Top Risk Areas for Internal Audit: TMT

Brian Hochberg, Paul Elggren, Brian Legan
12/5/2025

Explore five areas of emerging risks redefining internal audit in TMT for 2026 and learn how teams can stay ahead in a shifting risk landscape.

Note: This article is part of a series on risks that internal audit teams should consider for their risk assessment and audit planning for and throughout 2026. Other articles in the series cover trends in these areas:

Internal audit plays a critical role in helping technology, media, and telecommunications (TMT) organizations manage evolving risks that affect innovation, compliance, and resilience. As 2026 approaches, emerging technologies, stricter regulations, digital monetization, and geopolitical shifts are reshaping the risk landscape.

In TMT, where disruption is constant and digital is core, these trends introduce complex, fast-moving risks that require proactive, cross-functional internal audit engagement. From protecting AI intellectual property (IP) to navigating tech nationalism, internal audit must assess increasingly interconnected challenges.

Five priority risk areas for internal audit to address in 2026 planning include:

  • AI risks: Beyond bias, AI introduces several concerns, such as model security, data provenance, IP leakage, and shifting regulations. Internal audit should assess how AI is governed, secured, and ethically applied, internally and in customer solutions.
  • Digital identity and synthetic media: Threats such as deepfakes bring fraud, reputational, and operational risk. Internal audit can evaluate detection systems, response plans, and awareness efforts.
  • Fintech and regulatory convergence: TMT companies entering digital payments now face know your customer (KYC), anti-money laundering (AML), and capital oversight standards. Internal audit teams must confirm these are integrated into governance and business models.
  • Talent shortages: Gaps in AI, cloud, and cybersecurity expertise affect scalability and resilience. Internal audit can review staffing, third-party reliance, and the sustainability of control environments.
  • Tech nationalism and regulatory fragmentation: Cross-border restrictions, data localization, and export controls raise compliance risks. Internal audit can embed geopolitical awareness into ERM and assess global policy alignment.

As TMT companies innovate amid regulatory complexity, internal audit must expand its focus to provide insights that support strategy and resilience.

AI risks

Internal auditors of tech companies need to be at the forefront of risk identification and risk mitigation. Risks related to AI are abundant, but we highlight a few areas for consideration.

Security and IP risks

AI assets represent valuable IP. At the same time, they introduce various threats, including:

  • Model inversion attacks in which adversaries extract sensitive information from models.
  • Prompt injection and data poisoning, which involve manipulating model inputs or training data to produce malicious outputs.
  • IP theft and code leakage, which are especially relevant when open-source AI frameworks or third-party APIs are integrated.

Data management and integrity

AI’s reliability depends on high-quality, representative data. Tech companies often aggregate vast, multisource datasets, which creates exposures such as:

  • Bias and fairness issues: Training data might unintentionally reinforce societal or user biases.
  • Data privacy risks: AI models trained on personal or sensitive information risk breaching privacy regulations, such as the European Union’s (EU’s) General Data Protection Regulation and the California Consumer Privacy Act.
  • Data provenance gaps: Limited transparency into data origin or transformation can hinder explainability and compliance.

Compliance and ethical use

As AI regulation accelerates with, for example, the EU AI Act, technology companies must ensure compliance for internal use and for customer-facing AI solutions.

  • Regulatory uncertainty: Ambiguity in global standards can cause inconsistent compliance practices.
  • Ethical use and transparency: Failure to disclose AI-driven decision-making in products could create reputational harm.

Next steps for internal auditors

  • Security and IP protection: Confirm that AI models and pipelines are covered by cybersecurity programs, penetration testing, access controls, and IP safeguards.
  • Data governance and integrity: Review lineage documentation, consent management, and bias mitigation. Verify that AI data use aligns with enterprise data policies.
  • Compliance and ethics: Assess whether compliance covers emerging AI regulations and if ethical principles are embedded in product and operational design.

Digital identity and synthetic media

Digital identities have enhanced global connectivity, but as they become more detailed, they also introduce growing vulnerabilities that are reshaping the risk landscape.

Each social media post, comment, or data breach increases the information available to threat actors. Combined with AI, this data is fueling the rise of synthetic media and AI-driven impersonation that range from deepfakes in internal communications to attacks on biometric authentication systems.

Traditionally, phishing and whaling schemes relied on email impersonation, and controls such as callback verification were in place. Now, attackers can mimic voices and faces, bypass those controls, and increase the risk of fraudulent payment requests or unauthorized access.

