If you want to build a house in one year’s time, how much time would you spend in the design phase versus the build phase? Anyone will agree: You can’t afford to delay construction too long.

But when the “house” in question is our Internal Audit or SOX team’s AI adoption plan, many of us are still stuck in analysis paralysis. We know the clock is ticking, but we hesitate to start building until we’re confident we have the skills, knowledge, and tech for the “perfect” blueprint. 

When it comes to AI adoption, there’s no such thing as perfect. 

Nobody has all the answers. We’re all learning as we go. It’s gonna be messy.

That’s okay, because here’s the truth: The knowledge and skills you need to adopt AI in Internal Audit or SOX only come from hands-on learning. That means making an imperfect plan and breaking ground. It means digging in and getting a reality-check on how a plan works in the real world.

Industry surveys keep showing that most Internal Audit and SOX teams are still either not using AI in their work or conducting only informal, individually driven experimentation. 

To move the needle, these teams need to start thinking differently about AI adoption. 

That’s what motivated the Internal Audit Collective’s AI Advisory Working Group to develop a simple framework capturing the front-line perspectives and practical guidance teams need to make incremental but meaningful progress on their AI journeys. We’re grateful to Ashes Basnet, Alan Maran, and Kaine Kenerly for their insights, time, and leadership in creating the framework, which they originally shared during a March 26, 2026, webinar. 

In particular, I want to give a huge shout-out to Ashes, who invested considerable thought and heart into ideating this framework. Ashes has quickly distinguished himself with his willingness to lean in and help his peers be successful in implementing AI. His passion is real and his ideas reliably actionable, so I encourage you to sign up for any Internal Audit Collective event Ashes is holding.

No matter where you are in your maturity journey, adopting AI primarily requires four key components: Time and Capacity, Leadership Buy-In, Structure and Guidance, and Skills and Confidence. Address all four, and meaningful adoption and sustainable skills will follow.

Inevitably, providing the uber-critical time and capacity and leadership buy-in is up to you and your team. But when it comes to structure and guidance and building the skills and confidence to put them into practice, the Internal Audit Collective's AI Maturity Framework is here to help.

THE MISSION: Make Real Progress (or Just Get Started)

Every Internal Audit team’s AI journey is different. We’ve all got different constraints and priorities. 

Some teams feel hindered by understandable governance concerns (e.g., data privacy/security, unclear guidance or policies, legal or ethical issues). Others point to limitations in available AI tools, or concerns about audit quality or reliance. The #1 challenge for most teams, however, still comes down to a simple lack of skills or training. 

Whatever hurdles you’re facing, it helps to get your head around the big picture of AI adoption: 

• What activities will help you build a foundation for responsible, sustainable AI use? 
• What needs to happen next to help your AI program structure and scale? 
• How can you set the stage for increasing automation and ongoing innovation? 

THE FRAMEWORK: The AI Maturity Framework

To be clear, there’s no be-all, end-all solution for advancing AI maturity. Anyone trying to sell you that may also have some oceanfront property in Arizona they’d be willing to sell you. 

But it’s helpful to have a roadmap that helps you understand where your team is now, as well as where you’d like to be in the future. 

That’s what our AI Maturity Framework is for. Each stage’s activities are a straightforward, plain-English playbook for reaching that stage and those that follow.

We’ll share more detailed stage-specific playbooks and auditor tips for ALL stages in an upcoming eBook. Today, however, we’ll focus on (1) the overall framework and (2) practical early-stage tactics.

The Big Picture: Three Stages of AI Adoption

Our maturity framework keeps it simple: What are the key activities? How do they differ across stages? Most teams readily fit in one of three buckets: early, intermediate, or advanced.

Early Stage: Explore & Experiment

This is where most teams are today. 

Teams at this stage are aware of and exploring core AI tools (e.g., GPTs, add-ons to enterprise software). But experimentation is most often driven by individual auditors getting curious and taking the initiative. Sometimes, experimentation is happening without the team’s knowledge. 

This stage typically ranks high on chaos and low on structure and standardization. Auditors have tons of questions and precious few answers. Again, that’s totally okay. 

You’ll find more early-stage guidance further along in this article. But first: What do the other two stages look like? 

Intermediate Stage: Structure & Scale

This is where most Internal Audit and SOX teams hope to get to in 2026 or 2027. The challenge now is moving from isolated, individually driven experimentation to repeatable, structured, governed AI use across the team. 

Leaders at this stage are investing in training, carving out time for more targeted experimentation, embedding standard AI procedures into workflows, and starting to measure AI metrics. They’re building momentum while establishing critical governance. 

Alan’s team’s experience reinforces our thesis that time and leadership are critical for driving adoption. Alan proactively reset expectations with management and the Audit Committee, explaining that the team would conduct fewer audit projects in the coming year so they could devote more time to AI experimentation. After that, said Alan, “It’s just getting organized.” Whereas previously, everybody had been doing their own AI experimentation, the team began identifying where efforts were similar, standardizing prompts, assessing their implementation goals, and aligning efforts accordingly. 

Alan explained, “The first thing we did was map an entire audit lifecycle in my organization… and identify where AI could create most of the time savings in each phase.” They prioritized the list by task frequency and time investment to create a strategic AI investment roadmap.

Teams report that this is when AI’s true potential and impact start to feel real. As Ashes put it, “If you ask me what the one metric is that changes behavior the fastest, it’s time. So we need to start measuring it. When your team sees that an AI-assisted workpaper takes two hours instead of six, the adoption conversation becomes very different.”   

Advanced Stage: Automate & Innovate

Very few teams have reached this stage. But we’ll have an even harder time getting there if we don’t know what “there” looks like. 

