A Thematic Qualitative Literature Review of Risk Controls, Compliance Frameworks, and Auditability in Enterprise GRC

DOI:

https://doi.org/10.70715/jitcai.2026.v3.i3.075

Keywords:

generative AI, GRC, AI auditability, AI risk management, compliance frameworks, internal control

Abstract

This structured qualitative literature review examines how generative artificial intelligence (GenAI) governance is operationalized in enterprise governance, risk, and compliance (GRC). The review analyzed 37 studies, standards, regulatory materials, scholarly preprints, and professional guidance documents, with substantive GenAI governance and control literature concentrated in 2019-2026. Using an adapted PICO search framework and reflexive thematic analysis, the review identified four themes: framework convergence without control specificity, lifecycle control as the dominant operational model, auditability as an evidence problem, and persistent gaps in accountability and continuous monitoring. Results suggest that modern GenAI GRC has moved beyond principles but remains immature as an assurance discipline because organizations still lack standardized evidence artifacts, control ownership, and continuous testing practices. The review contributes a control-oriented synthesis linking governance frameworks to auditable evidence artifacts and clarifies how enterprise teams can translate legal, standards, security, and audit guidance into practical control work.

Published

05/31/2026

Data Availability Statement

This manuscript is a structured qualitative literature review examining how generative artificial intelligence governance is operationalized in enterprise governance, risk, and compliance. It synthesizes 37 publicly available sources, with substantive GenAI governance and control literature concentrated in 2019-2026. The article does not involve human participants, private data, clinical data, or experimental intervention; therefore, ethics approval was not required. The author declares no competing interests.

How to Cite

I. Herzing, “A Thematic Qualitative Literature Review of Risk Controls, Compliance Frameworks, and Auditability in Enterprise GRC”, Journal of IT, Cybersecurity, & AI, vol. 3, no. 3, pp. 63–74, May 2026, doi: 10.70715/jitcai.2026.v3.i3.075.