Mapping AI risk to your SOX controls
Here's the shift most banks haven't internalized: the moment an AI system influences a number that flows into financial reporting, it sits inside your internal control over financial reporting and becomes SOX-relevant. "The AI generated it" is not a defense to an auditor; the control owner still has to show that the figure is complete, accurate and reviewed. The good news is you don't need a brand-new rulebook: you need to extend the controls you already run.
Treat the AI like any other reporting control
SOX and your IT general controls already cover the things AI threatens; they just weren't written with probabilistic, autonomous systems in mind. Map AI to them directly:
- Data integrity → the data feeding the AI (including any retrieval corpus or prompt context) must be complete, accurate, and traceable back to its source system (lineage), exactly as your reporting data already must be.
- Change management → a model update is a change, and so is a prompt, retrieval-source or parameter change that alters outputs. Version it, test it against a held-out set of known answers, document it, approve it, like any release that touches financial systems.
- Access controls → least privilege applies to AI agents and the service accounts and tool permissions they run with, not just to people; an agent whose job is to read the ledger should not be able to write to it.
- Evidence & auditability → every AI-generated figure should carry provenance (source records, metric definitions, as-of date, model and prompt version) and leave an audit trail a reviewer can replay.
- Human oversight → high-stakes outputs that hit the reporting pack get a human check, with the reviewer, the time and the decision recorded. Accountability never disappears; it relocates.
If your model influences a financial figure, it's in scope. Govern it with the controls a CFO and an auditor already understand.
Where model risk fits
If you have a model-risk function (built on the Federal Reserve/OCC SR 11-7 guidance), AI extends it rather than replacing it: model inventory, independent validation, ongoing monitoring, and documentation all apply, now including generative and agentic systems, where validation also has to cover prompts, retrieval sources and the tools an agent is allowed to call. The win is integration: one control environment, AI included, evidenced as you operate rather than reconstructed in a pre-audit fire drill.
Is your data ready for AI reporting?
Take the free 4-minute readiness assessment and get your maturity level with prioritized fixes — instantly.