Document everything – and treat AI agents like human insiders

By Jeff Copeland
At the recent ISACA Europe 2025 conference in London, SAFE’s Director of Community and Education, Meghan Maneval, was interviewed by Infosecurity Magazine on emerging best practices in AI risk management. Meghan laid down Five Commandments of AI Auditing – read the article “AI Agents Need Security Training Just Like Your Employees” for a complete look at her Thou Shalts and Shalt Nots. Here’s a quick summary:
1. Write Everything Down
Document everything from tool inventories and model logs to data access and decision flows. Meghan observes: Capturing the full lifecycle of AI systems in writing gives auditors traceability and context — without it, you’re auditing in the dark.
2. Don’t Start with Checkboxes
Be more intentional than following an audit script. Dig into AI’s inner workings, such as validating the training data or identifying the biases and weaknesses in the model outputs. Understand that “AI agents need to be trained” on your company’s policies.
3. Treat Any AI Application Like a Human
AI tools, especially agentic systems, live in your environment much like a human employee would. Meghan emphasizes: “AI agents are now insiders…You know that humans can’t go and do whatever they want across your network…Neither should that AI agent.”
4. Combine Monitoring Techniques
A single audit approach won’t cut it. Meghan insists that effective oversight blends system log analysis, behavioral analysis, AI drift detection, and anomaly detection – otherwise, over time, you may be generating “data that exists but isn’t actually useful.”
5. Build Controls and Audit Them Too
Controls aren’t set-and-forget; they must be built, tested, audited, and refined. An AI auditor should evaluate security guardrails, access controls, and data leakage protection built around the AI tools or embedded into the model used by the organization. “It’s about learning how the system works so we can help it do the right thing.”
Learn more about SAFE’s AI strategy in this blog post by Saket Modi, Co-Founder and CEO: AGI’s Wild Future Needs a Tamer: Meet Cyber AGI