Built for the office of the Chief Audit Executive
Purpose-built AI agents, each with a mandatory human gate
Immutable ledgers — every number to a source, every change to a person
Model arithmetic — every score computed in code at temperature 0
Of AI answers cited to evidence or explicitly refused
Continuous risk sensing
Risk doesn’t wait for the annual plan
Every audit function wants to assess risk continuously. Resources and technology make it impractical — so the assessment collapses into a once-a-year ritual that’s stale the day it’s approved. Meanwhile risk arrives at a velocity the annual cycle was never built to track.
Geopolitical instability
Sanctions, elections, trade realignments and policy shocks redraw the risk map between planning cycles.
Armed conflict & supply shocks
Wars and disrupted supply chains create third-party, concentration and continuity exposures overnight.
Climate & extreme weather
Floods, fires and storms turn dormant operational and resilience risks into live ones with little warning.
Technology & the velocity of AI
A landscape that shifts monthly — AI adoption above all — opens new exposures faster than any yearly assessment can capture.
The aspiration
Sense risk continuously
A living view of enterprise risk — revisited as events break, not reconstructed from a blank page twelve months later.
The constraint
Capacity, not will
Re-running the assessment by hand is a quarter-long project no audit team has the people or the tooling to repeat on demand.
The enabler
Northstar IQ removes both
Because the model does the assembling, re-assessing isn’t a project — it’s a re-run. The plan becomes a document you adapt the moment the risk environment shifts.
Agility is the payoff: an audit plan that bends to a fast-changing risk landscape instead of locking in last year’s priorities — and every re-assessment stays cited, logged, overridable, and defensible.
The continuous-assessment dividend
The mandate
From brute force to augmented judgment
Northstar IQ doesn’t change what internal audit is accountable for. It changes where the team spends its judgment.
Today’s world
Manual effort & ad hoc AI
- Risk assessment rebuilt by brute force once a year — stale the day it’s approved, with no capacity to revisit it as the world moves.
- Ad hoc ChatGPT: ungoverned, un-logged, un-cited, unrepeatable. No defensible trail.
- Source data pasted into consumer tools with no tenancy or ownership guarantee.
- Scarce hours consumed producing the plan, leaving little time to challenge it.
Tomorrow’s world
Northstar IQ automates the assessment
- The model drafts the risk register, entity scores, plan, coverage story, and committee narrative — every output a citable, overridable draft.
- The team redirects its energy to the two things only humans own: the quality of the inputs and challenging the outputs.
- Reassess continuously, not once a year — re-run the moment risk shifts and adapt the plan, with the same defensible trail.
- The most efficient, risk-aligned, and agile audit plan the function can produce — defensible to the cent and to the person.
Why Northstar IQ
Three commitments, enforced in the architecture
Not policy left to discipline — mechanisms built into the platform.
Automate the production, elevate the judgment
Defensible by construction
You own the data and the model
The override regime
Every AI output is a draft until a human decides
The draft-to-decision lifecycle is the heart of the platform — and the reason an audit committee can rely on it.
AI draft
An agent proposes a risk, an entity score, or a plan project — with citations.
Reviews
Accept · edit · dismiss. Auditor judgment is applied, never delegated.
Override recorded
Before, after, rationale, person, time — captured as a first-class object.
Defensible record
Every number traces to a source; every change traces to a person.
A cycle with zero overrides is a red flag — it suggests rubber-stamping, not skepticism. The override register is positive evidence that human judgment was applied to the model’s work.
See it in the product
The AI-draft badge is a first-class citizen
The interface always distinguishes an AI draft from a human-approved record. Scores move through a visible lifecycle — AI draft → accepted → edited / overridden — so anyone, including the committee, can see exactly where judgment was applied.
- Composite scores computed in code — the model proposes the 1–5 values and the rationale.
- Overrides captured with before/after, rationale, and owner.
- Reweighting the factor model never silently rescores accepted assessments.
Enterprise risk register
Top risks — FY26 planning cycle
Composite score = impact × likelihood × velocity, computed in code at temperature 0. The model proposes the 1–5 values and the rationale.
Model value: 4
Human value: 3
Rationale: Compensating controls implemented in Q1 reduce likelihood; verified against change tickets CHG-2231/2240.
A. Rivera, Audit Manager · 13 Jun 2026
Total traceability
Three immutable ledgers make every decision reconstructable
Where ad hoc ChatGPT left no trail, Northstar IQ leaves a complete one — years later.
AI Interaction Ledger
What did the model say, when, on which model?
Every prompt and response is persisted with the agent, model & version, prompt hash, token counts, latency, and cost in USD — attributed to the acting user.
Override Register
Where did we exercise judgment over the model?
Every human change to an AI value, with model value, human value, rationale, person, and time. A cycle with zero overrides is a red flag, not a gold star.
Immutable Audit Log
What changed in the record, and who changed it?
Every data mutation is recorded with full before/after JSON diffs, written fire-and-forget so it never blocks a request and never silently fails.
The reconstruction test. For any output Northstar IQ ever produced, the function can reconstruct the inputs, the model and settings, the output, the human decision, and every subsequent change. If any link is missing, the output is not defensible — and must not be relied upon for an audit opinion.
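The reconstruction test above, written as a check over records from the three ledgers. This is an added sketch, not Northstar IQ's code: the record layout, field names, evidence ID, model name and the impact and velocity values are constructed, while the likelihood override from 4 to 3 follows the sample register entry on this page.

```python
# Added example. Field names and records are constructed, not Northstar IQ's schema.
REQUIRED = {"interaction": ("inputs", "model", "version", "temperature", "output"),
            "decision": ("action", "person", "time")}

def composite(impact, likelihood, velocity):
    """Composite = impact x likelihood x velocity, from integer 1-5 factors only."""
    for v in (impact, likelihood, velocity):
        if type(v) is not int or not 1 <= v <= 5:
            raise ValueError(f"factor outside 1-5: {v!r}")
    return impact * likelihood * velocity

def missing_links(interaction, decision, changes, current):
    """List every gap that makes an output non-reconstructable ([] = defensible)."""
    gaps = []
    for name, rec in (("interaction", interaction), ("decision", decision)):
        if not rec:
            gaps.append(f"{name}: record absent")
            continue
        gaps += [f"{name}: {f} missing" for f in REQUIRED[name]
                 if rec.get(f) in (None, "", [])]
    if decision and decision.get("action") != "accept" and not decision.get("rationale"):
        gaps.append("decision: change without rationale")
    # Replay the audit log's before/after diffs from the model output to today.
    state = (interaction or {}).get("output")
    for i, change in enumerate(changes):
        if change["before"] != state:
            gaps.append(f"audit log: change {i} does not follow the prior state")
            return gaps
        state = change["after"]
    if state != current:
        gaps.append("audit log: current record not explained by logged changes")
    return gaps

# Constructed sample: likelihood overridden from 4 to 3, as in the register entry above.
MODEL_OUT = {"impact": 4, "likelihood": 4, "velocity": 2}
INTERACTION = {"inputs": ["EV-001"], "model": "example-model", "version": "1",
               "temperature": 0, "output": MODEL_OUT}
DECISION = {"action": "override", "person": "A. Rivera", "time": "2026-06-13",
            "rationale": "Compensating controls reduce likelihood"}
CURRENT = {**MODEL_OUT, "likelihood": 3}
CHANGES = [{"before": MODEL_OUT, "after": CURRENT}]

if __name__ == "__main__":
    print(composite(**MODEL_OUT), "->", composite(**CURRENT))   # model vs. human score
    print(missing_links(INTERACTION, DECISION, CHANGES, CURRENT))
    print(missing_links(INTERACTION, DECISION, [], CURRENT))    # unlogged edit
```

An empty list means every link is present; an edit to the record that bypassed the audit log shows up as a current value that the logged diffs cannot explain.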
Questions audit leaders ask
Frequently asked
Can Northstar IQ support continuous risk assessment?
Yes — enabling continuous risk assessment is its purpose. Because AI drafts the risk register, entity scores, and plan, re-assessing is a re-run rather than a quarter-long manual project. The audit function can re-sense risk whenever the environment shifts — a geopolitical shock, a climate event, a new AI exposure — and adapt the plan accordingly, while every re-assessment stays cited, logged, overridable, and reconstructable.
What is governed AI for internal audit?
Governed AI for internal audit is an approach where every AI-generated artifact — a risk score, an audit plan, a board narrative — is created as a draft with no authority until a human accepts, edits, or overrides it. Northstar IQ enforces this in the platform: AI proposes qualitative judgments while deterministic code computes every number, and every output is cited, logged, and reproducible.
Does Northstar IQ let an AI model decide audit outcomes?
No. The model never finalizes a risk rating, publishes a number, or sets the plan on its own. Auditors and the Chief Audit Executive own every decision through explicit human gates. Accountability for the audit plan and its risk judgments never transfers to the model or its vendor.
How does Northstar IQ prevent AI hallucinations in audit work?
Three mechanisms: answers must cite their evidence by ID or explicitly refuse; all arithmetic is computed in deterministic code at temperature 0, never by a language model; and answers are validated against an adversarial test set. A plausible but uncited answer is treated as a defect, not a feature.
Who owns the data in Northstar IQ?
The Chief Audit Executive. Data is org-scoped by construction, exportable in full on demand, encrypted, and never used to train third-party models. The CAE also configures the risk-factor model, its weights, and its scale anchors.