As new technologies continue to emerge, auditors face increasingly novel challenges that require proactive coordination with IT and legal teams to develop temporary policies for the integration of digital proxies and artificial intelligence (AI) avatars. Auditing professionals must advocate for continuous third-party risk assessments to ascertain the sensitivity of data processed through spatial computing technologies. Additionally, there is a pressing need for organizations to create codes of conduct for virtual environments. This involves clearly documenting the ownership of proxies and avatars to ensure that these technologies are ethically managed and comply with regulatory guidance. Determining the legal and functional intent of digital proxies has become the responsibility of internal auditors and there is a growing need to develop a roadmap for managing this technology by leveraging telemetry logging and contextual authentication. Organizations that follow this roadmap will be poised to deal with the rapidly evolving future of data governance.
The Rise of the Digital Proxy
The integration of digital proxies and spatial computing into modern business processes has widened the human management gap. Technology-mediated avatars and digital proxies do not conform to conventional identity and access management (IAM) guidelines. For example, Microsoft’s Copilot AI can complete the same tasks as human workers but often with fewer access permissions and greater speed. Adding to the complexity, virtual surrogates may work across various time zones or even rely on agentic AI to complete more complex administrative duties. This growing landscape will only become more complex with time. Security professionals must understand that these identities are not stable and cannot be tied to audit nonrepudiation rules because electronic trails are no longer strictly confined to physical bodies.
Though the first wave of hype around the metaverse1 has largely subsided, organizations have been privately adopting major spatial technologies, including:
- Digital twins—Virtual copies of physical objects, processes, or individuals that are updated continuously with live data2
- Avatars—Graphical abstractions that users can operate in a virtual world3
The effect of this technological shift in the workplace is the emergence of the digital proxy. A digital proxy is a simplified artificial representation of an individual or entity in a spatial computing environment. This proxy can be managed by a human or an AI agent, and can speak, decide, and act on behalf of the individual or entity.4
A digital proxy can be used for various tasks, including remote cross-time-zone work, agentic task delegation, or virtual collaboration with humans or AI robots. Systems of governance must be expanded to accommodate these useful but complex proxies, curb unauthorized access, and reduce organizational responsibility in a decentralized digital world.5 Moreover, security professionals must understand that the long-term challenges of not closing this gap include regulatory and fraud risk.
Representing Identity in Spatial Environments
Spatial computing refers to the application of immersive three-dimensional (3D) digital spaces in which humans and proxies can engage, conduct business, and cooperate.6 A physical user usually obtains enterprise access through multifactor authentication (MFA), a biometric scan, or both. In the case of spatial computing, however, it may be more efficient to create proxies that can be carried across time zones or are supplemented by agentic AI to complete daily administrative tasks. Yet automation, combined with other factors such as role sharing and deliberate delegation, can weaken the reliability of audit trails. This severs the connection between a digital identity and a specific person.7 Internal auditors must also be conversant with their organization’s IAM policies, since high-fidelity digital images, including avatars and 3D object assets, have legal and functional consequences in such spaces. Furthermore, identity spoofing and unauthorized movement through high-risk virtual realms are real concerns for auditors. To prevent unauthorized delegation and identity spoofing, organizations should use continuous behavioral analytics to track the behavior patterns of avatars and proxies in real time and report unusual entities. Auditors must regularly reconcile the actions of the digital identity with physical access records to ensure accountability trails are intact and verifiable.
Copilot AI and Segregation of Duties
AI copilots are AI assistants that can take on the professional functions typically performed by human workers within a spatial computing environment.8 One of the most complex auditing problems this creates is the risk of segregation of duties (SoD) failure (e.g., a junior engineer uses a digital proxy via to perform an action they do not have the authorization for).
When an AI copilot operates autonomously, it can assist the digital proxy in bypassing internal checks that would typically need additional human verification.9 To prevent this, organizational policy should mandate granular logging, in which the system clearly identifies which directives were issued by humans and which by autonomous tools, as shown in figure 1. For auditors, this means implementing identity-plus verification, in which the context of the action is as important as the access credential used to log in.
Figure 1—Governance Gap Analysis to Account for Digital Proxies
| Governance Area | Traditional Control (Human-Centric) | Digital Proxy Gap | Audit and Governance Strategy |
|---|---|---|---|
| Identity verification | Access controls (MFA, biometrics) are assigned to a single individual. | A single ID can run or share digital avatars with the aid of agentic AI. | Contextual authentication identifies the type of operator (human versus AI). |
| Access rights | Role-based access control (RBAC) is allowed for every employee. | AI-enhanced avatars can perform functions beyond the capabilities or authority of a human user. | Human in the loop triggers can be used for high-risk actions under dynamic authorization. |
| Segregation of duties (SoD) | Approval and execution tasks are designed to separate the initiation and authorization of a transaction from its physical or logical control. This means that the person who starts and approves the transaction does not also have direct control over its execution. | The SoD boundary may be unclear because the AI copilot can automate a series of actions in both processing and implementation. | AI guardrails (e.g., role-based action limits, human in the loop approval conditions) can be deployed for high-risk operations. Real-time anomaly alerts are also useful, but they must be cross-checked against domains and digital twins.10 |
| Accountability | Digital signatures or personal logs provide nonrepudiation. | Interventions by an AI agent on behalf of a human generate legal uncertainty and risk. | Policies should account for proxy ownership. This involves designating a human being as the legal owner of proxy decisions. |
| Audit evidence | Text-based system logs, i.e., traditional access logs, timestamps, and transaction records, capture who did what, when, and where. | Logs do not account for verbal cues or 3D object telemetry. | Telemetry-based logging can be implemented to record 3D interactions and AI prompts. |
Establishing an Audit Trail for Virtual Environments
A healthy audit trail in a virtual environment requires forgoing the traditional text-based system of recordkeeping in favor of more complex, multidimensional recording systems. One of the first actions professionals can take is to emphasize transparency and observability as organizational values and to log every event that occurs in the virtual environment. This documentation should be visible, traceable, and, eventually, identifiable to a human being or proxy.10 Spatial logging, the process of recording actions and interactions among digital surrogates operating in the same virtual space, can be employed in such instances. The advantage of spatial logging lies in its ability to address 4 core questions effectively: who, when, where, and what. With the help of precise spatial logging within security information and event management (SIEM) systems, organizations will be able to track every aspect of the virtual world.11
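The following added example (not part of the original article and not an ISACA or vendor schema) sketches how a spatial log record answering who, when, where, and what could be reviewed for the gaps listed in figure 1: a missing legal owner, a high-risk AI action without human in the loop approval, and an SoD failure in which one owner initiates and approves through different proxies. All field names, rule names, and events are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events; the who/when/where/what field names are assumptions.
SAMPLE_LOG = """\
{"when":"2026-02-03T09:14:02Z","who":{"proxy":"avatar-17","owner":"jdoe","operator":"human"},"where":"finance-room/desk-2","what":{"action":"initiate","txn":"T-1001","risk":"high"}}
{"when":"2026-02-03T09:14:40Z","who":{"proxy":"copilot-17","owner":"jdoe","operator":"ai_agent"},"where":"finance-room/approval-kiosk","what":{"action":"approve","txn":"T-1001","risk":"high"}}
{"when":"2026-02-03T10:02:11Z","who":{"proxy":"avatar-22","owner":"asmith","operator":"human"},"where":"finance-room/desk-4","what":{"action":"initiate","txn":"T-1002","risk":"high"}}
{"when":"2026-02-03T10:05:37Z","who":{"proxy":"avatar-31","owner":"mlee","operator":"human"},"where":"finance-room/approval-kiosk","what":{"action":"approve","txn":"T-1002","risk":"high"}}
{"when":"2026-02-03T11:30:00Z","who":{"proxy":"copilot-40","owner":"bchan","operator":"ai_agent"},"where":"ops-twin/valve-7","what":{"action":"execute","txn":"T-1003","risk":"high","hitl_approver":null}}
{"when":"2026-02-03T11:45:00Z","who":{"proxy":"avatar-09","operator":"human"},"where":"lobby","what":{"action":"execute","txn":"T-1004","risk":"low"}}
"""

def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def review(events):
    findings = []
    roles = defaultdict(lambda: defaultdict(set))  # txn -> owner -> actions taken
    for e in events:
        who, what = e.get("who", {}), e.get("what", {})
        txn = what.get("txn")
        # Every record must answer who/when/where/what and name a legal owner.
        if not (e.get("when") and e.get("where") and what.get("action") and who.get("owner")):
            findings.append(("INCOMPLETE_RECORD", txn))
            continue
        roles[txn][who["owner"]].add(what["action"])
        # A high-risk action by an AI operator needs a recorded human approver.
        if (who.get("operator") == "ai_agent" and what.get("risk") == "high"
                and not what.get("hitl_approver")):
            findings.append(("AI_HIGH_RISK_NO_HITL", txn))
    # SoD: one legal owner, through any proxy, both initiated and approved.
    for txn, owners in roles.items():
        for owner, actions in owners.items():
            if {"initiate", "approve"} <= actions:
                findings.append(("SOD_SAME_OWNER", txn))
    return findings

if __name__ == "__main__":
    for rule, txn in review(parse(SAMPLE_LOG)):
        print(rule, txn)
```

Keying the SoD check on the proxy's legal owner rather than the proxy ID is what catches T-1001, where a human-driven avatar and an AI copilot belonging to the same person would otherwise look like two separate actors.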
Conclusion
The time for auditors to act is now. As organizations integrate proxies into more workflows, the risk of compromise only increases. Auditors will need to coordinate with the organization’s IT department and legal teams to formulate temporary policies for the introduction of digital proxies and AI avatars. Auditors will also need to lobby for continuous third-party risk assessments to determine the sensitivity of data being held and processed via spatial computing technologies. Last, organizations will need to create conduct codes for the virtual environment that document ownership of the proxies and avatars. When organizations embrace these governance structures, digital proxies gain the potential to transform modern enterprises.
Auditors can mitigate the governance risk posed by spatial computing by treating digital proxies as liabilities and closely managing their organizational inclusion. The intersection of selective spatial logging and virtual conduct policies will enable the creation of a realistic digital trust model that harnesses the benefits of global collaborative decentralization.
Endnotes
1 Tan, E.; Isaac, M.; “The Long Farewell to Mark Zuckerberg’s Metaverse,” The New York Times, 19 March 2026
2 U.S. Government Accountability Office (GAO), “Science & Tech Spotlight: Digital Twins—Virtual Models of People and Objects,” 14 February 2023
3 Yenduri, G.; M, R.; et al.; “Spatial Computing: Concept, Applications, Challenges, and Future Directions,” ArXiv, 2024
4 Li, Y.; Ji, H.; et al.; “Tangible Twins: A Haptic Proxy and Digital Twin Framework for Virtual Physics Experiments,” VRCAI '25: Proceedings of the 20th International Conference on Virtual Reality Continuum and its Applications in Industry, iss. 7, 2026, p. 1–7
5 Kumar Grandhi, S.V.; “The Evolution of Identity and Access Management (IAM) in Financial Services: From Legacy Systems to Modern Authentication,” European Journal of Computer Science and Information Technology, vol. 13, iss. 38, 2025, p. 157–163
6 GeeksforGeeks, “What is Spatial Computing?”
7 Liya, M.; Mart, A.; et al.; “The Ethical Challenges of AI in Cyber Defense and Surveillance - Balancing Privacy, Data Rights, and Automated Decision-Making in Cybersecurity,” October 2025
8 Microsoft, “What Is a Copilot”
9 Kadir, G.; Sevim, H.; et al.; “Digital Transformation and Artificial Intelligence-Assisted Auditing: The Role of Technology in Internal Audit Processes in 2025,” Dynamics in Social Sciences and Humanities, vol. 6, iss. 1, 2025, p. 25–33
10 ISACA®, Digital Trust Ecosystem Framework, 2024
11 Rende, J.; “The 6 Cybersecurity Trends That Will Shape 2026,” ISACA, 14 January 2026
Alex Mathew, Ph.D., CISA, CCNP, CISSP, CEH, CEI, CHFI, ECSA, MCSA
Is a professor in the department of cybersecurity at Bethany College (West Virginia, USA) and is widely recognized for his deep expertise in cybersecurity, cybercrime investigations, next-generation networks, data science, and IoT Azure solutions. His proficiency in security best practices, particularly in IoT, cloud systems, and healthcare IoT, is complemented by his comprehensive knowledge of industry standards such as ISO 17799, ISO 31000, ISO/IEC 27001/2, and HIPAA regulations.
As a Certified Information Systems Security Professional (CISSP), Mathew’s leadership is evident in his role as a consultant across international regions, including India, Asia, Cyprus, and the Middle East. His extensive 2-decade career, distinguished by numerous certifications and over 100 scholarly publications, underscores his commitment to advancing the field. Mathew has been a pivotal force in organizing cybersecurity conferences and establishing incubation centres, contributing significantly to the academic and professional community.
A highly sought-after speaker, Mathew’s influence extends to international conferences where he shares his insights on cybersecurity, technology, and data science. His remarkable interpersonal skills and openness enhanced his ability to engage and inspire diverse audiences, further cementing his position as a leader in his field.