The cybersecurity landscape is undergoing a structural shift. Two powerful technologies, artificial intelligence (AI) and quantum computing, are simultaneously strengthening business capabilities and redefining cyber risk. While they promise operational transformation, they also introduce threats that traditional security frameworks were not designed to address. In this evolving environment, internal audit must expand its mandate from compliance oversight to strategic cyber risk assurance.
AI-Driven Threats: Smarter Attacks, Faster Exploits
AI is increasingly embedded across business functions, from fraud detection and supply chain optimization to customer engagement and risk analytics. However, the same technology is being weaponized by adversaries.
AI-enabled phishing campaigns can generate highly personalized social engineering attacks at scale. Machine-learning-driven malware can adapt in real time to evade detection. Adversarial attacks can manipulate or “poison” training data, compromising AI models from within.
Internal audit’s role is to independently assess whether organizations are prepared for these evolving risks. Key areas of focus include:
- Robust AI governance frameworks with clear ownership and accountability
- Controls over model development, validation, and monitoring
- Safeguards against adversarial manipulation and data poisoning
- Transparency and explainability of AI-based security tools
AI systems are dynamic; therefore, controls must be continuously evaluated rather than periodically reviewed.
Quantum Computing: A Cryptographic Disruption
While large-scale quantum computers are still developing, their potential impact on cybersecurity is profound. Quantum computing threatens widely used public-key cryptographic systems such as RSA and ECC, which underpin secure communications, digital signatures, and financial transactions.
The risk is not theoretical. Sensitive data intercepted today could be stored and decrypted in the future once quantum capabilities mature, a concept known as “harvest now, decrypt later.”
Internal audit should evaluate:
- The organization’s inventory of cryptographic assets and dependencies
- Exposure to quantum-vulnerable encryption standards
- Readiness and roadmap for adopting post-quantum cryptography
- Executive oversight and funding for long-term cryptographic transition
Proactive planning is critical. Retrofitting security after quantum disruption materializes would be costly and destabilizing.
Why Internal Audit Matters
Internal audit has traditionally been the function that independently evaluates an organization’s risk management, governance, and control processes. In the face of AI and quantum-related threats, internal audit becomes more than a compliance checker; it becomes a strategic safeguard.
The reasons are clear:
- Emerging Risks Are Rapidly Evolving: AI threats evolve faster than compliance checklists can be updated. Internal audit’s independent lens provides a fresh, unbiased perspective to identify where controls have become outdated or inadequate.
- Complexity Requires Expertise: AI and quantum technologies involve advanced mathematics, algorithms, and probabilistic outcomes. Internal auditors must assess not only whether controls exist, but also whether they are fit for purpose in the context of dynamic, self-learning systems.
- Cross-Functional Dependencies: AI and quantum risks don’t fall neatly into one department. They span IT, data governance, legal, compliance, and business operations. Internal audit is uniquely positioned to view these relationships holistically and recommend integrated solutions.
Expanding the Internal Audit Skillset
To effectively audit in this new landscape, internal audit teams must upskill. Understanding emerging risks requires familiarity with:
- Machine learning lifecycle management
- Adversarial AI concepts
- Quantum computing principles and post-quantum cryptography
- Secure software development and DevSecOps
Internal audit teams should also leverage tools such as AI risk assessment frameworks, continuous monitoring dashboards, and third-party threat intelligence sources.
Moreover, collaborating with external specialists such as data scientists, quantum cryptographers, and ethical hackers expands internal audit’s capability without overextending internal resources.
Conclusion: From Gatekeepers to Strategic Partners
The cybersecurity landscape is shifting beneath enterprise feet. AI and quantum computing are not just disruptors; they redefine what “secure” means. Traditional defenses, compliance-focused audits, and static policies are no longer sufficient.
Internal audit must evolve from a retrospective compliance function to a proactive strategic partner in cybersecurity. This challenge isn’t trivial, but it’s necessary. Organizations that recognize and invest in this transformation will not only navigate the emerging threats but also harness these technologies with confidence, resilience, and ethical stewardship.
In the new cybersecurity frontier, internal audit is not just a safeguard; it is a guide through uncertainty.
About the author:
Amit Sharma is the Vice President and Head of Audit – APAC at EXL, with over 25 years of experience in internal audits, risk management and compliance. As part of his commitment to giving back to the auditing profession, he also serves on the IIA India Delhi Branch Board of Governors and is the Chairperson of the Publications & Research committee of IIA India Delhi Branch.


