By Yasmine Abdillahi, 27 January 2025
The era of artificial intelligence (AI) adoption is testing the old ways of doing compliance, underscoring the need for continuous monitoring. Compliance isn’t a one-and-done activity, but organisational incentives and goals sometimes fail to reflect this.
While your organisation may only need to conduct an audit annually, compliance is a continuous process. Factors are constantly changing, whether it’s new regulations, the adoption of new technologies, or new threats arising.
As organisations rapidly adopt AI, a host of new security risks and compliance concerns proliferate, and leaders across the spectrum are quickly trying to put guardrails in place.
A proven approach to staying ahead is continuous controls monitoring (CCM). When leaders have visibility into the compliance posture of information and technology they own, they are empowered to make better tech decisions.
The evolving world of risk & compliance
AI adoption is happening at breakneck speeds. In the latest McKinsey Global Survey on AI [1], 65% of respondents reported that their organisation regularly used generative AI, nearly double the percentage from the same survey conducted ten months prior.
This adoption often happens without putting security guardrails in place beforehand. In many cases, security happens in parallel or as an afterthought; in some situations, it’s ignored or overlooked altogether.
Another security concern around AI is that without clean data to train AI models, organisations can face additional risks. Putting frameworks and guardrails in place to help ensure quality data is quickly becoming another facet of compliance.
New regulations and compliance mandates are also being developed and introduced, including the Securities and Exchange Commission’s cybersecurity disclosure rules [2] for publicly traded companies, not to mention a number of industry-specific requirements.
AI is also quickly shifting the regulatory landscape. Although there’s currently no overarching regulation for AI in the US, we should assume that more AI regulation is coming, especially with the European Union’s AI Act [3] coming into force in August. The new regulation attempts to crack down on or regulate AI development and usage in the EU, despite how difficult it will be to enforce [4].
Emerging AI risks
This advice on AI comes as a NatWest survey revealed AI-powered scams are rapidly increasing, including the worrying rise of AI voice cloning scams.
NatWest's research [5], which combined industry data with a national survey of 2,000 British adults, found that AI voice cloning was the third fastest growing scam of 2024. Fraudsters are using the technology to create realistic audio impersonations of trusted individuals or authorities, in order to solicit sensitive information and/or secure authorisation for fraudulent transactions.
In total, 86% of respondents to the survey said they are concerned that rapid developments in AI will give criminals new ways to con people.
The role of continuous controls monitoring
One of the best ways to stay on top of all the different regulations – especially amid the adoption of new tools and the emergence of new risks – is to make compliance an ongoing process.
Compliance is becoming a scenario where you can’t just check the boxes once or twice yearly to meet audit requirements. The digital world has begun moving too fast for that. Compliance is like a continuously exercised muscle that must adapt to new and evolving factors.
CCM can play a critical role. This emerging governance, risk, and compliance (GRC) technology automates controls monitoring and helps reduce audit stress. It helps organisations improve their overall risk management by identifying gaps and anomalies, and by raising alerts when issues are found.
This empowers GRC teams to go beyond security and compliance to support strategy and drive outcomes. Most importantly, it enables leaders who own technology assets, sensitive data flows, and external relationships to make better technology decisions by having ongoing visibility into the security and privacy posture.
Best practices for CCM success
Look for solutions that take a cohesive approach. One way to do this is through a data fabric platform that gathers data from enterprise cybersecurity and IT solutions and then enriches that data with business data. This allows companies to conduct data analytics that help them measure internal control effectiveness and compliance with current laws.
You need an approach that will deliver consistent and accurate compliance dashboards and reports that measure risks and control effectiveness against the benchmarks you’ve established for your business.
Placing cleansed and enriched data at the core will enable GRC teams to offer quick compliance answers and resolutions, and can reduce the time spent on audit preparedness.
You’ll also need to prioritise data quality and governance over a fancy visualisation layer. Structured and streamlined data will drive adoption throughout your three lines of defence; the first line being operational managers, the second the teams responsible for risk management and compliance functions, and the third being the internal audit process.
This approach also helps sustain the use of CCM in a scalable manner. Gradually build your CCM capabilities by prioritising specific areas and going through the entire cycle with data providers, control owners and auditors. Driving maturity and adoption is like planting seeds and growing them into healthy, thriving plants: it doesn’t happen overnight, and it requires a careful process with constant attention, but the benefits can be harvested on an ongoing basis and in the long run.
Laying the foundation for compliance success
Compliance monitoring sounds like a straightforward concept. However, meeting compliance requirements can feel like trying to hit a moving target, especially when new policies and technologies abound.
As organisations rapidly adopt AI, compliance is becoming increasingly important, but in many ways, the rules are still being written along the way. CCM can provide a strong foundation for companies looking to stay compliant and secure despite the rapid changes.
About the author
Yasmine Abdillahi, Executive Director of Security Risk and Compliance and Business Information Security Officer at Comcast, is an expert in governance, risk, and compliance (GRC). She brings a wealth of knowledge and experience to the table, having led the implementation of successful GRC programmes for large global companies. Yasmine’s passion lies in bridging the gap between the technical and business aspects of cybersecurity, ensuring that risk management strategies are aligned with organisational objectives.
This article has been republished with permission from Compliance Week, a US-based information service on corporate governance, risk, and compliance. Compliance Week is a sister company to the International Compliance Association. Both organisations are under the umbrella of Wilmington plc. To read more visit www.complianceweek.com