AI Leadership: Building the Technology Roadmap
FEATUREDINTERNAL AUDITBUSINESSRISKSOXCOMPLIANCE
In order to be driving an AI strategy, you need to build your own technology roadmap. Leaders can’t rely on IT to support your AI journey.
This is part of an ongoing series of articles for Internal Audit Next that I am writing about the impact AI will have on business teams and leaders in the weeks, months, and years ahead. The focus of these articles is to identify ways of thinking that can help leaders successfully navigate the AI-driven business landscape. If you haven’t read it yet, check out my first article in the series, AI Leadership: Focus on the Operating Model.
Technology Beyond the Tool
Let’s face it, we have spent the last 20 - 30 years of our careers thinking of technology as a means to an end. The GRC space is not known for innovative technologies and there are only a handful of players who serve the audit, risk, compliance, and governance space. The emphasis is on data repository tools and work-flow management. Most of us know that the technologies in the GRC space aren’t going to light the world on fire, they just need to get the job done. Some of us — and you can be forgiven for being in this category — don’t spend a great deal of time thinking about the tools you and your team use every day. Others of us — if you are in this category, you may want to pay close attention — often try to guide the technologies you do use to fit the processes you have been executing, managing, and leading over the last decade or two, or three.
All of that has to change. Tomorrow. Not next week. Not when you have time. For better or worse, the pace of technological change is reaching a velocity that the GRC leader has to both acknowledge and have a plan for how to process new inputs and manage that change. In every industry, GRC professionals need to understand what technologies your companies are using, how they are being used, and why it matters. On top of this, auditors — in particular — need to understand how the technologies will be used in the years ahead within their companies. If they don’t, they will be ineffective at their jobs. If you haven’t figured it out, it means that technology is going to be a core part of being a leader in the GRC space. Full stop. If you are not technology savvy, now is the time to start learning.
Building a Technology Roadmap
My recommendation is that you begin with the technology roadmap. For a few reasons:
A roadmap is a mature concept that most IT shops have put into practice - you won’t be starting from scratch.
A roadmap forces you to ask the question, “what am I trying to achieve?”
A roadmap forces you to think ahead in terms of months and years.
A roadmap is the perfect framing device to help you think about AI.
Leveraging Work Already Done
Most IT organizations have a technology roadmap. Each year they should be looking at mission critical technologies and determining what their teams need to work on. This is usually driven by business needs, internal team objectives, and a healthy understanding of how work is getting done. Here is an a-ha moment for you. A good technology roadmap depends on an understanding of the people and processes needed to get the job done. In my prior article, I talked about the operating model. When you are building a technology roadmap, you should have that locked down for your team. If you don’t, take a pause from the technology roadmap and get that done first.
Spending time with your CIO (or IT leader) can help you understand how they think about technologies in the enterprise and how they plan for maximizing their resources. Use their templates and processes if they have one in place. You can always refine and improve upon the approach in future years. Now isn’t the time to reinvent the wheel. There is no time for that.
The Goals
“What am I trying to achieve?” The truth is, the buzz around AI is all about efficiency. Whether we like it or not, many of us haven't necessarily been emphasizing that on our teams. For many years audit, compliance, and risk leaders thought of their teams as growing with the company or, at a minimum, maintaining the existing team. We generally did things the same way each year. Domain IV: Managing the Internal Audit Function of the IIA latest standards call out the following principles:
Principle 9: Plan Strategically
Principle 10: Manage Resources
Both emphasize effectiveness, but there isn’t much guidance on efficiencies. I did a search of the IIA standards and the word “efficiency” appears 20 times in the standards. Almost always mentioned with effectiveness. In my years of working in GRC and working with GRC teams, I have rarely seen any GRC leader emphasize efficiency as a top-priority.
AI is changing the game for us now. Efficiency should be at the top of your list of objectives. All of the audit, compliance, and risk leaders I have spoken to in the past 6 months have stated that they have been directed to find efficiencies on their teams. If not explicitly stated, it has been heavily implied that leaders should think about how AI will help them reduce headcount. In some cases, leaders are being told they will not receive backfills when team members leave.
When thinking about the technology roadmap, consider what the goals are of what you are trying to achieve. If finding efficiencies isn't there, put it at the top of your list. AI is making us all rethink “how it has been done” in favor of “finding new ways,” when it comes to the work we do day in and day out.
The Future
It is honestly hard to predict what our business environments will look like in the next one to three years. That doesn’t mean we, as leaders in the GRC space, should not be thinking about it. By assessing the goals you can map a set of activities that make sense to achieve those goals. As you monitor the pace of change you can regularly check-in to see if your future goals align with where things are going. If the universe of possibilities starts to change, you can revise your own goals. These will feed what your roadmap looks like and anchor your decision making process. Like it or not, you need to start thinking about more than one path. I recommend picking, at a minimum, three scenarios. Now more than ever, leaders need to think like futurists and consider possible outcomes. Your planning, in this case the technology roadmap, will be a reflection of what that could look like.
