How should risks from emerging technologies such as IoT, OT, and AI influence cybersecurity audit planning?

Emerging technologies create new risk landscapes that require auditors to expand beyond traditional IT controls. IoT devices and OT systems introduce a vast, diverse attack surface, with insecure-by-design tendencies and real-world safety implications that can disrupt operations. AI adds concerns around data governance, privacy, model integrity, and lifecycle management, including potential data leakage and adversarial manipulation. Because of these nuances, audit planning must map these unique threats, uncover governance and risk-management gaps, and design procedures that specifically assess how these technologies are secured and sustained over time. This means building tests and checks that cover asset discovery, secure development and supply chain practices, access controls, continuous monitoring, incident response capabilities, and resilience measures, ensuring controls are effective in practice, not just in theory. Ignoring IoT and AI, assuming they are secure by default, or sticking only to existing standards compliance would miss critical risk areas and leave the organization vulnerable.