This article offers a step-by-step guide to applying COSO's Internal Control Framework as a practical roadmap for managing AI risk across the enterprise.

AI presents compliance leaders with an extraordinary opportunity — and an equally extraordinary liability. Organizations increasingly expect compliance to oversee AI risk in its entirety, and when AI fails, the post-mortem questions are predictable: Who assessed the risk? Who tested the controls? Who approved deployment?

The good news: a roadmap already exists. In 2021, COSO published guidance on applying its Integrated Internal Control and Enterprise Risk Management Frameworks to AI — before generative AI became a boardroom fixation. StoneTurn Partners Jonny Frank and Michael Costa walk through how compliance practitioners can put that guidance to work today.

Their step-by-step approach covers each component of the COSO Internal Control Framework as applied to AI risk:

  • Control Environment — Leadership must make AI risk management an enterprise priority, requiring that all AI use cases be disclosed, inventoried, and subject to risk review.
  • Risk Assessment — Organizations cannot manage what they cannot see. Building a comprehensive AI inventory, defining risk appetite, and identifying potential failure events are foundational steps.
  • Control Activities — The focus should be on the effectiveness of the full control suite rather than on individual controls judged in isolation — and on whether, taken together, those controls bring residual risk within appetite.
  • Information & Communication — Reporting on AI performance is not a check-the-box exercise, and organizations should also develop crisis communications protocols before they need them.
  • Monitoring Activities — AI systems evolve, data changes, and risk profiles shift. Control effectiveness must be tested regularly, alongside ongoing monitoring of data quality and model performance.

In a period when compliance’s relevance is questioned and budgets tighten, AI risk management offers a concrete opportunity to demonstrate indispensable value. COSO provides the architecture — and the documentation trail — to meet that moment.

Read the full article in Compliance Week.

If you have any questions or would like to discuss how we can help, reach out to Jonny Frank or Michael Costa.

To receive Insights, sign up for our newsletter.

About the Authors

Jonny Frank

Jonny Frank brings over 45 years of public and private sector and law and business school teaching experience in forensic investigations, compliance, and risk management. He helps organizations and counsel […]

Michael Costa

Michael Costa, a Partner with StoneTurn, has deep experience in data analytics and data science, financial crime, investigations, complex litigation, and compliance matters. He leverages artificial intelligence and advanced analytics […]
