This article argues that frontier artificial intelligence (AI) developers need an internal audit function. First, it describes the role of internal audit in corporate governance: internal audit evaluates the adequacy and effectiveness of a company's risk management, control, and governance processes. It is organizationally independent from senior management and reports directly to the board of directors, typically its audit committee. In the IIA's Three Lines Model, internal audit serves as the third line and is responsible for providing assurance to the board, while the Combined Assurance Framework highlights the need to coordinate the activities of internal and external assurance providers. Next, the article provides an overview of key governance challenges in frontier AI development: dangerous capabilities can arise unpredictably and undetected; it is difficult to prevent a deployed model from causing harm; frontier models can proliferate rapidly; it is inherently difficult to assess frontier AI risks; and frontier AI developers do not seem to follow best practices in risk governance. Finally, the article discusses how an internal audit function could address some of these challenges: internal audit could identify ineffective risk management practices; it could ensure that the board of directors has a more accurate understanding of the current level of risk and the adequacy of the developer's risk management practices; and it could serve as a contact point for whistleblowers. In light of rapid progress in AI research and development, frontier AI developers need to strengthen their risk governance. Instead of reinventing the wheel, they should follow existing best practices. While this might not be sufficient, they should not skip this obvious first step.

翻译：本文主张前沿人工智能（AI）开发者需要建立内部审计职能。首先，文章阐述了内部审计在公司治理中的作用：内部审计评估公司风险管理、控制及治理流程的充分性与有效性。它在组织上独立于高级管理层，直接向董事会（通常是其审计委员会）汇报。在国际内部审计师协会的“三道防线”模型中，内部审计作为第三道防线，负责向董事会提供保证；而综合保证框架则强调需要协调内部与外部保证提供者的活动。接着，文章概述了前沿人工智能开发中的关键治理挑战：危险能力可能以不可预测且未被察觉的方式出现；难以防止已部署模型造成损害；前沿模型可能快速扩散；评估前沿人工智能风险本身具有固有难度；且前沿人工智能开发者似乎未遵循风险治理的最佳实践。最后，文章探讨了内部审计职能如何应对部分挑战：内部审计可识别无效的风险管理实践；确保董事会更准确地理解当前风险水平及开发者风险管理实践的充分性；并可作为内部举报者的联络点。鉴于人工智能研发的快速进展，前沿人工智能开发者亟需加强风险治理。与其重复造轮，他们应遵循现有的最佳实践。尽管这可能仍不足够，但他们不应跳过这一显而易见的首要步骤。