One of the most valuable outcomes of thinking ahead is that you will begin to see dependencies that help you identify and mitigate any weaknesses in your technology roadmap. While the specifics of what AI can do will evolve over time, we know that AI overlaps with our use of technology as well as the processes of our people. Looking ahead towards possible futures can help you consider outcomes you might not have considered just 12 months ago.
The Roadmap and AI
Despite the hype, we know that gains from AI will only be as good as our ability to provide assurance that systems are operating as expected. The biggest benefits to be obtained from early adopters is the understanding of the basic principles that drive how AI functions. The most successful enterprise AI companies look very similar to what traditional software companies looked like for the past three decades. Your roadmap should be anchored on testing and evaluating AI technologies. While it sounds great that someone has the ability to vibe code manual processes, how is that going to be tested? What security protocols and systems will be needed to avoid failures or problems? I could spend hours on this topic alone, but you get where I am headed with this line of inquiry.
Most IT roadmaps have been built on foundational goals such as usability, security, integration with existing technology tools in the enterprise, etc. By applying the principles of building a good technology roadmap, you can begin to see AI technologies in a new light. Is it reasonable that your team will be responsible for building and maintaining AI agents to perform mission critical tasks for your team? Probably not.
Given the speed of AI growth, it is safe to say that you should expect that you and your team need to be comfortable with being in perpetual test mode of different AI-related technology tools. In addition, you constantly have to be considering the technology roadmap as impacting your processes. Full-disclosure, I work for an AI-based SOX testing automation company. These types of technologies are already changing the landscape of how SOX teams will operationalize their workload in the months and years ahead. The technology roadmap, with your operating model, is an excellent vehicle to help you think about how your team can evolve to meet the demands of the moment and grow with AI tools in a productive way.
Building Your Technology Roadmap
Standard 10.3 Technological Resources of the IIA Standards states:
"The chief audit executive must strive to ensure that the internal audit function has technology to support the internal audit process. The chief audit executive must regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency."
I would argue that AI has already turned the statement, “the Internal audit function has technology to support the internal audit process,” on its head. The technology, specifically AI, is rapidly becoming what dictates the process and it is already fundamentally changing the role of Internal Audit, SOX testing, Compliance activities, Legal activities, and others.
I recommend you consider the following when getting started on this exercise:
Gather your team and ask the question, “how do we think about technology?” Use the five Whys to help guide this conversation by asking, “why do we think that?” If you have surfaced more questions than answers, you should start working on the technology roadmap for your team.
If you have NOT created an operating model. Do that first. Know what you are trying to do and how you intend to do it.
Leverage best practices from teams (start with IT) who need to build technology roadmaps.
Start asking, “why do we do this that way?” all the time.
Evaluate different home grown usage of AI tools. Such as agentic AI creations members of your team or co-workers in other departments might already be building or have built. Ask the hard questions about each of them. Can these enable me to do tasks with assurances I need to know the company’s interests are looked after?
Start evaluating AI tools offered by existing vendors or companies serving niche areas that impact your stakeholders or your team.
Embrace the scientific process by testing, evaluating, and understanding what AI brings to your team.
Imagine a future with AI in it. If you can’t, then you need to spend more time learning about how AI works and what is possible and what is mostly hype.
Accept that you may be throwing out the current script more often than you imagined and be at peace that it will be OK.
Plan to revisit your technology roadmap every quarter. Truthfully, every month would be best. Engage other leaders in your company and ask them to question your assumptions and underlying logic.
This is an uncomfortable place for most of us. That’s OK. The world is changing and even if the talk of an AI bubble is true, it is clear that AI technologies are here to stay. How you and your team navigate this reality can be something you control, or something that is done to you. I vote for the first option.
Good luck, it’s going to be an interesting ride.
Michael Pellet is currently a Customer Success leader for Petual.ai, an agentic AI SaaS product that automates SOX Testing. He is the former Director of Internal Audit at Lyft and Salesforce and has spent years as a consultant and operational leader in technology companies. You can learn more about Michael on LinkedIn.
These are the opinions of the editors of Internal Audit Next and/or the writer who authored this article. Any use of this copyrighted material without permission of Internal Audit Next - including training for AI Models - is prohibited. Copyright 2026.
Related Articles
Internal Audit Next © 2026
Internal Audit Next is a site containing thought leadership articles for the GRC (Governance, Risk, and Compliance) industry. Staffed and written by volunteers looking to change this industry for the better.