Artificial intelligence is no longer a futuristic concept. It's reshaping how organisations operate today. But the gap between experimenting with AI and truly embedding it into your workflows is wider than most leaders realise. The question isn't whether to adopt AI, but how to do it strategically, safely and sustainably.
Where Are You on the AI Maturity Journey?
Understanding your current position is the first step towards meaningful progress. We've identified five distinct levels of AI maturity that organisations typically move through:
Most small-mid sized organisations today find themselves in the early experimentation phase. The defining characteristic here is individual use rather than team-wide adoption. You'll see people using AI tools to draft documents or refine their thinking through ad-hoc queries, but it's not yet systematic.
Progressive teams are moving into the embedding stage. They're building AI tools trained in their specific reporting styles and tones, establishing clear governance frameworks, and defining concrete use cases.
At the top end of the current landscape, highly skilled teams are developing custom, complex tools and agents that deliver significant efficiency and quality improvements.
Defining Your AI Strategy: Purpose Before Technology
Here's the critical question teams ask: "Where do I want to get to in the next two, three, or five years, and how will AI help me do that?"
What you don't want is to be driven by the fear of missing out, the sense that "everybody else is using AI, so I should too." That's a recipe for wasted resources and effort. AI is undoubtedly becoming more pertinent within organisations, but adoption must be strategic and purposeful.
Equally important is right-sized governance. AI introduces new risks and organisations need assurance that these tools are being used responsibly. The governance framework should match your organisation's risk appetite and stage of maturity, neither so restrictive that it stifles innovation, nor so permissive that it exposes you to unnecessary risk.
The Five Implementation Pillars
To move systematically through the maturity levels, we can frame AI adoption against five critical pillars:
This foundational pillar encompasses your AI usage policy, risk assessment framework, and ethical guidelines. The best teams start by asking where they want to be in the next few years and how AI will help them get there, rather than simply following the crowd.
You need right-sized governance that acknowledges AI's new risks whilst enabling responsible innovation. But it's crucial to think holistically when defining your AI strategy. AI doesn't just introduce new risks, it can also amplify existing ones across your organisation. For example, deploying an organisation-wide AI platform might expose data protection gaps you didn't know existed, increasing the likelihood of inappropriate access to sensitive information. This holistic view should inform your organisation's risk appetite. What level of experimentation and innovation are you comfortable with? Your governance framework must reflect this clearly.
Internal Audit functions: When auditing or implementing AI, make sure that governance and strategy are aligned and right-sized to work together.
Once governance is in place, you need to build capability within your teams. This means comprehensive training on how to use AI tools - not just safely, but effectively.
Much of this comes down to prompt engineering. As we see it, English is becoming our next programming language. We need to learn to communicate with computers the same way we communicate with people to get the most out of them. This requires moving beyond basic tool familiarity to true proficiency.
Training should cover both the essentials of risk management (what not to do) and optimisation techniques (how to get the best results). When embedding AI into specific processes, role-specific training becomes critical.
Internal Audit functions: When considering the effectiveness of AI training, look for coverage of risk essentials (how to safely use AI) and ask if it successfully upskills employees to be able to use AI productively, in alignment to strategy.
When thinking about infrastructure, beware of "shiny brochure syndrome." It's easy to attend a conference, see impressive new technology and think "I need that." The AI space is flooded with vendors eager to sell you solutions.
Instead, pick a solution that works for your organisation, one your team will adopt and use consistently. It's no good having all the bells and whistles if nobody understands how to operate them. Focus on practical tools that align with your specific needs and integrate well with your existing systems.
Key infrastructure considerations include secure AI environment access, robust data governance protocols, and a structured tool evaluation process that includes whitelisting or blacklisting based on your risk appetite.
Internal Audit functions: Whether auditing AI infrastructure or selecting it for the IA team, ask whether the tools chosen genuinely support how your team works today and how you want it to work tomorrow. Are solutions understandable, usable, and trusted by the team, and do access, data handling, and tool approval decisions reflect your risk appetite?
If you want innovation, you need a culture that supports it. People need to feel they can experiment, fail, and learn - and they need dedicated time to do so.
It might be tempting to let junior team members experiment whilst senior leaders stay on the sidelines. However, without senior buy-in, these initiatives often fail. The best approach to innovation and ideation is to have senior leaders carve out safe spaces, set clear direction and provide teams with the support they need.
One effective approach we’ve seen is bringing the team together to workshop problems and ideas, then having a few nominated individuals take those ideas away to develop solutions and finally presenting back to the full team for feedback and refinement.
Internal Audit functions: For example, if you have 25% of your audit files failing quality assurance, set the specific target of building a QA bot using AI to improve quality in approach and documentation. Invest your budgeted QA resources to build it. By framing the question and setting the direction, you provide focus while still enabling creativity.
Integration signals that you're moving beyond experimentation and embedding AI across everything you do. The real payoff is freeing up time to focus on things that truly matter - the high-value activities that require human judgement, creativity and relationship-building.
Beyond internal processes, think about how you integrate with the broader business. If your organisation is dragging its heels on AI adoption, step up to the plate. Implement it safely within your function and become that guiding light for others. Alternatively, if you're waiting for the business to implement technology, get a seat at the table and help them make the change happen properly.
Internal Audit functions: Think about the entire internal audit lifecycle: strategic planning, audit execution, quality assurance. Where can AI add value at each stage? Similarly, consider the three lines of defence and how AI can support creating a single view of risk management across the organisation.
Building Blocks for Effective AI Governance
Strong AI governance rests on several foundational elements:
Risk Management Essentials
Your risk management framework should include several essential policy elements:
To enable safe experimentation, provide sandbox environments for testing, establish clear escalation paths for questions and commit to regular policy reviews as the technology evolves.
Making Time by Investing Time
One of the most common objections to AI adoption is "we don't have time." The reality is that you make time by investing time upfront.
Build AI initiatives into existing budgets rather than treating them as add-ons. Embed AI considerations into your strategy from the beginning. Start small and scale smart - identify quick wins that demonstrate value and build momentum.
The teams that succeed with AI aren't necessarily the ones with the biggest budgets or the most technical expertise. They're the ones that approach it strategically, align it with clear business objectives, manage risks proactively and create a culture where innovation can thrive.
Want to Start Embedding AI Today?
Our upcoming webinar will take you through the practical steps of building AI into your internal audit processes.
Our expert speakers will provide guidance on how to build your first AI report-writing agent, including a live demonstration of:
27 January at 11am | Hosted with Bloch AI
Whether you're just starting out or ready to scale, our team can help you develop the right AI strategy and governance framework for your risk or internal audit function. Get in touch.