Automation Is Changing What Effective Control Actually Means

There was a time when effective controls were largely measured through process adherence.

Did approvals happen?

Was evidence retained?

Did the control operate during the testing window?

In many environments, that was enough.

But increasingly, organisations are operating in environments where the pace of change exceeds the pace of traditional assurance. Cloud platforms evolve continuously. Operational systems generate huge volumes of telemetry. AI-assisted tooling accelerates delivery and decision-making. Infrastructure and service dependencies shift dynamically.

Against that backdrop, the idea of "effective control" is beginning to change.

The organisations that are adapting most successfully are not necessarily adding more controls. They are building environments where controls generate observable evidence continuously as part of operations.

That distinction matters.

From static controls to observable behaviour

Traditional control models often rely heavily on periodic inspection:

Those approaches still have value, particularly in regulated environments. But they increasingly struggle to keep pace with operational reality.

This is especially visible in large infrastructure, utility, and regulated service environments, where resilience, continuity, and service stability are central governance concerns.

Regulators are moving in the same direction. The FCA's operational resilience framework emphasises firms' ability to remain within impact tolerances for important business services during severe disruption. DORA similarly focuses on ICT risk management, response capability, testing, recovery, and third-party risk.

The underlying theme is clear: organisations are increasingly judged not only on whether controls exist, but whether systems remain operational under pressure.

Why automation is becoming central

Automation changes assurance because it changes visibility.

Historically, many controls depended on people manually validating that activities had occurred correctly. In modern environments, systems themselves can increasingly generate evidence:

This allows organisations to move closer to continuous assurance models rather than relying exclusively on retrospective review.

The key shift is this:

The strongest controls are increasingly those that can demonstrate behaviour continuously rather than describe intention periodically.

But automation is not the answer on its own

There is also a risk in over-romanticising automation.

Poorly designed automation can create false confidence just as easily as manual controls can create blind spots.

Dashboards are a good example. Many organisations now have large quantities of operational data available, but visibility does not automatically equal understanding. A green dashboard does not necessarily mean a resilient environment.

Equally, automation introduces its own governance challenges:

This means governance maturity matters more than tooling maturity.

An automated control is only useful if the organisation understands what it is proving, who owns it, how exceptions are handled, and whether the evidence being produced is complete and reliable.

The environments adapting best

The organisations responding most effectively tend to share several characteristics.

They:

Importantly, they also understand that resilience is not achieved once.

Control environments require continuous adaptation as systems, dependencies, delivery models, and regulatory expectations evolve.

What this means for enterprise risk

This is changing the role of enterprise risk functions as well.

Risk management is moving closer to operational visibility, data interpretation, and dynamic governance. Increasingly, effective risk teams are not simply documenting risks after the fact. They are helping organisations understand how systems behave in practice.

That requires:

It also requires accepting that periodic assurance alone is no longer sufficient in fast-moving environments.

Closing perspective

Automation is not replacing governance.

It is changing what good governance looks like.

The future of effective control is unlikely to be defined by larger policy libraries or heavier review cycles. It will be defined by environments where controls are observable, resilient, and capable of adapting alongside operational change.

The question is becoming less:

"Was the control performed?"

And more:

"Can the organisation continuously demonstrate that the control environment is working?"
