In September 2025, Deloitte Australia faced public scrutiny after the Department of Employment and Workplace Relations (DEWR) discovered major factual errors in a government-commissioned report on the future of work. Portions of the report had been produced using generative AI tools based on Microsoft’s Azure OpenAI platform, including fabricated legal citations and non-existent sources.
As reported by The Guardian and ABC Australia, the government requested a refund of part of the AU$442,000 contract, and Deloitte admitted that its internal review and quality assurance processes had failed.
This was not an AI malfunction; it was a control failure. The incident illustrated that artificial intelligence is no longer just a technology issue—it is a core operational risk. The absence of human validation, documentation, and governance transformed an innovative tool into a reputational and contractual liability.
AI as a new face of operational risk
Operational risk has long been defined—under Basel III and ISO 31000—as the risk of loss resulting from failed processes, systems, or human actions. When AI becomes embedded into those processes, it introduces a hybrid layer of risk: one that combines automation with opacity.
In Deloitte’s case, the errors stemmed from process weakness (over-reliance on automated outputs without human review), model risk (lack of validation of AI-generated content), and reputational exposure (public loss of confidence). The same pattern could unfold in banking, insurance, or healthcare if organizations deploy AI systems without proper governance.
The Philadelphia Federal Reserve has already demonstrated that weather-related operational events can measurably raise losses across U.S. banks; similar research is now focusing on AI and algorithmic risk, where failures in data quality, explainability, or oversight can have comparable operational effects.
In short, AI doesn’t just automate decisions—it automates risks. And unmanaged automation amplifies the probability of loss.
The regulatory shift: from innovation to accountability
Across jurisdictions, regulators are drawing clearer lines between experimentation and governance. In the European Union, the AI Act, adopted in 2024 and entering phased enforcement through 2027, classifies AI systems by risk level—prohibiting those considered unacceptable, requiring transparency for general-purpose AI, and mandating human oversight and documentation for high-risk use cases.
In the United States, the NIST AI Risk Management Framework (RMF) and the White House OMB Memorandum M-24-10 outline expectations for AI use in federal agencies: maintaining inventories of AI systems, assessing their impact on privacy and safety, and publishing annual risk reports. While directed at the public sector, these standards are shaping private-sector due diligence and vendor expectations.
Meanwhile, the ISO/IEC 42001:2023 standard provides a formal structure for AI management systems, integrating governance, risk assessment, and supplier oversight within the same logic as ISO 31000. Financial and insurance regulators, including the New York Department of Financial Services (NYDFS) and the National Association of Insurance Commissioners (NAIC), have also issued sector-specific guidance on algorithmic bias testing, documentation, and governance.
These initiatives converge on one message: innovation is welcome—but uncontrolled innovation is no longer acceptable.
Mapping AI risks within operational risk management
For organizations, the first step is to treat every AI system as a risk asset—subject to identification, assessment, control, and monitoring like any other operational process.
Mapping begins by identifying where AI is used: report generation, customer interactions, credit scoring, fraud detection, HR analytics, or predictive maintenance. Each use case should be assigned a risk owner and documented within the enterprise risk register.
Once mapped, the organization must evaluate exposure. The most common failure points include hallucination or factual errors, bias or discrimination, data leakage, and vendor dependency. Controls should be designed accordingly:
- Human review of AI outputs in high-impact contexts.
- Validation of training data and version tracking of models.
- Documentation of assumptions, prompts, and model lineage.
- Independent audits to detect drift or bias over time.
- Vendor governance clauses ensuring transparency and fallback options.
Risk monitoring should be continuous. Incident logs for AI errors, periodic stress testing, and clear escalation channels are as essential as those used in cybersecurity or business continuity. The NIST AI RMF emphasizes iterative management—govern, map, measure, and manage—an approach that mirrors the operational risk cycle.
Turning governance into advantage
Paradoxically, organizations that invest early in AI governance stand to gain a competitive advantage. Robust risk management builds trust by design: regulators, partners, and clients can rely on the integrity of outputs. It also accelerates innovation by creating a safe framework for experimentation and deployment.
In sectors such as finance, healthcare, and logistics, resilient automation—AI integrated within defined controls—reduces rework, prevents reputational crises, and attracts customers who value transparency.}
As Deloitte’s incident demonstrated, reputational damage spreads faster than any algorithmic output. Having traceability and documented oversight can mean the difference between a public correction and a public crisis.
How Pirani helps operationalize AI risk governance
AI risks cannot be managed in isolation. They belong inside the same operational risk ecosystem that governs processes, compliance, and resilience.
With Pirani, organizations can:
- Register every AI use case as an operational risk.
- Assign owners, controls, and verification stages.
- Document model versions, data sources, and testing results.
- Track incidents and corrective actions.
- Generate dashboards for board and regulatory reporting.
By embedding AI into the broader Enterprise Risk Management (ERM) framework, Pirani helps convert uncertainty into actionable oversight—making AI not a vulnerability, but a managed capability.
Learn more: Request a demo
The Deloitte case stands as an early warning in a new age of automation: the most sophisticated tools fail when governance fails.
As AI systems permeate daily operations, governance, traceability, and accountability will define the boundary between progress and risk.
For leaders in risk management, the mandate is clear—treat AI as part of your operational resilience strategy. What begins as a source of uncertainty can become the foundation for trust and innovation, if—and only if—it is governed with the same discipline as any critical system.
FAQ
Why should AI be treated as an operational risk?
Because it can directly cause process failures, reputational damage, or compliance breaches. Under Basel and ISO definitions, any loss resulting from failed systems or processes—including AI—is operational risk.
What does the Deloitte case teach about risk controls?
It shows that automated outputs must be validated, reviewed, and documented. Without human oversight and clear accountability, AI errors become organizational failures.
Which frameworks guide AI governance today?
Key references include the EU AI Act, NIST AI RMF, ISO/IEC 42001, and the OMB M-24-10 policy in the U.S., all emphasizing governance, transparency, and continuous monitoring.
How can companies prevent AI-related losses?
Through validation protocols, version control, bias testing, and incident reporting integrated into the existing risk management system.
What is the opportunity behind AI risk management?
Proper governance turns compliance into trust and innovation into resilience—allowing organizations to innovate responsibly while protecting reputation and value.
Try Pirani now, create your free account 👇
Want to learn more about risk management? You may be interested in this content 👇
Get to know the fundamental principles of Basel in banking
6 Practical Examples of Risk Management in Action
When the Storm Hits: Managing Operational and Climate Risks Effectively
How AI & Machine learning are shaping the future of Risk Management
5 tips for avoiding financial fraud
No Comments Yet
Let us know what you think