AI Governance
AIIA's AI features are built on strict governance principles that ensure RBAC compliance, full auditability, and alignment with the IIA International Professional Practices Framework (IPPF).
Core Principles
1. Suggestions Only
AI outputs are never written directly to official records. All AI-generated content is presented as a suggestion that requires explicit human action:
| Action | Result |
|---|---|
| Apply | Content is written to the record (logged) |
| Edit then Apply | Modified content is written (logged as modified) |
| Reject | Content is discarded (rejection logged) |
| Ignore | No action taken (interaction still logged) |
2. RBAC Enforcement
The AI Gateway enforces the same RBAC rules as the UI. Key constraints:
- AI retrieves only data the user is authorized to access
- Cross-organization data is never included in AI context
- Cross-role data leakage is prevented at the retrieval layer
- Permission-aware RAG passes `user_roles` and `org_id` to the retrieval engine
3. Full Audit Trail
Every AI interaction generates an `AuditLogEvent`:
| Field | Description |
|---|---|
| event_type | AI_ACTION |
| user_id | Who made the request |
| action | SUGGEST, APPLY, REJECT, QUERY |
| ai_model | Model and provider used |
| input_summary | Sanitized request summary |
| output_summary | Generated response summary |
| confidence | AI confidence score (0-100) |
| citations | Source references included |
| applied | Whether the suggestion was accepted |
| target_entity | What record was affected |
| timestamp | When the interaction occurred |
4. Citations Required
All AI outputs that reference organizational data include citations:
- Workpaper references — links to specific workpapers
- Finding references — links to historical findings
- Policy references — links to internal policy documents
- Standard references — IIA IPPF, NCA ECC standards
5. Confidence Scoring
| Score | Meaning | UI Indicator |
|---|---|---|
| 80-100% | High confidence — reliable suggestion | 🟢 |
| 60-79% | Moderate confidence — review recommended | 🟡 |
| 40-59% | Low confidence — significant review needed | 🟠 |
| 0-39% | Very low confidence — treat with caution | 🔴 |
IPPF Alignment
AIIA's AI features align with IIA Standards:
| Standard | How AI Complies |
|---|---|
| 1300 Quality Assurance | AI interactions auditable; QA can review AI usage |
| 2040 Policies & Procedures | AI follows organizational methodology templates |
| 2200 Engagement Planning | AI suggestions require CAE/Manager approval |
| 2300 Performing | AI assists but doesn't replace professional judgment |
| 2400 Communicating | AI-drafted reports require human review |
| 2500 Monitoring | AI actions tracked in governance dashboards |
AI Policy Configuration
Administrators can configure organizational AI policies:
- Navigate to Administration → Settings → AI Policies
- Configure:
  - Minimum confidence threshold — reject suggestions below threshold
  - Auto-logging level — what AI interactions to log
  - Allowed providers — restrict which AI models can be used
  - Data sensitivity — what data can be sent to cloud AI
  - Usage quotas — limit AI requests per user/day
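The flow described by principles 1 through 5 above and the minimum-confidence policy, condensed into one runnable sketch. This is an added illustration, not AIIA's code: the document schema, the `DOCS` sample rows, the function names and the idea that the model's confidence arrives as a plain 0-100 number are all assumptions.

```python
from datetime import datetime, timezone

# Constructed sample documents (hypothetical schema): each row carries the
# owning organization and the roles allowed to read it.
DOCS = [
    {"id": "WP-101", "org_id": "org-a", "roles": {"auditor", "manager"}, "text": "Access-review workpaper"},
    {"id": "POL-7", "org_id": "org-a", "roles": {"manager"}, "text": "Manager-only policy"},
    {"id": "WP-900", "org_id": "org-b", "roles": {"auditor"}, "text": "Another organization's workpaper"},
]

def permission_aware_retrieve(docs, org_id, user_roles):
    """Filter at the retrieval layer: same org only, and at least one matching role."""
    return [d for d in docs if d["org_id"] == org_id and d["roles"] & set(user_roles)]

def confidence_band(score):
    """Map a 0-100 score to the band behind the UI indicator."""
    if score >= 80:
        return "high"
    if score >= 60:
        return "moderate"
    if score >= 40:
        return "low"
    return "very_low"

def audit_event(user_id, action, confidence, citations, target, applied=False):
    """One AuditLogEvent per interaction, whatever the user ends up doing."""
    return {"event_type": "AI_ACTION", "user_id": user_id, "action": action,
            "confidence": confidence, "citations": citations, "applied": applied,
            "target_entity": target, "timestamp": datetime.now(timezone.utc).isoformat()}

def suggest(user_id, org_id, user_roles, target, confidence, min_confidence, log):
    """Build a suggestion from permitted context only; never touch the record.
    Returns None (and logs REJECT) when the org policy threshold is not met."""
    ctx = permission_aware_retrieve(DOCS, org_id, user_roles)
    citations = [d["id"] for d in ctx]
    if confidence < min_confidence:
        log.append(audit_event(user_id, "REJECT", confidence, citations, target))
        return None
    log.append(audit_event(user_id, "SUGGEST", confidence, citations, target))
    return {"text": "Draft based on: " + ", ".join(citations), "citations": citations,
            "confidence": confidence, "band": confidence_band(confidence)}

def apply_suggestion(user_id, record, suggestion, log):
    """Explicit human action: only here is content written to the record."""
    record["draft"] = suggestion["text"]
    log.append(audit_event(user_id, "APPLY", suggestion["confidence"],
                           suggestion["citations"], record["id"], applied=True))
    return record
```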
Reviewing AI Activity
- Navigate to Audit Logs
- Filter by `event_type = AI_ACTION`
- View:
- Who used AI and when
- What was requested and generated
- Whether suggestions were applied
- Which AI model/provider was used
- Confidence scores and citations