COBIT in an AI World: Reinterpreting Governance for Autonomous Decision-Making

Here’s a question I keep hearing from IT governance professionals: “Do we need to throw out our governance frameworks now that AI is making decisions for us?” It’s a fair question, and one I suspect many of you are quietly wrestling with.

My answer surprises people: no, we don’t throw them out. We reinterpret them.

Here’s the contrarian view I keep returning to: COBIT isn’t outdated in the AI era. It’s underutilized. Organizations racing to bolt on new “AI governance frameworks” are often skipping a more important step: verifying whether the governance infrastructure they already have can carry the weight of what’s coming. That distinction matters. It’s the difference between load-bearing and decorative.

Worth pausing on for a moment: COBIT is turning 30 this year. First released by ISACA in 1996, the framework has outlasted entire generations of technology trends, fads, and “next big thing” announcements. That longevity, and the structured decision accountability the framework delivers, isn’t an accident; it’s the result of a framework grounded in something more durable than the technology of the moment. For those who want to revisit the history or explore the current guidance, ISACA’s COBIT hub is the place to start: https://www.isaca.org/resources/cobit.

Governance frameworks were never about the technology; they were about the decisions. COBIT, at its core, has always been a structured way to answer four questions: Who decides? On what basis? With what oversight? And how do we know it worked? Those questions don’t change when the decision-maker is an algorithm instead of a manager. What changes is HOW we answer them… and that’s where most governance professionals are getting tripped up.

When a human makes a decision, accountability is intuitive: a name on the email, a signature on the memo. When AI makes or heavily influences a decision at scale, accountability becomes diffused. Was it the model? The data? The prompt? The deployment team? The vendor? The process owner who approved the use case? Without a framework mapping these decision points to accountable roles, organizations end up with what I call “governance by hope”: everyone assuming someone else is watching.

I propose three reinterpretations every IT governance professional should be thinking through right now.

First, treat AI assurance as a first-class control objective, not a side project. Traditional IT assurance asked: did the system do what we told it to do? AI assurance must ask something harder: did the system do what we intended, in conditions we anticipated, with outputs we can defend? That’s a different kind of audit, and one many internal audit functions aren’t yet equipped to perform. ISACA’s emerging guidance on AI auditing, combined with NIST’s AI Risk Management Framework, gives you scaffolding. But scaffolding only works if it’s anchored to something solid, which brings me back to COBIT.

Second, redefine “human oversight” before someone defines it for you. Regulators in the EU, UK, and increasingly the US are writing the definition as we speak. If your governance program waits, you’ll inherit a definition that may not match your operating reality. Oversight isn’t binary; it’s a spectrum from human-in-the-loop (every decision reviewed) to human-on-the-loop (sampling and exception review) to human-out-of-the-loop (fully autonomous within defined boundaries). Each tier requires different COBIT-aligned controls. Each carries different risks. And each needs to be a deliberate choice, not a default that emerged because no one asked.

Third, map decision accountability to decision consequence. Not every AI decision deserves the same governance overhead. A model recommending an email subject line does not need the same controls as one flagging an AML (anti-money laundering) transaction or assisting a clinical diagnosis. COBIT’s tiered approach to control rigor, long applied to IT systems by criticality, translates directly. The work is in the mapping. And ALWAYS remember: the consequence of the decision, not the sophistication of the model, drives the control tier.

The uncomfortable truth is this. Most organizations I advise have governance frameworks that look impressive on paper and crumble under AI-scale decision velocity. The frameworks aren’t wrong. They’re just being asked to do something they were never tested for, and no one’s pressure-tested them yet. That pressure test is coming, whether from a regulator, an incident, or an auditor with a sharper question than the one I opened with.

A colleague framed the stakes better than I could. We have collaborated on this subject for years, and in a recent conversation she put it this way:

“AI amplifies the values, assumptions, and priorities built into it. Its greatest influence is not only in the decisions it makes, but also in the decisions humans fail to question. Governance should not simply evaluate, monitor, and legitimize AI; it should actively preserve human judgment in systems increasingly shaping human choices.”

Kehinde Femi-Adeleye

That last line is the one I keep coming back to. A framework that only legitimizes AI has done half the job. The harder half, the half COBIT was built for, is preserving the human judgment that decides which questions still get asked.

Final Thoughts

The IT governance professionals who will come through this well are doing the harder, less glamorous work of stress-testing what they already have. Here’s where I’d start:

  1. Audit your existing governance framework against AI use cases already in production. Not pilots. Production.
  2. Define your human oversight tiers explicitly, in writing, approved by your governance committee. Don’t let regulators or incidents define them for you.
  3. Map every material AI decision point to an accountable role, not a team. Diffuse accountability is no accountability.
  4. Expand your risk taxonomy to include AI-specific risks (drift, bias, hallucination, adversarial inputs, third-party model dependencies) and integrate them into your enterprise risk register.
  5. Treat AI assurance as a recurring reporting item. If it’s not on the agenda, it’s not being governed.

COBIT in an AI world isn’t a relic. It’s a foundation, if you’re willing to reinterpret it with the rigor the moment demands. Thirty years in, that foundation is still the one to build on.