Why GRC is the Wingman for AI Risk

Artificial Intelligence (AI), who would have imagined it would become so prominent in our daily lives? Humans have always had high expectations for AI, as evidenced by fictional characters like Rosie, the model XB-500 robot from "The Jetsons." Rosie was a valued member of the Jetson family, serving as their maid and housekeeper. Today, we have various AI systems, including Claude, Gemini, ChatGPT, and many others, operating across the open web, as well as the deep and dark web. 

AI has transitioned from a futuristic concept to an integral part of modern enterprise. For certified public accountants (CPAs) and finance professionals, the question is no longer if AI will impact financial reporting, but how to manage its inherent risks responsibly. While the notion of fully automated financial reporting might feel unsettling, embracing a thoughtful, strategic approach is essential. The key is to balance AI's transformative power with a robust Governance, Risk, and Compliance (GRC) framework. 

The Rise of AI in Financial Reporting 

AI is rapidly transforming traditional finance functions, offering unprecedented opportunities for enhanced efficiency, accuracy, and insight. AI models have the capacity to manage vast volumes of data, identify complex patterns, and produce high-accuracy forecasts, making them powerful tools for predictive analytics and fraud prevention. 

Current applications of AI in finance and security include: 

• Predictive Analytics: Forecasting for credit risk analysis and portfolio management. 
• Fraud and Anomaly Detection: Monitoring transactions for payment and credit card fraud, and assessing claims in insurance. 
• Security and Trust: Powering scam detection and conducting legitimacy analysis of websites and vendors. 

This growing adoption fundamentally changes the risk landscape for financial reporting. New capabilities inevitably introduce complex risk profiles that demand proactive management from a GRC perspective. 

Understanding and Mitigating the AI Risk Landscape 

Before we can effectively manage AI risk, we must first understand its various dimensions. From a GRC perspective, I have seen four key areas of concern for AI operators and their customers: 

• Data Risk: Issues related to data quality, privacy, security, and bias. 
• Model Risk: The risk of AI models producing inaccurate or biased outputs due to flawed design or assumptions. 
• Operational Risk: Failures that occur during the day-to-day use of an AI system. 
• Ethical and Regulatory Risk: The danger of non-compliance with new regulations or engaging in practices that harm stakeholders. 

Let's focus on Operational Risk with a short anecdote. 

"A large corporation implemented an AI bot to automate its bank reconciliation process, handling thousands of transactions daily. The finance team, impressed by its initial 99.5% accuracy rate, reduced human oversight to a brief spot-check at the end of the month. A subtle, unnoticed change in the bank's data reporting format caused the bot to miscategorize a small but growing number of transactions each day. By the end of the quarter, this seemingly minor error had compounded into a multi-million dollar discrepancy, leading to a significant and embarrassing financial restatement." 

This failure was a direct result of a lack of human oversight. The team's over-reliance on the AI and their inability to maintain a "human-in-the-loop" for continuous verification led to a critical operational failure that a human likely would have caught much earlier. 

While this anecdote seems to have the "doom and gloom" outlook this is not too far from current metrics and surveys.  A 2025 IMCT Survey highlighted that nearly 44% of financial firms had not validated the quality of their AI tools or predictive models. This is a startling number, and unless significant focus is injected into AI usage, the industry is going to have a lot of heartburn over the next few years. 

Figure 1: 2025 IMCT Survey 

The Benefits of a Proactive GRC Approach 

By adopting a proactive GRC approach to AI in financial reporting, an organization can unlock a multitude of benefits. It mitigates significant financial and reputational risks, helps avoid costly errors, and ensures compliance with evolving regulations. A strong GRC framework improves auditability and transparency, building greater confidence in AI-generated financial insights. 

The following steps provide a practical roadmap for implementing this GRC framework: 

1. Inventory & Assess Current AI Use: Begin by creating a comprehensive catalog of all AI and machine learning tools currently used or in development within the finance department. 
2. Develop AI-Specific Policies: Draft and implement clear policies covering data governance, model validation standards, and responsible AI use. 
3. Integrate AI Risk Assessments: Embed the evaluation of AI risks directly into your existing enterprise risk management (ERM) framework. 
4. Enhance Data Quality & Governance: Make bias detection, data lineage tracking, and data integrity a primary focus of your data governance efforts. 
5. Implement Model Validation & Monitoring: Establish a robust, independent model validation process for all new AI systems and implement tools for ongoing performance monitoring. 
6. Strengthen Human Oversight & Training: Upskill finance teams to understand AI's capabilities and limitations, and clearly define the points where human intervention and approval are required. 
7. Ensure Robust Audit Trails & Documentation: Mandate that all AI systems create detailed, unchangeable logs of their operations and decisions to ensure transparency and accountability. 

As the AICPA has noted in its recent AI advisory, “Financial professionals must combine innovation with accountability. AI can enhance reporting accuracy, but only when aligned with strong governance practices.”  

This approach fosters responsible innovation. It does not stifle AI adoption but rather enables the organization to integrate AI safely and ethically, enhancing stakeholder trust and providing a clear strategic advantage. Leveraging AI's benefits securely and sustainably turns a potential risk into a competitive differentiator.