Beyond financial fraud, these technologies pose broader risks, such as spoofing biometric systems to access restricted areas or creating fake social media posts, that damage brand trust, destabilize organizations, and undermine confidence in digital identity safeguards.

Next steps for internal auditors

  • Security awareness: Evaluate training programs for employees and third parties to confirm readiness to identify and respond to suspicious communications.
  • Social media policy review: Assess policies and procedures to limit social engineering risks via social media and provide guidance on synthetic media threats.
  • Synthetic media risk assessment: Identify the organization’s exposure to deepfakes or manipulated content, especially in areas such as executive communication, approvals, onboarding, crisis response, or investor relations.
  • Crisis response readiness: Determine whether incident response plans address synthetic media risks and include monitoring of brand and executive channels for compromise.
  • Anomaly detection: Review fraud monitoring systems to make sure they detect impersonation attempts, not just technical breaches.

Fintech and regulatory convergence

As TMT firms expand into digital payments, they increasingly take on responsibilities traditionally held by financial institutions. This convergence brings new risks tied to financial regulation, fraud monitoring, and KYC and AML compliance. Internal auditors must understand how these risks reshape operational controls and require more advanced governance frameworks.

Financial regulatory risks

TMT companies entering payment processing, digital wallets, or embedded finance face financial regulatory scrutiny, often for the first time. Regulations involve licensing, reporting, and consumer protection obligations typically reserved for banks and fintechs. Operating across multiple jurisdictions, such as the U.S., EU, and emerging markets, adds complexity due to differing rules regarding payments, data, and digital assets. Internal audit should assess whether companies have registered appropriately, maintain sufficient capital and controls, and embed compliance into digital offerings from the outset.

Fraud monitoring and transaction integrity

High transaction volumes on digital platforms make TMT companies prime fraud targets. Legacy systems built for subscriptions or content might lack the real-time analytics and anomaly detection needed for financial transactions. Poor monitoring increases the risk of account takeovers, synthetic IDs, or payment diversion. Internal audit should evaluate fraud governance, data analytics, escalation workflows, and coordination between risk and engineering. It also should verify that tools evolve with new features to protect transaction integrity and customer trust.

KYC and AML compliance risks

Facilitating payments introduces strict KYC and AML duties. TMT companies can lack experience in customer due diligence, transaction screening, and suspicious activity reporting. Reliance on third-party processors adds complexity and shared accountability, and control failures by third parties can result in enforcement action. Internal audit should review team expertise, system capabilities for identity verification, and the strength of monitoring processes. Investments in compliance automation and training can mitigate risk and support a stronger control culture.

Next steps for internal auditors

  • Regulatory compliance: Assess management’s understanding of financial regulations and confirm that licensing, capital, and reporting requirements are integrated into governance. Evaluate how payment operations are incorporated into enterprise compliance programs.
  • Fraud monitoring: Review whether fraud detection systems meet payment industry standards, including real-time monitoring, alerting, and escalation protocols.
  • KYC and AML controls: Confirm that customer due diligence, sanctions screening, and transaction monitoring are in place. Evaluate training, technology, and oversight supporting AML compliance.

Talent shortages

Internal auditors in technology-driven organizations must remain alert as workforce shortages in AI and machine learning, cybersecurity, and cloud engineering continue to threaten operational scale and weaken control environments. As digital transformation accelerates, a lack of specialized talent poses significant risks to strategic execution and resilience.

Operational and strategic risks

Skill shortages delay critical projects, hinder system integration, and stall digital initiatives. Overreliance on a few specialists creates knowledge silos and turnover risks. Many organizations use third-party vendors to fill gaps, but doing so can reduce visibility, introduce control inconsistencies, and raise data protection concerns. Limited internal talent slows innovation, impedes automation, and reduces agility in responding to market or regulatory changes.

Control and security risks

Understaffed technical teams often result in degraded control environments. Cybersecurity teams might miss patching or delay incident responses. AI and machine learning teams might lack resources to test for bias, model drift, or data quality issues. In cloud operations, talent shortages increase the risk of misconfigurations, weak access controls, and missed encryption protocols, all of which raise the likelihood of breaches or outages. As digital complexity grows, these risks compound.

