B (2:11)

And as we've talked about it seems.

A (2:12)

Like every single week employees are absolutely using unapproved tools. And I was talking to friend of the show, Michelle Velez. We had her on the audit podcast I think about a year ago. And so we were just kind of catching up. And she would look at, I think it was P card spin. But either way she was looking at these basically chat GPT subscriptions and seeing which employees were putting those on their corporate credit cards. And this was before they had an approved AI or approved LLM tool within the organization. And so once they did move to an approved tool, she said you could start to see those subscriptions starting to dip off. And so now people were using the approved LLM or the approved AI tool as opposed to going outside. Obviously the there's still going to be shadow AI that's going to be used even when you have those approved tools. But if you're in that organization that still, for whatever reason, for whatever reason, has not implemented a tool or doesn't have some kind of AI governance committee AI governance policy. Please share this report with those that need to know. I would argue that if you don't have an AI governance policy, even if you are quote, blocking AI, you're not. But if you don't have an AI governance policy AI governance committee and you're the audit leader listening to this, I would immediately type up a memo, say it's a finding and hand it over. There's no hard and fast rule or control it's going to prevent shadow AI, but certainly help as we're in the field, maintain that inventory and share that. If you have an AI governance committee, share that with them. When you're coming across tools that maybe they aren't aware of. It's one of the toughest things for AI governance to account for is what tools are being used. This is where audit can immediately help.

B (4:10)

All right, so to tie back in to the previous story, this is from inside publicaccounting.com Eisner Amper survey finds as employees embrace AI, employer oversight lags so reading directly from the article, it says that while 80% of employees report a net positive experience using AI at work, just 36% indicate their company has a formal AI policy in place.

A (4:37)

I'll be honest, I didn't dig through this survey.

B (4:39)

So I don't know what the population.

A (4:41)

Of organizations or companies that they had as part of this. Your maybe small, medium sized business probably wouldn't expect that larger organizations that have.

B (4:51)

An internal audit department, I would expect that number to be significantly higher than that, 36%.

A (4:57)

But like I said, there are organizations that we talk to and we talk, we ask about AI governance. It's one of the things that we talk about with everybody and there's still some that go we have nothing. Or it's yeah, I mean we kind of have something, but it's not super specific and it's pretty broad.

B (5:17)

So anyway, it goes on to say despite 84% of managers acknowledging some level of AI use among their teams, only 41% of employees inform their manager or seek permission before using AI. Notably, 60% of employees rely on free AI platforms rather than internally developed platforms or external AI tools paid for by the company. And 28% admit they would use AI at work even if it were banned.

A (5:44)

I gotta think that 28% isn't right for those that are using it daily and are maybe you consider yourself AI literate. Imagine if they just stripped away all your AI tools and went, all right, get back to work like you used to. No way somebody wouldn't immediately download these apps on their phone and start using them.

B (6:02)

And so I'm reading these stats as.

A (6:04)

Support for if you don't have a robust AI governance policy. Specifically within this it says notably, again.

B (6:12)

Notably, 60% of employees rely on free AI platforms rather than internally developed platforms or external AI tools paid for by the company.

A (6:21)

And I know I mentioned earlier what Michelle said and that did decrease it, but also like I followed that up, it's still going to happen. You're still going to have people using these shadow AI systems. I think education around these risks is absolutely critical. Even setting expectations, which we're about to kind of get into on this next story, can be helpful. Also, I know we've talked to organizations that go, hey, we're just going to take all of our work papers and we're going to put them into this tool and then it's going to assess it and then it's going to spit out the answer. Or we're going to put all of our reports into a tool and then when we do an audit, we're going to put the support in there and then it's going to spit out an audit report just like all the other ones. And that's not exactly how it works. So there's this unrealistic expectation of what I can do. More so from the ease in which work like that can be done, those projects are absolutely possible. There's definitely audit teams that are doing that, vendors are doing that. But being able to quote, just throw it into the tool and it do it is not going to happen very often. Create an rcm pretty okay at being able to do something like that, Write my email, something like that.

B (7:31)

Absolutely fine. But some of these more complex, you're.

A (7:34)

Going to need to be a little bit more involved on the engineering side. So definitely I would highly recommend implementing suggesting an AI governance or AI risk training. You can develop that internally. I would make it a requirement of every single employee so that they really understand what's going on. I also think it's important for folks to understand this is setting the realistic expectations how these tools actually work.

B (8:03)

I did a webinar with Audit board. So Today is the September 3, 2025 episode.

A (8:12)

We did it. Either Last week or the week before. So two weeks ago and the first, I don't know, maybe 15 minutes we pull up and show how these tools actually work. And the most like the easiest way I explained it in such a way that I felt like some like AI literate people were sitting there going, this is not right at all. It is more analogous than anything. But you can check that out. It's on demand. If it's not on demand yet, it will be soon. And again, just those first 15 minutes, I think that's critical to be able to understand how these tools work, to understand and set expectations for yourself and the rest of your organization of how these work and to ease the AI anxiety or AI anxiety, as we've been saying recently on the threat of AI2 jobs.

B (9:02)

So we talked about kind of the hype and the what's realistic with AI right now. So this is from CFO dive.com that's CFO dive.com AI startup reaped millions using bogus claims FTC suit says. So to kind of summarize this article, the FTC shut down or made a move to shut down Air AI who alleged that the company misled small business customers with false promises, that it's conversational AI. Quote, conversational AI service could replace human agents and generate huge profits, defrauding clients of roughly 19 million.

A (9:43)

This is what is referred to as AI washing. And so it is propping up this idea that AI is going to solve all your problems, buy our thing, you'll be good to go. When that's really not the case.

B (9:55)

From the AI.

A (9:56)

I'm sorry, from the internal audit side. So for the vendors that are selling into internal audit with their AI tools, I haven't seen anything that made me go, you're absolutely full of it. They all seem pretty legitimate that I've seen. So I think for us it's pretty okay. It's the rest of the organization that I have a little bit more fear of something like this potentially getting them.

B (10:21)

And this comes back to no surprise.

A (10:25)

AI governance and vendor onboarding, I forget the stat. I think it's going to be something like 80% of vendors are going to have AI in their tools by 2026 or 20 in 2026. So this isn't something that is just going to go away, obviously. But as part of your vendor onboarding, there has got to be some kind.

B (10:48)

Of AI assessment as part of that.

A (10:50)

To understand security safeguards for the vendor that you're using, evidence of those safeguards.

B (10:58)

And then also the other note on this is to consider reviewing your own.

A (11:02)

Organizations, like AI related marketing and customer promises, and make sure this isn't something that's happening at the organization that you're currently working at. Thank you for listening, and be sure to follow the link to greenskiesanalytics.com in the show notes and subscribe Schedule time to see how green Skies can make the hype of AI a reality in your internal audit department. All right, that's it for this week. We don't really have a catchy slogan.

B (11:28)

To end the show yet, so if if you have one and you want to send it to us, we'll be happy to include it.

A (11:33)

And if we get a bunch, we'll just do a different one every single time. But until then. Well, I don't know until then, because we don't have anything to leave the folks with yet.

B (11:39)

So have a good week.