Deloitte dropped their 2026 Internal Audit Hot Topics report in January. It’s 19 pages covering where they think Internal Audit can deliver the most impact this year. Here’s what’s in it.
Key Takeaways#
- Agentic AI is Deloitte’s “mega hot topic” for 2026: autonomous agents can initiate actions outside established approval chains, creating fraud exposure and accountability gaps most audit functions aren’t equipped to assess
- DORA is now live for EU financial services; the UK Critical Third Parties framework is operational; third-party risk is no longer just an operational concern — it’s a live regulatory compliance issue
- Most organizations haven’t started cryptographic migration planning; NIST’s 2030 deadline for deprecating current standards is closer than most teams are accounting for
- “Harvest now, decrypt later” attacks — where adversaries collect encrypted data today to decrypt once quantum capability matures — make quantum readiness time-sensitive right now, not in 2029
- AI is accelerating every risk vector in both directions; Deloitte’s prescription is for audit to become an early adopter of agentic AI internally while building the governance muscle to audit it in the business
The Big Picture#
The framing is that Internal Audit is entering its “most transformative era” — the expectation is a shift from lagging assurance to strategic partnership. The backdrop driving that: economic instability, geopolitical tension, AI acceleration, and a pace of regulatory change that shows no sign of slowing.
The report splits into three buckets: one mega hot topic, seven operational priorities, and seven IT/cyber priorities.
Mega Hot Topic: Agentic AI#
This is the headline theme and it’s getting its own section for good reason. Agentic AI — autonomous systems that plan, execute, and adapt with minimal human oversight — is expected to be embedded across business functions by 2026. Unlike traditional generative AI that responds to prompts, these systems act more like digital employees: connecting across systems, making decisions, initiating tasks.
The risks Deloitte flags:
- Accountability gaps — when an agent acts independently, it’s often unclear who owns the outcome
- Decision-making errors at scale — biased or incorrect autonomous decisions can compound fast
- Control bypass — agents can initiate actions outside established approval chains, creating fraud and financial misstatement exposure
- Adversarial attacks — prompt injection, model poisoning, and system exploitation are active threat vectors
- Shadow AI — business units deploying agents without enterprise oversight, creating parallel uncontrolled processes
- Data privacy — agents can inadvertently access or exfiltrate sensitive data
What IA should be doing:
Deloitte’s recommendation is for audit to govern agentic AI and use it. On the governance side: assess accountability frameworks, audit shadow AI deployment, review human-in-the-loop architecture, and test cybersecurity controls around AI systems. On the adoption side: pilot agentic AI internally for continuous control monitoring, dynamic audit planning, controls rationalization, and quality assurance automation.
The closing line here is direct: “Agentic AI will be both a game changer and a governance challenge.” Boards are going to start asking for assurance over AI governance specifically, and most audit functions aren’t ready to provide it.
Operational Hot Topics#
| # | Topic | What’s Driving It |
|---|---|---|
| 1 | M&A | Accelerating deal activity and heightened regulatory scrutiny on integrations |
| 2 | Business & System Transformation | AI-era modernization creates value, but controls are routinely deprioritized |
| 3 | Capital Program Assurance | Competing funding priorities, greenwashing risk on sustainability disclosures |
| 4 | Supply Chain & Tariffs | Geopolitical volatility, tariffs, forced labor regulations reshaping sourcing |
| 5 | Regulatory Compliance Readiness | AI, sustainability, data privacy rules accelerating across jurisdictions simultaneously |
| 6 | Resilient Business | Boards demanding embedded resilience, not just documented response plans |
| 7 | Third-Party Risk Management | Complex partner/JV/fourth-party ecosystems + DORA and UK Critical Third Parties requirements |
A few of these deserve more than a table row.
Supply Chain & Tariffs is getting elevated attention because the combination of tariff volatility and forced labor legislation (UFLPA in the US, similar frameworks emerging in the EU) means supplier governance is now a legal liability issue, not just an operational one. Audit’s focus areas include supplier onboarding controls, ongoing ethical compliance monitoring, and cybersecurity of digital logistics platforms.
Third-Party Risk Management is being pushed by regulatory pressure as much as operational reality. DORA is now live for EU financial services. The UK Critical Third Parties framework is operational. US banking guidance is tightening. The common thread: regulators want to see that organizations have genuine visibility into their extended ecosystem — subcontractors, fourth parties, JV partners — not just a tier-one vendor list.
IT & Cyber Hot Topics#
| # | Topic | What’s Driving It |
|---|---|---|
| 1 | Vulnerability Management | AI-driven attacker tooling weaponizes exploits at machine speed |
| 2 | Identity & Access Management | Identity is now the primary attack entry point across cloud and hybrid environments |
| 3 | Quantum Computing | Quantum breakthroughs threaten current encryption standards — migration to quantum-safe crypto is urgent |
| 4 | OT/IT Convergence | IoT and industrial automation expose legacy OT infrastructure to modern cyber threats |
| 5 | Cloud Governance & Security | Hybrid/multi-cloud complexity, misconfiguration risk, data sovereignty requirements |
| 6 | APIs | Unmanaged API sprawl creates blind spots and unmonitored attack surface |
| 7 | Network Security | AI-powered attacks outpacing traditional perimeter-based defense models |
The quantum computing flag is the most forward-leaning item in the report. Most organizations haven’t started cryptographic migration planning, and the report positions this as already urgent — not a future concern. The specific focus areas are quantum readiness roadmaps, encryption transition governance, and third-party vendor readiness. The “harvest now, decrypt later” attack model (where adversaries collect encrypted data today to decrypt once quantum capability matures) is the underlying threat that makes this time-sensitive even before quantum computers are practical.
OT/IT convergence is worth watching if you’re in manufacturing, energy, utilities, or any sector with physical infrastructure. The convergence of operational technology and enterprise IT — while operationally efficient — means legacy industrial systems are increasingly reachable from the broader network. These systems were never designed with modern cybersecurity in mind, patching cycles are slow, and an outage can have physical safety consequences.
So What#
The throughline across every category in this report: AI accelerates every risk vector, in both directions. Attackers are using it to move faster; defenders have the same capability available but are slower to adopt it. Deloitte’s prescription for IA is to close that gap by becoming an early adopter of agentic AI internally while simultaneously building the governance muscle to audit it in the business.
The items I’d prioritize reading the full section on if you’re in audit or security leadership: agentic AI governance, TPRM regulatory requirements (especially DORA if you touch EU financial services), and quantum readiness — because that one has a longer lead time than most teams are accounting for.
Source: Deloitte, 2026 Internal Audit Hot Topics (January 2026)