As EY showcases its AI audit platform ‘Canvas’ in the Big 4 AI arms race, the UK’s Financial Reporting Council (FRC) has barely had time to publish its first guidance on generative and agentic AI. I see a familiar tension emerging, innovation is accelerating faster than the mechanisms designed to trust it. As I have written about before – Trust is the Real Currency of AI.
So we arrive at the modern audit, a room full of highly paid professionals, diligently reviewing the conclusions of a machine they neither fully understand nor are willing to fully distrust, while regulators peer over the same output, quietly upgrading their own software and guidance in the forlorn hope of keeping up. The accountants spreadsheet has been replaced by a black box, the sample by the entire dataset and professional judgement by ‘the’ human in the loop. Progress, we are told. One can only assume that when it all goes wrong, the post-mortem will confirm what we already know, the AI was wrong, the humans were accountable and everyone involved was, of course, entirely compliant.
The FRC’s framing is deceptively simple, AI can fail in three ways. It can produce incorrect outputs (bad inputs or flawed models), its outputs can be misunderstood or it can underperform relative to the standard expected of a human auditor. On the surface, this reads like a control checklist. In reality, it is something more fundamental: a statement that AI does not remove accountability, it concentrates it.
“You can’t blame it on the box,” as the Executive Director of the FRC Mark Babington put it. Quite right, but that assertion quietly shifts the burden of proof. Audit firms are no longer just verifying financial truth; they are now also validating the integrity of the systems that help them do so. The audit opinion becomes a composite judgement comprising part financial, part technological, part epistemological. This is where trust becomes strained.
Traditional audit models were built on sampling and professional scepticism. AI disrupts both. It enables full-population analysis, anomaly detection at scale, and pattern recognition beyond human capability. Yet the paradox is obvious, the more we rely on systems that see everything, the harder it becomes to understand how they see it. Explainability lags capability and assurance lags adoption.
The FRC’s guidance rightly stops short of prescription. It cannot do otherwise. Codifying how much checking is enough in a world of rapidly evolving models would be obsolete on arrival. Instead, regulators are signalling a shift toward principles based oversight; iterative, adaptive and necessarily incomplete.
However, this creates a second-order risk, inconsistency. If assurance is left to interpretation, trust becomes uneven. One firm’s ‘sufficient validation’ becomes another’s regulatory exposure.
Audit firms, understandably, want flexibility. They argue, correctly, that rigid rules will freeze innovation and degrade quality. Yet the counterpoint is uncomfortable without enforceable standards, trust risks becoming self-certified.
The real issue is not whether AI can be trusted, as I have discussed previously there are solutions to support this. It is whether trust itself has been re-engineered. In an AI-augmented audit, trust is no longer derived solely from human judgement or regulatory compliance. It must be constructed across a chain including data integrity, model behaviour, interpretability and oversight.
This is why I suspect we will need to see regulators do more than supervise, they must proactively compete. The US Public Company Accounting Oversight Board (PCAOB) chair’s call to enhance technological capability is not administrative housekeeping; it is existential. A regulator that cannot interrogate AI cannot regulate it.
The future of audit will not be defined by whether AI is used but by who holds authority over its outputs. Afterall, the market does not buy audits it buys confidence. The kicker though is confidence, unlike computation, does not scale automatically.
Posted on April 3, 2026
0