In the advanced stage, AI is no longer just assisting auditors in completing their work. Teams are now embedding AI to automate parts of the audit lifecycle (e.g., agentic AI workflows, automated testing, continuous auditing), augment their advisory work, and support ongoing innovation. In all cases, auditors are still responsible for ensuring the human in the loop.

Critically, advanced teams (1) have access to mature data and (2) align and benefit from the organization’s overall AI strategy and protocols, including proactively staying in the loop with other organizational stakeholders using AI and seeking to leverage their experience and approaches. 

As Kaine explained, “At this stage, it’s really important to align with your organization’s AI strategy and development standards. I can't emphasize this enough. Doing that allows us to benefit from existing protocols and ensure safe deployment and responsible use. So it’s really important to plug into your existing organizational structure and not just do this in a silo.”

The Early-Stage Playbook: Start Small and Embrace the Chaos

Early on, the goal of your AI program isn’t sophistication. It’s just getting out of the starting blocks. 

A few guidelines from the front lines… 

1. Don’t Wait for Formal Permission or a “Mandate” 

This is one of the most common mistakes Internal Audit and SOX teams make. 

We understand risk. We respect policy. And we’re notoriously slow to adopt new technologies, figuring it’s safer and more efficient to let other teams work out the “bugs.”

That won’t happen with AI. AI is innately buggy, and another team’s problems won’t necessarily be your problems. We have to find and work out our own bugs.

Plus, most likely, you’ve already got AI tools in your toolbox — all you really need to get started in a safe, simple way. Most enterprise software now embeds AI capabilities (e.g., Google Gemini, Microsoft Copilot, Salesforce Einstein, SAP S/4HANA, Oracle NetSuite, ServiceNow Now Assist). 

2. Give Yourself Permission to Experiment in a Safe, Simple Way 

Start by reviewing your organization’s AI usage policy. Then, set and communicate minimum guardrails for safe, confident AI use and commit to using AI responsibly. 

Early on — especially if you’re using enterprise AI tools — you don’t have to anticipate every possible risk scenario. Simple experimentation that stays within the usage policy helps keep risk to a minimum.

3. Start Small

As the saying goes, you have to crawl before you can walk. So start small and keep it simple, progressively building AI literacy. For example:

• Start with the tools you already have. For example, if you have an enterprise instance of Gemini, ChatGPT, or Claude, try using it for simple writing or research tasks. 
• Experiment with existing prompts. Instead of starting from scratch, gain experience by trying out auditor-developed prompts across the audit lifecycle. See what works (and what doesn’t). “Once you start doing it, you’ll get the hang of it,” said Ashes. 
• Start with 2–3 high-frequency, low-risk use cases. At this stage, you’re nowhere near ready to revamp your entire audit lifecycle with AI. Instead, hone in on a few areas that are repetitive and/or text-heavy. What simple AI use cases will have the biggest near-term impact? For example, Alan’s team initially focused on using LLMs to write first drafts (or rewrite existing drafts) of planning documents, RCMs, and audit reports. That helped them notch quick wins and start building real momentum. 

4. Provide Time, Leadership, Guidance, and Inspiration 

Again, these are the four crucial components teams need when adopting AI. If you provide all four, the skills will follow. With that in mind:

• Set the expectation for AI experimentation. Stress the importance of using AI while creating a low-pressure environment that reframes “failures” as opportunities to learn and improve.
• Find ways to carve out time and provide guidance and inspiration. Again, start small. Devoting 1–2 hours a week WILL make a difference. Below are some leading practices. 
  
  • Run a weekly team “AI Sprint.” Consider devoting one hour a week to reviewing one use case and developing one shared reflection. These efforts will ultimately yield prompts that work. 
  • Create a starter prompt library. Collect, quality-check, and share the prompts that work, moving toward greater consistency, repeatability, and quality.
  • Set a baseline for AI literacy. For example, mandate one structured learning module for everyone on the team within a certain time period.
  • Consider leading practices from other teams on the front lines. For example, AI Advisory Working Group member Joe Earl generously shared the five-step approach he used to uplevel his team in AI, which includes guidance on:
    
    • Building a prompt library
    • Encouraging and tracking AI use on every project
    • Discussing AI usage in regular meetings
    • Holding “prompt practice” office hours (directly inspiring the Internal Audit Collective’s ongoing AI Office Hours sessions!)
    • Communicating your upskilling plan to organizational leadership 

THE LAST WORD: Stop Waiting and Start Building

This article is obviously not our last word on the topic of AI adoption. Just as every AI adoption plan will be an iterative work in progress, so will the Internal Audit Collective’s AI-focused guidance. 

The important thing is that, as we’re all learning, iterating, and improving, auditors work together to create the how-to resources we need to keep moving the needle on AI. 

With that in mind:

• An upcoming eBook will provide detailed playbooks for all three maturity stages alongside insights from Internal Audit and SOX leaders and links to free and members-only resources. 
• We’ll keep hosting our Prompt Practice office hours. **Why not assign one team member to cover each one, refine the prompt for your team’s use, and share it back with your team?** 
• We’ll also keep the AI-focused webinars and roundtables coming, and continue developing our fast-growing members-only AI Prompt and Agent Library. 

Again, if you’re not treating AI as the urgent imperative it is — getting started and breaking ground — it’s time to start thinking differently about AI adoption. So in closing, I’m going to let Kaine have the actual last word, because I couldn’t have said it better myself. 

“This digital transformation is unlike anything our industry has ever seen before… Unlike previous digital transformations like data analytics, AI has leveled the playing field to an extent that practitioners at all levels can engage and innovate,” said Kaine. “This opportunity is likely not optional, but rather existential.”

‍