How frontier AI companies could implement an internal audit function
Francesca Gomez, Adam Buick, Leah Ferentinos, Haelee Kim, Elley Lee

TL;DR
This paper explores how frontier AI companies can design an internal audit function to effectively oversee systemic risks, complement external evaluations, and enhance safety governance through tailored organizational strategies.
Contribution
It provides a detailed framework for structuring internal audits in frontier AI firms, analyzing key design choices and trade-offs based on standards and governance literature.
Findings
Internal audits can significantly improve safety oversight in frontier AI.
Designing audits with appropriate scope and access enhances credibility.
Effective audits complement external evaluations and strengthen risk management.
Abstract
Frontier AI developers operate at the intersection of rapid technical progress, extreme risk exposure, and growing regulatory scrutiny. While a range of external evaluations and safety frameworks have emerged, comparatively little attention has been paid to how internal organizational assurance should be structured to provide sustained, evidence-based oversight of catastrophic and systemic risks. This paper examines how an internal audit function could be designed to provide meaningful assurance for frontier AI developers, and the practical trade-offs that shape its effectiveness. Drawing on professional internal auditing standards, risk-based assurance theory, and emerging frontier-AI governance literature, we analyze four core design dimensions: (i) audit scope across model-level, system-level, and governance-level controls; (ii) sourcing arrangements (in-house, co-sourced, and…
Taxonomy
Topics: Ethics and Social Impacts of AI · Information and Cyber Security · Adversarial Robustness in Machine Learning
