Throughout my career, I’ve met many audit leaders. They’re smart, experienced, and know risk inside out. When AI comes up, the conversation usually goes in one of two directions.

Some are enthusiastic and already experimenting with AI. Others are more cautious and prefer to wait and see. Interestingly, both groups usually have one thing in common: neither has actually measured where they stand.

This isn’t a criticism. It’s simply the current state of the profession.

From my hands-on work with AI tools in audit, compliance, and business operations, I’ve noticed that using AI isn’t the same as being ready for it. A team might use ChatGPT every day but still lack governance documentation, a validation protocol, or clear guidelines for staff on what they can share with a language model. The real risk lies in the gap between casual use and true capability.

"The 2024 IIA Global Standards didn't soften the language on this. Documented proof of how AI is being used, governed, and disclosed isn't a future requirement. It's a current one."

Before talking about tools, training, or transformation, it’s important to start with a simple question: What does your function actually look like today, measured across the key areas of data access, technology, staff skills, policy, leadership, and methodology?

I’ve been developing an AI readiness practice for internal audit teams, and I’ve found that most teams overestimate their readiness until they see the scorecard. This isn’t due to carelessness, but because they’ve never had a structured baseline to measure against.

Worth reflecting on: Where your function stands on AI readiness isn't just a technology question. It's also a governance question. And the answer to it matters more now than it did a year ago.