Jordan Richards and Yohannes Fassika
AI relies on organisational knowledge; internal audit must ensure that knowledge is accurate, governed, and AI-ready.
Organisations are rapidly deploying AI to improve efficiency, decision-making, customer experience, and operations. However, many rely on knowledge environments not designed for machine interpretation, where documents are incomplete, lessons are missing, and decisions record outcomes but not reasoning. In this context, AI can create an illusion of organisational understanding while amplifying weak knowledge practices. Internal audit therefore plays a critical role, not in slowing innovation, but in ensuring the knowledge foundations AI depends on are trustworthy, governed, and fit for purpose.
The AI Deployment Rush is Now an Assurance Issue
AI is no longer experimental; it is embedded in core business functions such as finance, operations, customer service, procurement, compliance, and executive decision-making. Organisations, especially in emerging economies, are adopting it to improve productivity, reduce inefficiencies, and scale expertise with limited resources. Market signals reinforce this shift. Gartner (2026) reports that most CEOs expect AI to significantly transform operational capabilities, while the World Bank highlights uneven adoption due to gaps in institutional readiness, data maturity, and digital infrastructure.
However, AI deployment is often treated as a technology initiative focused on models, platforms, and vendors. While important, these are not sufficient. The critical requirement is knowledge readiness, the organisation’s ability to ensure its information and experience base is structured, complete, and reliable enough for accurate AI interpretation and decision-making.
AI Depends on Institutional Knowledge, Not Just Data
A common misunderstanding in AI deployment is that success depends mainly on data quality. In reality, AI in organisations draws on far more than structured data, including policies, reports, emails, procedures, project documentation, standards, and informal workflow knowledge.
Institutional knowledge is often unevenly captured: some is explicit, but much is tacit and contextual. Decisions may lack alternatives, procedures may ignore exceptions, and project records often omit risks and judgement. When AI relies on fragmented knowledge, it may appear capable but lacks context, summarising only what is recorded, not what is missing.
The Hidden Risk: AI Can Accelerate Knowledge Decay
A key risk is not that AI produces incorrect answers, but that it produces plausible ones based on incomplete knowledge. In organisations, this plausibility can reduce scrutiny and increase overconfidence. This contributes to knowledge decay, where AI appears to capture and transfer organisational knowledge, while only processing surface information.
The underlying reasoning, experience, and context remain missing. As a result, organisations may increasingly rely on AI outputs without understanding the quality of the knowledge behind them. Over time, this can lead to repeated mistakes, inconsistent decisions, and duplicated work. AI does not remove knowledge gaps, it often masks and amplifies them.
Figure 1: The AI Knowledge Risk Chain
How incomplete organisational knowledge can move through AI systems and become decision risk.
Why This Matters More in Emerging Economies
This challenge is global but more pronounced in emerging economies, where organisations often have fragmented systems, limited documentation, and reliance on individual expertise rather than structured knowledge management.
Rapid digital transformation can also outpace governance maturity. In these contexts, AI is attractive as a way to address skill gaps and inefficiencies. However, without strong knowledge foundations, it risks automating confusion instead of solving it. Leaders must therefore consider not only which AI use cases to deploy, but also what knowledge AI depends on and whether that knowledge is reliable and properly validated.
Internal Audit’s Expanding Role: From Technology to Knowledge Assurance
Internal audit is well positioned to address this emerging risk. Traditionally focused on governance, controls, and risk assurance, it must now also consider the knowledge systems that underpin AI outputs. This does not mean becoming a technology function or AI developer, but providing independent assurance that organisational knowledge is reliable enough for AI-enabled decisions.
This requires linking knowledge management and AI governance. Knowledge management ensures knowledge is captured, structured, and maintained, while AI governance ensures safe and controlled use of AI systems. These domains are now interdependent. If organisations cannot govern the knowledge feeding AI, they cannot fully govern AI itself.
What Internal Audit Should Examine
Internal audit should broaden its risk lens to include:
- The quality and completeness of source knowledge used by AI systems
- Ownership and accountability for knowledge assets
- Processes for updating and validating knowledge repositories
- Traceability of AI outputs back to source material
- The organisation’s ability to detect outdated or incomplete inputs
- User behaviour and reliance on AI-generated outputs
A practical audit approach includes mapping knowledge sources, assessing governance structures, reviewing validation mechanisms, and testing how AI outputs align with expert judgment and operational reality.
Figure 2: Internal Audit Across the AI-KM Governance Lifecycle
Where internal audit can provide assurance, challenge and advisory insight across AI-enabled knowledge use.
