What The New PCI AI Guidelines Reveal About The Future of Governance, Risk and Compliance (GRC)

What this low-key document reveals about where audit, governance, and AI are heading next — and why most organizations aren’t ready.

Photo by Neeqolah Creative Works on Unsplash

My friend recently worked with a company that started using an internal GenAI tool to help its security team generate audit summaries.

Sounded smart.

Until one day, the tool misinterpreted a critical control and flagged it as compliant — even though the system in question had no encryption at rest.

If that summary had been copy-pasted into the report without human review, it could have caused a compliance disaster.

And this isn’t an isolated case.
I’ve heard variations of this from QSA firms, internal audit teams, and even startups building AI tools for governance.

The same tool that saves time can also destroy trust — if you don’t treat it with respect.

Everyone Wants AI in Audits — But Few Are Ready for It

It’s 2025.
We all want AI to make audits faster, cleaner, and more scalable.
But let’s stop pretending we know what we’re doing with it.

The Payment Card Industry Security Standards Council (PCI SSC) just dropped a document that isn’t getting enough attention — but it should.

It’s called: “Integrating Artificial Intelligence in PCI Assessments – Guidelines, Version 1.0.”

https://blog.pcisecuritystandards.org/new-guidance-integrating-artificial-intelligence-into-pci-assessments

At first glance, it might seem like a niche piece of advice for QSAs.

But the real story?
This guidance is a sneak peek at how AI compliance will look in every regulated industry — not just payments.

AI is a Tool. Not Your Auditor.

The central message of the guidance couldn’t be clearer:

“AI is a tool, not an assessor.”

In other words, AI can assist.

But it can’t sign off. It can’t interpret gray areas. It can’t decide.

Yet many teams are already quietly letting GenAI draft major parts of audit documentation — some even go as far as letting it flag controls as passed or failed.

Let me be brutally honest:
That’s a shortcut with a very expensive price tag.

What the PCI Guidance Actually Says

Here are the real takeaways you need to know:

AI Can Be Used For:

• Reviewing documentation and evidence (logs, configs, policies).

• Generating first drafts of work papers or audit summaries.

• Transcribing and summarizing remote interviews.

• Suggesting phrasing for reports.

AI Can Never Be Used For:

• Making compliance decisions.

• Interpreting nuanced controls.

• Signing off reports.

• Replacing human assessors.

And every AI-generated output must go through manual validation and QA.

This isn’t about banning AI.
It’s about using it responsibly, transparently, and with clear oversight.

Client Consent Is Mandatory

One of the boldest parts of the guidance?

If you use AI in the audit process, you must:

• Inform the client,

• Get their explicit consent,

• And explain:

  • How their data will be used,

  • Where it will go,

  • Whether it will be used for training (spoiler: it shouldn’t),

  • What QA controls are in place.

This goes beyond ticking a checkbox.
You need to bake transparency into your audit methodology — or risk breaking trust before you even start.

Most Companies Are Skipping the Hard Parts

Here’s what I see in the real world:

• Teams are using GenAI to speed up control testing but have no idea how to validate outputs.

• Some are feeding sensitive evidence into commercial tools without checking where the data ends up.

• Nobody wants to write AI usage policies — because it feels like red tape.

But here’s the thing:
If you don’t define the rules now, the mistakes will define you later.

And PCI SSC is telling us: the future of compliance requires AI governance just as much as it requires control testing.

So, Where Is This All Going?

The PCI AI guidance may be narrowly scoped to cardholder data, but it's laying the blueprint for every compliance framework that will eventually address AI:

• SOC 2 and ISO 27001 are probably next in line to integrate AI oversight.

• And you can bet that NIST and EU regulators will formalize AI audit rules before long.

Bottom line?

If your audit process involves AI and you don’t have:

• Documented AI roles,

• Human validation steps,

• A QA program,

• Client communication,

• Data handling procedures...

You're not compliant with the direction this industry is heading.

What You Need to Do Now

Here’s your action plan:

1. Create an AI Usage Policy
   Outline what your audit teams can and cannot use AI for. Be specific.

2. Implement AI QA Checks
   Every AI-generated summary or suggestion should be manually validated — ideally by someone who didn’t build or configure the tool.

3. Get Legal and Compliance Involved
   Review where data is going, especially with third-party AI platforms. Stop feeding sensitive audit evidence into tools that train on input.

4. Educate Your Clients
   Be upfront about AI use. Show them your controls. Build trust before they ask.

5. Train Your Teams on AI Oversight
   This is a new skill. Auditors now need to know how to use AI and how to question it.

Final Thoughts

The PCI SSC’s AI guidance isn’t just about payments.

It’s about what responsible AI in compliance looks like — and how far most of us still have to go.

You can ignore it and wait for your first AI audit failure to blow up in your face.

Or you can get ahead of it — now.

Because the future of audit isn’t human or AI.
It’s human with AI — backed by clear policies, strict oversight, and uncompromising standards.

Just like compliance was always meant to be.

---

Thanks for reading this !

If the topic of GRC interests you then check out my course '‘PCI DSS 4.0 Compliance Masterclass - Foundation to Mastery”

This course is designed to provide a deep understanding of the entire PCI DSS audit process end to end

How To Get This Course

There are two ways you can get this course

• DISCOUNTED LINK: You can buy my course on Udemy with an early bird discount by clicking on this link (valid for 5 days)

• FREE: If you are a paid annual subscriber, you get it for FREE. Thanks for supporting this newsletter !

Just click on the link below to redeem the voucher and enroll in my new course

Do not forget to leave a review !