§60 · Lane 2 — AI Audit and Accountability

ISACA COBIT 2019 (AI & Enterprise Governance): the audit profession's control framework, applied to AI governance

ISACA (2019) · ISACA COBIT 2019

Standard Tier 1 Lane 2 Stable URL

Bibliographic data

Title
ISACA COBIT 2019 — Governance and Management of Enterprise IT (control-objective framework)
Authors / Issuing body
ISACA (Information Systems Audit and Control Association)
Venue / Publisher
ISACA, Schaumburg, Illinois
Year
2019
Designation
Standard
Licence
Stable URL — refer to publisher for full licence terms.

How to cite

ISACA (2019). ISACA COBIT 2019 — Governance and Management of Enterprise IT (control-objective framework). ISACA, Schaumburg, Illinois. https://www.isaca.org/resources/cobit.

ISACA's enterprise-governance-of-IT framework: 40 governance and management objectives across five domains — the EDM governance domain (Evaluate, Direct and Monitor) plus four management domains (APO, BAI, DSS, MEA) — linked to enterprise goals through a goals cascade. It is the control framework the audit profession measures IT governance, and increasingly AI governance, against.

Why it matters for NETEVO

COBIT 2019 is the framework the audit profession actually tests governance against — the control-objective language ISACA, CISA-certified auditors, and internal audit functions apply when they examine how an enterprise governs its IT, and now its AI. For an organisation preparing for an AI assurance review, that makes COBIT the measuring stick, not a nice-to-have.

It completes the audit spine, from board to control. Where the Three Lines model names who is accountable, COBIT names what each line is measured against: governance and management objectives, each carrying practices, activities, and metrics. Its EDM domain (Evaluate, Direct and Monitor) is the established machinery on which a governing body's AI-specific duties actually run — the duties ISO/IEC 38507 overlays for AI. Citing the two together connects the AI-governance standard to the enterprise-governance framework boards already operate.

Its goals cascade is the recognised form of the NETEVO Law-to-Code Methodology. The cascade — enterprise goal to alignment goal to governance objective to practice to metric — is the same "encode obligations into auditable, evidenced controls" pattern, authored by the audit profession rather than asserted by us. NETEVO operationalises that cascade for AI: each AI obligation delivered as a control inside the COBIT machinery an organisation already runs, emitting the evidence an auditor expects rather than an attestation produced after the fact.
