An Auditor's Mindset in an AI Driven World

First line: Management (process/model owners) has the primary responsibility to own and manage risks associated with development and day-to-day operational activities. Management should have a baseline understanding of risks in AI applications and where they manifest themselves in the specific models and data relevant to the organization's use cases. Second line: Risk management provides oversight in the form of frameworks, policies, procedures, methodologies, and tools. The second-line function should have a deep understanding of the AI-specific risks and related controls and mitigation. In assessing the first-line functions, internal audit should assess whether AI development and monitoring adheres to the organization's policies, best practices for model development and relevant regulations.