Cybersecurity vulnerabilities, data governance and regulatory compliance are three of the most common risk areas expected to be included in 2026 internal audit plans, according to Gartner, a business and technology insights company.
“The rapid rise of AI is driving acute issues for organizations in terms of cybersecurity, data governance and regulatory compliance,” said James Bourke, Director, Research in the Gartner Assurance Practice. “Internal audit teams are very likely to be covering these areas in their audit plans for 2026, although with muted confidence in their ability to provide assurance over cybersecurity and data governance risks given how rapidly these areas are evolving.”
Gartner’s report, 2026 Audit Plan Hot Spots, is based on a survey of 160 chief audit executives (CAEs) conducted from May through June 2025, as well as structured interviews with CAEs and IT audit leaders, and data and insights from cross-functional Gartner research. The report highlighted four main themes for audit plans for 2026: geopolitical volatility, cost reduction pressure, ensuring security and resilience in uncertain times, and rapid AI developments.
1. Cybersecurity Vulnerabilities
Ninety-six percent of survey respondents have activities planned to provide assurance over cybersecurity vulnerabilities in 2026, making it a top area of focus in audit plans for next year.
“Cybersecurity is a major risk area, especially as organizations depend more on third-party vendors who can introduce vulnerabilities,” said Bourke. “At the same time, cybersecurity teams are stretched thin and struggling to respond to the speed and volume of advanced threats such as AI-driven attacks and disinformation.”
This intersection of factors has affected the confidence CAEs have in providing assurance over cybersecurity vulnerability risk, with fewer than half (48%) highly confident in their ability to do so. The focus will be on assessing how prepared organizations are for cyber threats, the strength of their controls, and their oversight of third-party relationships. Strong governance, integrated risk management, and robust controls are emphasized to protect against operational, financial, and reputational harm.
2. Data Governance
Ninety-four percent of CAEs have coverage for data governance in their planned activities for 2026, making it another key area that internal audit will be providing assurance over. “Organizations’ data governance efforts face new challenges for managing the volume and classification of AI-generated outputs, as well as heightened risks related to data localization and sovereignty as regulations proliferate,” said Bourke.
Gartner experts recommend that organizations strengthen their data governance by ensuring AI policies adequately address risks related to AI-generated outputs. Effective controls must be in place for the retention and deletion of AI-generated data, integrating new AI applications and assigning appropriate management roles. Further, robust frameworks are needed to classify and monitor sensitive AI-generated outputs, preventing misclassification or unauthorized access.
3. Regulatory Compliance
Regulatory compliance is another critical area in most 2026 audit plans, with 97% of CAEs having coverage planned. Organizations are navigating a clouded and uncertain information environment, forcing them to scramble to adapt and maintain an adequate compliance posture.
“Amid a deregulatory push from the current U.S. administration, organizations must confront significant policy uncertainty, as well as increased pressures on ethical behaviors,” said Bourke. “Misconduct by employees, agents and third parties is more likely amid a weakening macroeconomic environment and organizational change.”









