“The New Audit Risk: AI Without Proof”
The Evidence Problem
This summer the UK’s Financial Reporting Council (FRC) issued a blunt warning. The country’s biggest audit firms, including Deloitte, EY, KPMG, PwC, BDO, and Mazars, are embedding AI across their audit workflows without properly monitoring its impact on quality. The FRC noted that while firms are using AI to scan transactions and review contracts, few have established clear measures of performance, oversight, or accountability.
For an industry that is supposed to safeguard trust, the lack of transparency is striking. If the firms responsible for checking the books cannot show how AI affects audit quality, what does that mean for the companies that rely on them?
The warning is not isolated. In law, a lawyer was sanctioned after submitting fake case citations produced by a large language model. In healthcare, advisors have cautioned that AI-generated compliance documentation, if not verified, could create privacy violations or fines. And across industries, experts point to the same pattern: speed gains without proof, automation without evidence.
The Hallucination Trap
The legal case illustrates the problem clearly. At first, asking AI to draft a court filing seemed efficient. Yet without proper controls, the tool fabricated precedent out of thin air.
To humans this was obviously non-compliant. To the AI it was not lying. It was simply completing the task in the most direct way.
In compliance, that shortcut is unacceptable. Regulators do not care if a document looks convincing. They care whether it can be traced back to verifiable evidence.
What Is Going Wrong
Audit Firms: AI embedded in audits without monitoring or KPIs. Consequence: regulatory scrutiny and reputational risk.
Legal Industry: AI-generated fake case citations. Consequence: sanctions and mandatory training.
Enterprises: Over-reliance on generative AI with no explainability. Consequence: data breaches and compliance violations.
Healthcare: AI tools producing inaccurate documentation. Consequence: operational and regulatory risk.
Efficiency Without Trust
These cases share a common pattern. Enterprises are adopting AI in compliance but failing to put the same rigor into oversight that they apply in other areas of risk management. The result is efficiency that undermines trust.
The irony is hard to ignore. Compliance is built entirely on evidence and verifiability, yet much of today’s AI adoption overlooks those foundations. “The AI said it was true” is not, and will never be, a defense in front of regulators or enterprise customers.
What Getting It Right Looks Like
There is another approach. Instead of treating compliance as a generative exercise, where the goal is to produce text that looks right, AI can be used as an evidence engine.
That means mapping regulatory frameworks directly against a company’s policies and procedures, identifying gaps where documentation is missing, and generating responses to audits or questionnaires that link back to real evidence.
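The three steps above (map requirements to evidence, surface gaps, answer only with linked evidence) can be made concrete in a small check. The following is an added example written for this article; it is not code from the article's author or from any product the article mentions. The framework ids, evidence records and the model "draft" are all constructed, and the hallucinated citation in the draft is there to show how an unresolvable reference is caught rather than passed through.

```python
from dataclasses import dataclass
import hashlib
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Evidence:
    """One artefact actually on file (policy, review export, test report)."""
    evidence_id: str
    title: str
    content: str

    def digest(self) -> str:
        # Content hash so a cited artefact can be re-verified later, not merely named.
        return hashlib.sha256(self.content.encode("utf-8")).hexdigest()[:12]


# Constructed framework excerpt: requirement id -> control text (hypothetical ids).
FRAMEWORK: Dict[str, str] = {
    "AC-1": "An access control policy is documented and reviewed annually.",
    "AC-2": "User accounts are reviewed quarterly and dormant accounts disabled.",
    "IR-1": "An incident response plan exists and is exercised at least yearly.",
}

# Constructed evidence store: what the company can really hand to an auditor.
EVIDENCE: Dict[str, Evidence] = {
    "POL-ACCESS-2024": Evidence("POL-ACCESS-2024", "Access Control Policy v3",
                                "Approved 2024-03-01; next review 2025-03-01."),
    "REV-ACCOUNTS-Q2": Evidence("REV-ACCOUNTS-Q2", "Q2 account review export",
                                "412 accounts reviewed; 9 dormant accounts disabled."),
}

# Mapping step: requirement -> evidence ids claimed to satisfy it. IR-1 maps to nothing.
MAPPING: Dict[str, List[str]] = {
    "AC-1": ["POL-ACCESS-2024"],
    "AC-2": ["REV-ACCOUNTS-Q2"],
    "IR-1": [],
}


def find_gaps(framework: Dict[str, str], mapping: Dict[str, List[str]],
              evidence: Dict[str, Evidence]) -> List[str]:
    """Requirements with no evidence on file. A mapped id that is absent from the
    store is still a gap: a name is not evidence."""
    gaps = []
    for req in framework:
        present = [e for e in mapping.get(req, []) if e in evidence]
        if not present:
            gaps.append(req)
    return sorted(gaps)


def unsupported_citations(draft: List[Tuple[str, str]],
                          evidence: Dict[str, Evidence]) -> List[Tuple[str, str]]:
    """draft: (claim, cited_evidence_id) pairs, e.g. parsed from a model's output.
    Returns every pair whose citation does not resolve to a stored artefact, which is
    the 'fabricated precedent' failure mode described in the article."""
    return [(claim, eid) for claim, eid in draft if eid not in evidence]


def build_response(req: str, framework: Dict[str, str], mapping: Dict[str, List[str]],
                   evidence: Dict[str, Evidence]) -> Optional[str]:
    """Audit answer for one requirement, or None when it would have to be invented."""
    ids = [e for e in mapping.get(req, []) if e in evidence]
    if not ids:
        return None
    refs = "; ".join(
        f"{evidence[e].title} [{e}, sha256:{evidence[e].digest()}]" for e in ids)
    return f"{req} ({framework[req]}) is satisfied. Evidence: {refs}"


if __name__ == "__main__":
    print("Gaps:", find_gaps(FRAMEWORK, MAPPING, EVIDENCE))
    # Constructed model draft: the second citation does not exist in the store.
    draft = [("Access policy reviewed annually", "POL-ACCESS-2024"),
             ("Privacy policy reviewed annually", "POL-PRIVACY-2019")]
    print("Unsupported:", unsupported_citations(draft, EVIDENCE))
    for req in FRAMEWORK:
        answer = build_response(req, FRAMEWORK, MAPPING, EVIDENCE)
        print(answer or f"{req}: NO EVIDENCE ON FILE, escalate to a human reviewer")
```

The design point is that the generator never has a path that produces a confident answer without a resolvable evidence id: a missing mapping yields an explicit gap for a person to resolve, and any citation in a model draft that does not exist in the store is rejected before the response leaves the tool. Recording a content hash alongside the id is what lets an auditor later confirm the cited artefact is the one that was reviewed.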
This approach does more than cut weeks of manual work. It restores the chain of trust between compliance teams, auditors, and regulators. Some platforms, such as Roz, are already following this path by focusing on evidence-backed automation rather than text generation. The emphasis is on making audits faster while keeping results defensible.
The compliance AI failures of the past year are not just embarrassing headlines. They are early warnings. Without validation, oversight, and most importantly evidence, AI in compliance creates more risk than it removes.
The answer is not to slow down adoption, but to adopt it responsibly. Compliance leaders need tools that accelerate audits while keeping evidence front and center. Speed matters, but only if the results can be proven.