Audit and security professionals must step up to govern AI – before it governs us

New ISACA credentials introduced to tackle the challenge of AI preparedness amongst audit and security management professionals


AI is sparking upheaval across business and technology, and organizations aren't ready for the operational or security risks raised by automated exploitation, deepfakes, data leakage, and more. AI adoption is taking off, but AI governance is trailing behind.

To get ahead of the curve, professionals already working in audit and security management need the right skills to build resilience — and they need them now. ISACA, the international professional association covering governance, audit, risk, cybersecurity, and AI, is ready with new credentials to help ensure key auditing and security staff have the additional skills needed to meet that challenge.

Such training opportunities are desperately needed: more than eight in ten professionals polled by ISACA for its 2025 AI Pulse report said their employees use AI already at work – whether or not it's officially allowed – but governance isn't keeping up, with only 33% having a formal AI policy in place.

That readiness gap is already causing concern among security professionals. The ISACA survey revealed that two-thirds of European IT and security professionals are extremely or very concerned that generative AI could be turned against their organizations, and nearly all (95%) believe that the technology will be exploited by bad actors. That means mitigations and protections need to be in place now.

These are serious challenges that need to be met quickly – and the answer to meeting them is skills.

Training to meet the AI challenge

AI brings opportunities to companies, but it also introduces risks. Understanding those challenges is key to taking advantage of this nascent technology. That means putting in place the necessary governance, policies, and security measures to mitigate the potential downsides while enabling innovation – imperatives that will naturally fall to audit professionals and the security team.

The ISACA AI Pulse survey suggests that most audit and security professionals don't yet feel up to the challenge, however, and they've wisely recognized they need more training to build upon their existing credentials. The poll revealed that 42% of European IT and business professionals believe that they will need to increase their skills and knowledge in AI within the next six months in order to retain their job or advance their career. Most (89%) of those asked recognize that this will be needed within the next two years.

The poll also revealed that despite the fact that 71% of companies believe that AI skills are very or extremely important right now, 29% of respondents said they have no formal AI training in place for employees, with 32% saying it's limited to IT staff. For AI to be implemented securely, training needs to widen to include those in charge of governance, too.

Accelerate AI rollout and be audit-ready

With governance and risk already core to their roles, established auditors and security managers are well placed to lead AI assurance. Targeted upskilling — through role-relevant training or certification — builds on their existing qualifications to close the skills and readiness gap.

By building on their existing qualifications, such professionals can help bridge the skills and readiness gap.

To support that upskilling, ISACA offers two role-specific credentials. The first is focused on AI auditing, governance, and frameworks, while the second was created for security management professionals. Both are designed to help organizations prepare themselves to lead the rollout of AI, while preparing staff to be ready to spot and mitigate the potential risks.

The ISACA Advanced in AI Audit (AAIA) credential is the first and only advanced audit-specific AI certification for accredited audit professionals, offering training in key areas such as AI governance and risk, AI operations, and the use of auditing tools that feature AI.

This program is designed for experienced auditors holding certifications such as CISA, CIA, CPA, or an equivalent. It aims to build upon their existing experience in order to address challenges raised by AI integration and the technology's use in organizations. Beyond that, the credential reveals how to enhance audit processes using AI-powered insights, adding an extra dimension to the training.

Harnessing AI needs governance, and that comes with skills, as well as practical support in the form of assurance frameworks and audit tools. And that means working together across all sections of an organization and collaborating across teams on privacy, cybersecurity, and even legal to ensure AI systems are not just innovative, but responsibly managed.

Helping security managers step up to the AI challenge

Then, there's the newly introduced Advanced in AI Security Management (AAISM) certification – the first and only AI-focused security management certification. AAISM validates knowledge across AI governance and programme management, AI risk management, and AI technologies and controls—helping experienced practitioners manage evolving AI risks and implement policies so AI is used responsibly and effectively across the organisation.

Information security managers are already well aware of the existing threat landscape and how to manage the risk profile, but AI changes the game; it introduces a wide range of new threats, including the use of AI chatbots to find information about a company for targeting phishing attacks, no-code ransomware personalised to an industry or even individual, and voice generation for scam calls.

Not all companies are ready, or even know what they need to do to prepare. For example, seven in ten industry professionals polled by ISACA expect deepfakes to get better and more widespread during 2025, yet despite these concerns, only 18% of organizations are investing in deepfake detection tools, potentially causing a significant security gap.

Information security managers need the credentials to give them the skills, but also the sway in their company, so their warnings about the risks — and the mitigations to put in place — are heard.

The AAISM helps security professionals with existing expertise – those who hold a Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) – and builds upon that knowledge to help spot AI threats and mitigate the dangers, while also making use of AI in their own security operations.

AAISM ensures that professionals understand the necessary architectures and designs, policies and procedures, data management controls, and monitoring tools to help keep ahead of the challenge.

Future-proof your career

Beyond benefiting organizations, upskilling with AI certification is a smart career move: research shows that having AI skills raises salaries and ensures a professional stays in high demand when job cuts are looming.

For security and audit professionals, these certifications help build upon the credentials they already have in place. Letting them step up to gain these AI skills in a proven way will make professionals even more in demand as AI continues to sweep the business world, expanding on their existing credentials to take advantage of the opportunities offered by AI disruption.

With these skills in place, organizations not only gain the AI governance capabilities necessary to keep control of these cutting-edge systems and mitigate against risks, but they also learn how best to take advantage of the opportunities AI could offer.

It's not just about avoiding risk, but taking advantage of the promise of AI — both need governance and security, and that means professionals with the right skills.

Find out more about training for the AAIA and AAISM credentials at ISACA.

*The AAIA certification is designed for those with existing auditing expertise, notably those with advanced certifications including: Certified Information Systems Auditor (CISA) from ISACA, Certified Internal Auditor (CIA) from Institute of Internal Auditors (IIA), and Certified Public Accountant (CPA) from American Institute of Certified Public Accountants (AICPA), as well as ACCA Chartered Certified Accountant (ACCA) or ACCA Fellow Chartered Certified Accountant (FCCA) from the Association of Chartered Certified Accountants (ACCA); Canadian Chartered Professional Accountant (Canadian CPA) from Chartered Professional Accountants of Canada; CPA Australia Certified Practicing Accountant (CPA) from CPA Australia; CPA Australia Fellow Certified Practicing Accountant (FCPA) from CPA Australia; and Japanese Certified Public Accountant (Japanese CPA) from the Japanese Institute of Certified Public Accountants (JICPA).

ITPro

ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.
