
Internal Auditors: Celebrate and Safeguard Your Independence Every Day
July 4, 2025

As internal auditors and risk professionals, we are trained to scan the horizon for looming threats. Every year, headlines are filled with familiar risks—cybersecurity, economic volatility, geopolitical unrest, regulatory change. These are important, and rightly command our attention. But what about the risks that aren’t dominating the headlines? The ones that aren’t part of boardroom agendas, risk registers, or scenario planning models?
In my experience, the most dangerous risks are often those that catch us by surprise—not because they were unpredictable, but because we weren’t scanning the horizon in the right places. As I look ahead to the coming year, I believe there are several potential or emerging risks that are largely absent from mainstream dialogue. These are the quiet risks—subtle in nature, yet capable of profound disruption.
Here are five key risks in the year ahead that, in my view, aren’t getting the attention they deserve:
1. “Compliance Fatigue” Within Organizations
In an era of expanding regulations and growing scrutiny, organizations have invested heavily in compliance functions. While this is commendable, I’m seeing signs of what I call compliance fatigue—a growing weariness and even apathy among employees toward the sheer volume of policies, training, and monitoring that’s become part of the daily grind.
What makes this dangerous is the complacency it breeds. Employees who are overwhelmed or disengaged may start treating compliance as a box-checking exercise—or worse, ignore it altogether. This is especially concerning in sectors with high regulatory exposure like finance, healthcare, and manufacturing.
Internal audit must be attuned to this risk. We should assess not just whether compliance programs exist, but whether they are effective, understood, and embraced across the organization. The greatest compliance risk isn’t always the absence of a control—it’s the erosion of a culture that supports it.
2. The Decline of Institutional Knowledge
In the wake of the pandemic and the rise of hybrid work, many organizations have undergone massive workforce shifts. Baby boomers are retiring at record levels. Younger generations are changing jobs more frequently than ever. What’s being lost in the process is institutional knowledge—the nuanced, experience-based understanding of how things really work inside an organization.
This erosion of corporate memory poses significant risks, particularly when it comes to decision-making, crisis response, and continuity. When people leave, they take undocumented knowledge with them. And if that knowledge isn’t captured, organizations become vulnerable to operational missteps and strategic blind spots.
Internal auditors should be asking: How is knowledge being retained and transferred? Are there succession plans in place? Are critical processes and relationships well documented? This is not just a human resources concern—it’s a risk that could undermine performance and resilience. Of course, we should admit that the erosion of institutional knowledge is a risk to internal audit itself.
3. False Confidence in AI and Automation
Artificial intelligence and automation are transforming the way organizations operate—and that transformation brings immense potential. But it also brings a subtle and underappreciated risk: false confidence.
As AI tools are deployed in areas like fraud detection, credit scoring, hiring, and operational decision-making, there’s a temptation to believe the technology is infallible. But AI is only as good as the data it’s trained on and the assumptions built into its algorithms. Biases can creep in. Errors can go unnoticed. And accountability can become diffused.
The risk isn’t the use of AI—it’s the overreliance on it without sufficient oversight. Internal audit has a vital role to play here. We must ensure governance frameworks for AI are robust, that risk and compliance teams are involved in deployment decisions, and that there are controls in place to detect and correct unintended consequences.
AI is a powerful tool—but like any tool, it must be wielded with care and human judgment.
4. The Fragility of Organizational Culture in Remote and Hybrid Workplaces
The shift to remote and hybrid work models has brought flexibility and efficiency, but it has also fragmented the cultural fabric of many organizations. Employees are less connected. Informal communication channels have weakened. And new hires may struggle to absorb values and norms through a screen.
The danger is subtle but real: a weakening of organizational culture. Culture, after all, is the glue that holds an enterprise together. It drives behavior, ethics, innovation, and loyalty. When culture erodes, so too does risk awareness, accountability, and employee engagement.
Internal audit should be monitoring this risk carefully. Are employees aligned with the organization’s values? Is management effectively reinforcing the desired culture in virtual settings? Are ethical breaches or conduct issues on the rise?
Culture isn’t intangible—it’s auditable. And in the year ahead, auditing culture may be more important than ever.
5. Risk Blindness at the Board Level
In my conversations with board members and audit committees, I’ve observed a troubling pattern: many boards are still framing their risk oversight through a pre-pandemic lens. They are focused on traditional enterprise risks, but may not be fully attuned to the new risk landscape emerging in today’s volatile environment.
The risk here is risk blindness—the failure to see emerging threats because they don’t fit familiar models or past experiences. Boards may overlook reputational risks tied to ESG issues, underestimate the volatility of geopolitical conflicts, or fail to understand the second-order impacts of supply chain disruptions or regulatory upheaval.
Internal audit and risk professionals must help boards elevate their foresight. That means providing not just assurance, but insight and anticipation. It means surfacing weak signals, challenging assumptions, and connecting the dots across functions and geographies. It’s time to move from risk registers to risk radars.
Final Thoughts
Not every risk we face in the coming year will be broadcast in a headline or cited in an analyst report. The quiet risks—the ones hiding in plain sight—are often the most insidious. As internal auditors, our mandate is not simply to react, but to anticipate. Not just to find what’s broken, but to question what’s missing.
The five risks I’ve outlined—compliance fatigue, loss of institutional knowledge, overconfidence in AI, cultural fragility, and board-level risk blindness—may not be on everyone’s radar. But they should be. Because in a world of accelerating change and compounding uncertainty, it’s not just the known risks that will challenge us—it’s the ones we didn’t see coming.
Let’s be the ones who do see them.
I welcome your comments via LinkedIn or Twitter (@rfchambers).