Compliance and resilience risks

Talent gaps also impair compliance and resilience. Limited staffing reduces the ability to interpret and apply evolving privacy, cybersecurity, and AI regulations. Compliance programs might shift to reactive remediation while continuity planning and disaster recovery efforts become deprioritized. Under pressure, ethical and governance shortcuts might occur, which damages trust with regulators, customers, and employees and increases exposure to enforcement and reputational harm.

Next steps for internal auditors

  • Operational and strategic planning: Evaluate workforce planning and talent management for critical tech functions. Review reliance on contractors and the strength of oversight mechanisms.
  • Controls and security: Assess staffing levels and monitoring for cybersecurity, AI and machine learning, and cloud controls. Confirm that segregation of duties and incident response remain effective under current constraints.
  • Compliance and resilience: Review readiness for regulatory demands and continuity planning amid staffing gaps. Verify that governance includes escalation pathways for workforce-related risks.

Tech nationalism and regulatory fragmentation

As global regulations shift, the rise of tech nationalism is reshaping risk for TMT companies. With major economies emphasizing technological sovereignty, new rules now restrict the transfer of semiconductors, AI, and telecommunications infrastructure in order to protect national interests and reduce foreign reliance. For global TMT companies, these changes demand greater internal audit focus. Regulatory compliance is no longer peripheral; it’s a core element of risk oversight.

Export controls and governance

Internal audit should assess whether governance frameworks account for complex export controls and trade compliance. Key areas include policies for cross-border data transfers, dual-use technologies, and restricted-party screening. Given the continued use of decentralized or manual compliance processes, internal audit teams should evaluate whether systems are configured to flag high-risk activities in real time and confirm that supply chain visibility and data governance are effective.

Localization and operational fragmentation

Data residency laws and domestic research and development (R&D) mandates are pushing TMT companies to localize operations. While this move supports regional compliance, it can create fragmented systems and diverging controls. Internal audit can assess whether these risks are addressed through defined ownership, regional resourcing, and strong global oversight, which is critical in a landscape where strategies must adapt by jurisdiction.

Intangible asset controls

Export controls now cover intangible assets like source code, AI models, and technical knowledge. Internal audit should review protections for these assets, especially in joint ventures or offshore development. Focus areas include third-party access, data segmentation, and tracking protocols for sensitive information.

Geopolitical risk in ERM

Tensions between regulatory regimes, like U.S. export rules and China’s market conditions, create added complexity. Internal audit should assess whether enterprise risk management (ERM) frameworks include geopolitical risk assessments and whether management monitors global regulatory shifts. Scenario planning and forecasting can provide proactive insight into operational or compliance impacts.

Proactive risk intelligence

As global tech regulation grows more fragmented, internal audit must go beyond compliance checks to deliver forward-looking risk intelligence. By embedding geopolitical and regulatory risk into internal audit planning, teams can support more resilient, well-informed decision-making.

Next steps for internal auditors

  • Export control governance: Evaluate policies for cross-border data, dual-use tech, and restricted-party screening for regulatory alignment.
  • Tech classification and monitoring: Assess procedures for identifying export-controlled technologies and the ability to flag high-risk transactions in real time.
  • Localization oversight: Review governance of region-specific operations, such as data hosting and R&D, for consistency across jurisdictions.
  • Intangible asset safeguards: Examine controls for protecting AI models, source code, and technical knowledge, especially in third-party or offshore environments.
  • Geopolitical risk in ERM: Verify that geopolitical and regulatory risks are integrated into ERM through scenario planning and trend monitoring.
  • Global compliance alignment: Assess whether regional compliance teams are well-resourced and aligned with enterprise oversight to manage regulatory divergence.

Looking ahead

As TMT organizations navigate rapid innovation, shifting regulations, and geopolitical complexity, internal audit remains pivotal in safeguarding trust, value, and resilience. By focusing on five priority areas – AI governance, digital identity integrity, regulatory convergence, talent resilience, and geopolitical compliance – internal audit can help TMT leaders balance innovation with control.

Embedding cross-functional collaboration, data-driven insights, and continual learning into internal audit programs will be essential to keep pace with technological change. Ultimately, a forward-looking internal audit function not only identifies vulnerabilities but also enables confidence in transformation so that TMT companies can innovate securely, operate ethically, and remain resilient in an increasingly complex digital economy.


Brian Hochberg
Partner, Consulting
Paul Elggren
Managing Director, Internal Audit Consulting
Brian Legan
Senior Manager, Internal Audit Consulting