Corporate Governance | January 15, 2026 | 3 min read

Audit Committee and Board of Directors: Responsible for AI Integration in Risk Prevention and Sanctions

97% of organizations lack access controls for AI, exposing companies to critical risks. Is your Audit Committee prepared?

José Carlos Ortiz

Governance, Risk and Compliance Lead Partner

Artificial Intelligence is no longer just another technological tool; it has become a strategic pillar of organizations, with implications that go beyond operational efficiency: it directly affects risk management, fraud prevention, and regulatory compliance. However, the most alarming fact is that 97% of organizations lack access controls for AI, according to the IBM 2025 report, exposing companies to risks ranging from security breaches to significant legal sanctions.

In this context, the responsibility falls on two key corporate governance bodies: the Audit Committee and the Board of Directors.

The Role of the Audit Committee

The Audit Committee's essential function is to oversee the effectiveness of the organization's internal control and risk management systems. With AI adoption, this responsibility expands to:

1. Supervising AI Governance

The Committee must ensure that clear policies exist on AI use, including access controls, security protocols, and mechanisms to detect and mitigate algorithmic biases.

2. Verifying Regulatory Compliance

AI is subject to an emerging regulatory framework (such as the European Union's AI Act and data protection laws in Mexico). The Committee must monitor whether the technological tools in use comply with local and international regulations, reducing the risk of sanctions.

3. Fraud and Cyberattack Prevention

A recent report from ESED (2025) warns that AI-driven cyberattacks have increased exponentially. The Audit Committee must require periodic cybersecurity assessments and incident reports to anticipate vulnerabilities.

The Role of the Board of Directors

For its part, the Board of Directors has the strategic responsibility of guiding the organization toward ethical and efficient AI adoption:

1. Defining AI Strategy

Technology must be aligned with long-term corporate objectives. The Board must ensure that investments in AI not only pursue efficiency but also sustainability and responsible management.

2. Promoting a Culture of Integrity

The fact that 97% of organizations lack AI access controls reveals a lack of organizational culture around responsible technology. The Board must promote training programs, ethical awareness, and the development of a code of conduct for the use of technological tools.

3. Emerging Risk Management

AI can identify threats before they materialize, but it can also generate risks if not properly supervised. The Board must include AI in its strategic risk matrices.

AI as an Ally in Risk Prevention and Sanctions

Far from being a problem, well-implemented AI can be a fundamental ally for:

  • Detecting unusual operations or fraud patterns through predictive analysis.
  • Anticipating regulatory non-compliance by automating transaction and report supervision.
  • Strengthening internal control with continuous audits based on machine learning algorithms.

However, without proper oversight, AI use can lead to serious consequences:

  • Regulatory sanctions for mishandling personal data or algorithmic discrimination.
  • Reputation loss due to technological practices perceived as irresponsible.
  • Legal liability of board members and executives in case of negligence in technology governance.

Conclusion

The IBM data—97% of organizations without AI access controls—should be a wake-up call for Audit Committees and Boards of Directors. It's not enough to adopt AI; it must be governed with the same rigor used to manage financial and human resources.

At ASG Risk, we accompany organizations in developing technology governance frameworks, assessing emerging risks, and creating robust internal controls so that AI becomes a value driver, not a contingency generator.


References:

  • IBM. (2025). AI Security and Governance Report 2025.
  • ESED. (2025). Cyberattacks 2025: New AI-driven threats.
