Reshaping the org for an AI-driven future

Why hours stopped signaling coverage, and what replaced them.

There is nothing harder than getting an auditor to move past the comfort of precise math.

An audit plan built on hours has been the industry default. Internal auditors, external auditors, and every service-based function runs on hours. Hours are clean math: we spent this much time, we covered this much ground. Hours are a proxy for productivity, not assurance, and the moment AI changes what a team can cover, hours stop signaling what they used to signal.

When hours are no longer a reliable proxy for coverage, you have to move to something else. That is where it gets hard, because the math gets fuzzier.

Every company has a constantly changing set of processes, systems, organizations, and risks. There are no fixed numerators or denominators that tell you what precise fraction of the company you have audited. We wrestled with this problem for nearly a year before landing on a methodology that would give both our team and senior leadership better insight into the company’s risk exposure.

We started with our enterprise risk matrix. For each risk area, we identified the systems, processes, and organizations exposed. Within each, we assessed which were highest priority, such as core systems, versus average or low priority, such as peripheral systems in non-core areas. Then we used the data we had to judge, with experienced eyes, what proportion of those priority areas our work actually covered.

That moves the work from math to judgment. Nothing made the auditors more uncomfortable.

They have the data. They have the knowledge. If you asked a senior auditor approximately how many of the company’s core systems were covered in the year’s cybersecurity assessments, they could answer. An auditor is comfortable when they can show the audit trail: the papers that demonstrate the calculation. Even when they can triangulate their data into an answer, they are not comfortable saying "approximately seventy percent."

I literally had to tell my audit leaders that if their backs were against the wall, if they were on Squid Game, they absolutely could give me a number they felt was accurate. And they agreed. They just hated it.

The outcome is that we can now define our coverage principles: how much of each enterprise risk area we will cover within 12 and 24 months. The Board can now assess whether they have sufficient assurance in each area. That is a different conversation than "we spent X percent of our hours on cybersecurity."

This is what reshaping a function actually looks like in practice. We rebuilt the team’s measurement framework around what assurance actually is, rather than what activity looks like. We trained people to triangulate instead of calculate. We built the systems that bring the data together to support the triangulation. And we helped the team build their judgment muscle.

I am grateful for an extraordinary team. What the coverage framework required of them had no precedent in the industry. They had to work through genuine discomfort, bring real creativity and hard problem-solving to questions that did not have existing answers, and dig deep again and again to build something from first principles. That took skill and courage. Both are visible in the result; only the team saw the cost of getting there.

The Trailblazer recognition is for work that has taken the team most of three years to get right, in the parts no award citation can describe. Adopting new technologies and building new skills was the easy part. Asking trained professionals to operate in approximations, and to trust their approximations as better signal than precise but meaningless calculations, was more challenging.