Capability Building for Auditors
Auditors do not need to become technical AI specialists, they need sufficient literacy to ask informed questions. This includes understanding how AI systems are trained, how knowledge is curated, and how outputs are generated and validated.
Key questions include:
- What knowledge was included or excluded?
- Who approves knowledge sources?
- How is information updated over time?
- What happens when AI output conflicts with expert judgment?
Frameworks such as ISO 30401 (knowledge management systems) and the NIST AI Risk Management Framework provide useful structure. Together, they help auditors evaluate not only AI models but also the knowledge ecosystems surrounding them.
Audit Planning and Control Readiness
AI and knowledge risks should be explicitly included in the audit universe. In many organisations, especially those early in their AI journey, internal audit may add more value through advisory work and control self-assessment than formal audits.
This includes evaluating data and knowledge readiness, identifying critical knowledge repositories, assessing ownership clarity, and ensuring lessons from pilot AI deployments are captured before scaling.
The goal is not bureaucracy but preventing overreliance on systems built on weak or incomplete organisational memory.
A Staged Approach to AI Deployment
Internal audit should encourage phased AI deployment. High-risk uses such as financial decisions, procurement, safety, and strategic planning require stronger knowledge assurance than low-risk tools like FAQs or basic support. AI should first be deployed in controlled environments where knowledge sources are clear and outputs can be validated. Once reliability and governance maturity are proven, broader rollout becomes safer, reducing systemic risk and building confidence in AI outputs.
The Cultural Dimension of Knowledge Risk
AI introduces not only technical and governance challenges but also cultural ones. If employees assume AI will automatically capture knowledge, they may become less disciplined about documenting decisions, recording lessons learned, or maintaining knowledge repositories.
Over time, this weakens organisational memory and increases dependency on AI systems that may not fully understand context.
Internal audit recommendations should therefore support a culture of active knowledge sharing and stewardship. Knowledge must be treated as operational infrastructure, not an administrative task.
Conclusion: AI Readiness is Knowledge Readiness
AI transformation is also a knowledge transformation. Its effectiveness depends not only on algorithms and data, but on the quality of institutional knowledge behind them. Internal audit helps strengthen this foundation by ensuring AI risk includes the completeness, accuracy, and usability of organisational knowledge, not just cybersecurity, vendors, and model governance.
This is critical in emerging economies, where AI can accelerate progress but also increase instability if knowledge assurance is weak. Success depends on strong governance, disciplined knowledge systems, and understanding what AI learns from.
About the Authors
Yohannes Fassika is an Information Systems Audit Manager and consultant with two decades of experience across telecommunications, information technology, risk-based auditing, risk analysis and information systems assurance. His work focuses on strengthening governance, control environments and technology-related assurance, with a growing interest in AI governance, algorithmic audit, AI ethics and the role of internal audit in managing emerging digital risks.
https://www.linkedin.com/in/yohannes-fassika-93ab1935/
Jordan Richards is a digital strategist and transformation advisor with over 20 years of international experience across technology, enterprise change, government, oil and gas, knowledge management and regulated sectors. He works with senior leaders to connect digital strategy, AI, enterprise architecture, organisational knowledge, operational performance and future-ready business models.
https://www.linkedin.com/in/jordanrichards/
References
Gartner (2026) ‘Gartner Survey Reveals 80% of CEOs Say Artificial Intelligence Will Force Operational Capability Overhauls’, 23 April. Available at: https://www.gartner.com/en/newsroom/press-releases/2026-04-23-gartner-survey-reveals-80-percent-of-ceos-say-artificial-intelligence-will-force-operational-capability-overhauls
International Organization for Standardization (2018) ISO 30401:2018 Knowledge management systems – Requirements. Available at: https://www.iso.org/standard/68683.html
National Institute of Standards and Technology (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). Available at: https://www.nist.gov/itl/ai-risk-management-framework
Richards, J. (2026) ‘The Disruption of Intelligence: When Machines Think Faster Than Institutions Remember’. Available at: https://bizrecap.com/the-disruption-of-intelligence-when-machines-think-faster-than-institutions-remember/
World Bank (2025) Digital Progress and Trends Report 2025: Strengthening AI Foundations. Available at: https://www.worldbank.org/en/publication/dptr2025-ai-foundations
World Bank (2025) ‘Strengthening AI Foundations: Emerging Opportunities for Developing Countries’, 21 November. Available at: https://www.worldbank.org/en/news/factsheet/2025/11/21/strengthening-ai-foundations-emerging-opportunities-for-developing-countries
