Episode 105: Evaluating Risks of Emerging Technologies and Practices

Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
Emerging technologies present organizations with opportunities for innovation, efficiency, and competitive advantage. But these new tools and practices also introduce unfamiliar and often poorly understood risks. When technologies evolve faster than oversight mechanisms, organizations may adopt systems that lack adequate controls, legal frameworks, or monitoring capabilities. Auditors must evaluate these developments not from a place of fear—but from a place of informed curiosity and risk awareness. Early adoption often means relying on vendor claims or developer assumptions, with minimal standardization or historical data. For CISA candidates, questions related to artificial intelligence, blockchain, IoT, and DevOps are increasingly common. The role of the auditor is not to hinder innovation, but to help organizations adopt new technologies responsibly—by assessing emerging risk profiles and recommending governance strategies that evolve with the environment.
Several emerging technologies are particularly relevant today. Artificial Intelligence and Machine Learning systems are being integrated into decision-making, automation, and security operations. Blockchain and distributed ledger technologies are being explored for supply chain, finance, and identity management applications. The Internet of Things and edge computing expand the boundary of enterprise data collection, bringing intelligence to the far edge of the network. Quantum computing, though still nascent, poses a potential threat to existing encryption methods, prompting early risk planning. Other areas to watch include 5G connectivity, virtual and augmented reality, and the rise of low-code or no-code development platforms. Each of these technologies introduces new architecture, new data flows, and new dependencies. CISA exam questions may not require technical depth—but they will test your understanding of the risks and governance needs that accompany adoption.
Emerging technologies tend to share several common risk patterns. First, they often lack clear regulatory frameworks or widely adopted best practices. This makes compliance assessments challenging and introduces ambiguity about responsibilities. Second, these technologies may expose new attack surfaces—interfaces or processes not yet hardened against malicious behavior. Third, they often come with third-party tools that are difficult to evaluate, leading to over-reliance on vendor claims or solutions with limited transparency. Fourth, issues like algorithmic bias, data privacy, or model governance can create business and reputational risks that technical audits alone cannot detect. Lastly, many of these solutions are adopted in silos—by innovation teams or external partners—without being fully integrated into enterprise governance. For auditors, the challenge is not to wait until standards mature, but to anticipate where oversight is needed and help shape internal controls before risks scale.
Artificial intelligence systems present a range of unique audit concerns. One of the most significant is algorithmic bias, where models trained on historical or incomplete data produce unfair or discriminatory outcomes. Without transparency into how models make decisions, organizations may find themselves unable to explain or defend their outputs—a concept known as the “black box” problem. Auditors must evaluate whether model decisions are explainable and whether training data is validated for quality, completeness, and bias. Another concern is data poisoning, where attackers manipulate training data to influence future outcomes. Over time, models may also drift, reducing accuracy or alignment with regulatory expectations. Governance should include documentation of training sources, version control for model updates, and review of performance metrics. On the CISA exam, candidates may be tested on AI risk categories, governance structures, or impact assessments for systems that make autonomous decisions.
Blockchain and distributed ledger technologies create new data assurance opportunities—but also new risks. One strength of blockchain is its immutability, meaning data cannot be altered after it is recorded. But this also means that mistakes, errors, or inappropriate entries are permanent unless complex corrections are agreed upon across the network. Smart contracts—automated scripts that execute on the blockchain—can contain flaws that lead to financial loss or exploitation if not independently reviewed. Auditors must also consider key management, as private keys control access and, if lost or stolen, may be unrecoverable. Governance of the blockchain network—such as who maintains nodes and who resolves disputes—can be unclear, especially in decentralized environments. The CISA exam may include questions about the auditability of blockchain data, limitations of smart contract validation, or risks associated with immutability and decentralized trust.
The Internet of Things and edge computing introduce risk through massive scale, physical insecurity, and minimal built-in controls. Many IoT devices are inexpensive, deployed in large numbers, and lack the ability to be patched or updated reliably. They often ship with default credentials, unencrypted communications, and limited logging functionality. Because they sit outside the traditional data center, monitoring and inventory become difficult—especially when devices are mobile or embedded in field equipment. Edge computing, which processes data near the device rather than sending it back to a central location, introduces additional complexity. Auditors must evaluate how these devices are segmented from core infrastructure, whether secure provisioning processes exist, and whether lifecycle security is considered—from deployment through to retirement. CISA candidates should be prepared to assess the risks of unmanaged endpoints and the control limitations of constrained devices operating in untrusted environments.
Cloud-native technologies and DevOps practices, while not new, represent a major shift in how organizations develop and deploy systems. Continuous integration and continuous deployment pipelines mean that changes can occur daily, hourly, or even continuously—challenging traditional control points such as change approval boards. Infrastructure as Code allows teams to define systems in text and deploy entire environments with scripts, but this requires version control, secure storage, and automated testing. In fast-moving environments, misconfigurations or overlooked security settings can persist unnoticed. Additionally, many organizations misunderstand shared responsibility models—assuming cloud providers manage security end to end, when in fact customers are responsible for significant portions of the stack. Auditors must assess whether governance keeps up with deployment speed and whether security is integrated into DevOps workflows. On the CISA exam, candidates should be ready to evaluate configuration risk, control automation, and security ownership in cloud-native systems.
Dependencies on third-party services and open-source components are growing rapidly. From SaaS applications to code libraries, few organizations build everything from scratch anymore. This introduces software supply chain risk—where vulnerabilities in dependencies compromise the security of enterprise systems. High-profile examples include the SolarWinds breach and vulnerabilities in Log4j. Licensing, patching, and provenance of open-source components are often overlooked. Many organizations rely on vendor assurances without validating whether proper security and development practices are followed. Auditors must evaluate how external services are vetted, how third-party code is tracked, and whether vulnerability management extends to dependencies. Code scanning, software composition analysis, and vendor due diligence are essential. On the exam, CISA candidates may be asked to identify gaps in third-party security or recommend ways to monitor risk across external platforms and libraries.
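As an added illustration of the software composition analysis step mentioned above (this is example code, not material from the episode or from Bare Metal Cyber), the following Python sketch matches a dependency inventory against an advisory feed using version ranges; all package names, versions and advisory ids below are constructed placeholders.

```python
"""Minimal software composition analysis (SCA) check (added example).

Assumptions, not from the episode: the dependency inventory is a list of
(name, version) pairs, and advisories give an inclusive 'introduced' version
and an exclusive 'fixed' version. Versions are compared as dotted tuples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed placeholder, not a real CVE id
    package: str
    introduced: str           # first affected version (inclusive)
    fixed: Optional[str]      # first fixed version (exclusive); None = no fix yet


def parse_version(v: str) -> tuple:
    """'2.14.1' -> ((1,2),(1,14),(1,1)); non-numeric parts sort before numbers."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan_inventory(inventory: List[Tuple[str, str]],
                   advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (package, version, advisory_id, remediation) for each match."""
    by_pkg = {}
    for adv in advisories:
        by_pkg.setdefault(adv.package, []).append(adv)
    findings = []
    for name, version in inventory:
        for adv in by_pkg.get(name, []):
            if is_affected(version, adv):
                fix = (f"upgrade to >= {adv.fixed}" if adv.fixed
                       else "no fix published; apply a compensating control")
                findings.append((name, version, adv.advisory_id, fix))
    return findings


# Constructed sample data: placeholder packages, versions and advisory ids.
ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "logging-lib", "2.0", "2.15.0"),
    Advisory("ADV-EXAMPLE-002", "logging-lib", "2.15.0", "2.17.1"),
    Advisory("ADV-EXAMPLE-003", "yaml-parser", "1.0", None),
]
INVENTORY = [("logging-lib", "2.14.1"), ("logging-lib", "2.17.1"),
             ("yaml-parser", "1.4"), ("http-client", "3.2")]

if __name__ == "__main__":
    for finding in scan_inventory(INVENTORY, ADVISORIES):
        print(*finding)
```

The same matching logic works against a real SBOM and advisory feed once the inventory and advisory records are loaded from those sources; an auditor would look for evidence that such a scan runs on every build and that findings with no published fix are tracked to a compensating control.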
Auditing the unknown requires a mindset shift. When formal standards do not yet exist, auditors must use principles-based frameworks such as NIST’s guidance on emerging risk or the COBIT framework to structure their evaluations. Technology pilots or innovation labs should be subject to technology risk assessments that examine data flows, access control, resilience, and privacy impact. Governance should be embedded early in the adoption cycle, even if controls are interim. For example, assigning a single point of accountability, documenting data collection practices, or setting limits on system autonomy may provide initial safeguards. As standards evolve, governance can mature. Auditors should work with business leaders and technologists to balance agility with accountability. On the CISA exam, candidates may be asked to plan audits for emerging areas where no formal checklist exists. Being able to ask the right questions, even without precedent, is a critical auditor skill.
For CISA candidates, evaluating risks of emerging technologies means looking beyond existing control checklists. You must assess how technologies like artificial intelligence, blockchain, IoT, and cloud-native platforms introduce new dependencies, data flows, and attack surfaces. Expect questions on governance models, control responsibilities, and vendor risk. You may also be asked to recommend audit approaches for unregulated or fast-evolving systems. In this space, auditors add value not by controlling every detail, but by ensuring visibility, accountability, and early risk mitigation. Emerging technology audits are forward-looking—they help organizations innovate with confidence. By balancing flexibility with control, and curiosity with rigor, auditors ensure that tomorrow’s technologies do not become tomorrow’s liabilities.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.