How Audit, Risk, and Compliance Can Bridge the Promise and Perils of Generative AI

Midway through 2024, generative AI continues to dominate discussions with contrasting narratives about its transformative potential and inherent risks. Is it the revolutionary game-changer that will reshape our world or an overhyped technology fraught with unforeseen dangers? The truth likely resides somewhere in between. What is evident is that we are at a crucial juncture in understanding and leveraging generative AI.

Audit, risk, and compliance professionals are pivotal in navigating this landscape. We serve as both guardians of governance—ensuring AI adoption doesn’t expose organizations to undue risks—and as enablers, helping to harness AI’s potential for innovation and value creation. This dual role presents a unique opportunity to balance the promise and perils of generative AI. Achieving this balance requires close collaboration with business leaders to chart an optimal digital risk path, recognizing AI’s potential impact within the broader context of digital risk realities.

To aid organizations in navigating the complexities of generative AI, I have successfully employed two frameworks designed to help distinguish hype from reality and provide a structured approach to understanding and managing risk.

Gartner’s Hype Cycle: Insight for Navigating the Hype

The first framework is Gartner’s Hype Cycle, an invaluable tool that depicts the market hype surrounding various technologies. This cycle helps organizations determine when to manage deployment within their specific business and industry context. During my tenure as a global research leader and market analyst at Gartner, I helped craft many of these reports, guiding organizations through the five phases:

1. Innovation Trigger: New technologies garner significant media attention, sparking widespread interest, though practical applications remain limited.
2. Peak of Inflated Expectations: High levels of publicity create lofty expectations. Initial implementations may fail to deliver, leading to disillusionment. (Generative AI currently resides here.
3. Trough of Disillusionment: Interest wanes as technologies fail to meet expectations. However, substantial development occurs as providers refine products.
4. Slope of Enlightenment: Technologies improve, and use cases increase, showcasing potential benefits. Adoption increases as benefits become more evident.
5. Plateau of Productivity: Technologies achieve widespread adoption as their benefits are broadly understood and realized.

Gartner’s 2023 Hype Cycle for Emerging Technologies presents a diverse landscape of technologies, many still in the early stages.

Adoption and Maturity: A Nuanced Lens on AI’s Potential

Two critical but often overlooked factors in the Hype Cycle are the adoption rate and speed to maturity. These factors offer a more balanced perspective on generative AI’s potential.

• Rate of Adoption: This metric gauges how quickly a technology is embraced across markets. Rapid adoption can expedite movement through the Hype Cycle, while slow adoption may indicate a prolonged stay in the Trough of Disillusionment. Goldman Sachs economists forecast that generative AI could add 1.5% to annual U.S. productivity growth over the next decade post-mainstream adoption. With the Federal Reserve projecting long-term U.S. growth at 1.8%, this could nearly double growth—but only after widespread adoption.

• Speed to Maturity: This metric measures how quickly a technology evolves to where its benefits are broadly realized. While some technologies linger, others rapidly ascend the Slope of Enlightenment. Gartner estimates generative AI’s average adoption rate to be 1–5%, with maturity to mainstream adoption (over 50%) expected within three to six years. Given the current pace of technological advancements and increasing integration of AI into various sectors, it’s reasonable to project generative AI’s widespread adoption and maturity extending into 2027.

Generative AI in the Digital Risk Cycle for 2024

The Hype Cycle provides valuable insights but leaves risk considerations unaddressed. To address this, I developed a practical roadmap inspired by Gartner’s Hype Cycle called the Digital Risk Cycle, outlining five phases to trace the optimal digital risk path. I have successfully used this digital risk cycle to help organizations better understand the challenges they face when creating new digital products and services. For 2024, generative AI is positioned between the Pinnacle of Peril and the Pit of Empty Promises, with projections extending this progression into 2025:

1. Risk Catalyst: Organizations have identified numerous digital risks associated with generative AI, such as data bias and misinformation.
2. Pinnacle of Peril: As generative AI’s hype peaks, the potential impacts are not fully understood, necessitating thorough risk assessments and enhanced controls.
3. Pit of Empty Promises: Reality sets in as some generative AI implementations fail to meet expectations. Organizations must now implement risk responses, reassess risks, and adapt controls to mitigate unforeseen issues. This phase is projected to continue into 2025 as more organizations face the realities of AI implementation.
4. Incline of Integration: As generative AI technologies improve and use cases become clearer, organizations will expand risk scenarios and align risk management strategies with broader business goals. This phase is projected for late 2025/2026.
5. Mesa of Mitigation (Projected for 2027 and beyond): With risks fully managed, risk management strategies will be embedded in operational processes, realizing the full potential of generative AI.

While personal use cases for generative AI have proliferated, enterprise use cases are still developing. These enterprise applications require secured, specialized models that operate exclusively within the bounds of the business to prevent data corruption and information leaks. This additional layer of complexity is why the enterprise adoption timeline extends further.

Implications of the EU AI Act

Adding to the complexity is the rollout of the European Union’s landmark AI Act, set to take effect next month. This comprehensive legislation sets a global benchmark, emphasizing trust, transparency, and accountability in AI usage. It imposes strict transparency obligations on high-risk AI systems while imposing lighter requirements on general-purpose AI models. The Act restricts real-time biometric surveillance in public spaces to specific severe cases and bans AI applications like social scoring and predictive policing. With fines for violations ranging from 7.5 million euros to 35 million euros or up to 7% of global turnover, the AI Act underscores the critical need for robust risk management and compliance frameworks.

The Act’s global reach means that companies outside the EU using EU customer data in their AI platforms must comply, likely influencing other regions to adopt similar standards. This regulatory environment further underscores the need for integrated risk management practices as organizations navigate the evolving landscape of generative AI.

Integrated Risk Management (IRM): Connecting the Dots

As organizations progress along the optimal digital risk path, the need for integrated risk management becomes evident. Risks are not siloed; understanding how AI-driven digital risks interconnect with others across the organization is crucial. IRM technologies are essential for this holistic view. For instance, AuditBoard’s connected risk platform now integrates AI capabilities to enhance efficiency cross-functional visibility, and provide actionable insights.

Audit, risk, and compliance professionals have a unique opportunity to bridge generative AI’s promise and perils. Ensure your organization adopts a balanced view and an IRM approach to capitalize on AI’s transformative potential while managing its risks effectively.