers, global banks, private equity firms and insurance providers.
AI-enhanced attacks strike 1 in 4 companies
One in four organizations have already experienced AI-enhanced security threats related to APIs or large language models, according to new research from Kong, a cloud API technology developer.
The study reveals a concerning gap between perceived and actual security readiness, with 85% of organizations expressing confidence in their security capabilities despite 55% suffering an API security incident in the past year. The financial impact is significant, with 20% of organizations reporting API security incidents costing more than $500,000 in the previous 12 months.
“Organizations cannot afford to underestimate their own security risks — especially in the age of AI,” said Marco Palladino, chief technology officer and co-founder of Kong. “As AI continues to advance, not only will companies create more vulnerabilities within their own organizations, but attacks will become more sophisticated.”
Other key findings:
- Organizations are responding with increased monitoring and traffic analysis (66%), staff education on AI threats (60%) and AI-driven threat detection systems (51%).
- While 88% cite API security as a top priority, only 35% are adopting zero-trust architecture, and just 3% view shadow APIs as a significant threat.
- Nearly half (45%) of organizations dedicate at least 20% of their cybersecurity budgets to API security, yet 41% doubt their investment is sufficient.
The October-November 2024 survey polled 700 IT professionals and business leaders across the U.S. and UK.
94% of financial institutions expect data budgets to rise in 2025
Nearly all financial institutions (94%) expect to increase their data budgets next year, yet only 21% track data costs in real time, according to new research from Gresham, a data integrity and control solutions provider.
The study of 200 senior data decision-makers in UK and U.S. financial services firms found that 34% face hidden cost surprises in data management, while 44% still rely on manual processes to track costs from different sources and reconcile vendor invoices. Most firms (42%) only monitor data consumption and costs monthly, limiting their ability to control expenses effectively.
“While it’s encouraging that almost all financial institutions are investing more in data management, there’s a crucial concern about how these funds are being utilized,” said Neil Vernon, chief technology officer at Gresham. “Is this increased spend a strategic investment to drive innovation, or are firms simply losing control over their costs due to hidden expenses and inefficiencies?”
Other key findings:
- Only 21% of firms track data consumption, allocation and costs in real time.
- 42% of organizations monitor data costs on a monthly basis.
- 44% still use manual processes to track costs and reconcile vendor invoices.
- 34% report hidden cost surprises as a serious business issue.
Experienced auditors deliver better value, finds UC Riverside study
Audit partners with extensive industry experience provide higher-quality audits at lower costs, while less experienced auditors often employ deceptive “lowballing” practices that result in higher long-term fees, according to new research from UC Riverside’s School of Business.
The study of 32,000 audit engagements reveals that auditors with at least 15 years of industry experience charged consistently lower fees without compromising quality, while less experienced auditors initially offered discounted rates but significantly increased fees in subsequent years. Companies using experienced auditors saw fee increases of just 3% after the first year, compared to 15% increases from less experienced auditors.
“Expertise matters. An experienced audit partner in your industry can navigate complexities more efficiently, saving costs while ensuring better quality,” said Birendra Mishra, professor of accounting at UC Riverside and study co-author. “Think of an audit partner like a skilled surgeon — the more experience they have, the quicker and more precise they are, and that efficiency translates to savings for clients.”
Key findings:
- Partners with industry experience of 15 firm-years or more were least likely to engage in fee increases after initial discounts.
- Experience-based fee discounts did not compromise audit quality, while lowball pricing was associated with lower quality audits.
- Institutional investors showed greater confidence in audit partners with higher industry experience, as evidenced by lower voting dissent on auditor appointments.
- Client companies of experienced auditors demonstrated stronger links between earnings and stock prices, suggesting increased investor trust.
The research, published in Auditing: A Journal of Practice & Theory, analyzed data from India, where regulations requiring disclosure of lead auditors enabled tracking of industry-specific experience.