
Five ways for financial services boards to enhance AI governance and risk management

How boards should rethink oversight as AI compresses decision cycles, intensifies cyber threats and increases third-party dependence.


In brief:

  • Boards remain squarely accountable for ensuring AI is governed and controlled under existing standards, particularly CPS 220, CPS 230 and CPS 234.
  • Treating AI as just another technology leaves gaps in lifecycle management and oversight; closing these governance gaps requires urgent action.
  • If AI risks aren’t managed proportionately, exposure will grow and institutions can expect increased supervisory focus and enforcement actions.

As institutions move to harness AI to create productivity and customer benefits, AI is fundamentally changing the way the workforce operates and services are delivered. The frenetic pace of this change is putting tried and tested governance, risk management, security and assurance systems under pressure.

The opportunity is to control risk and unlock value simultaneously by embedding AI risk management as an integral part of AI adoption. However, while boards are focused on AI’s potential, many lack the technical literacy to challenge how models behave in practice, leading to over-reliance on vendor and management assurances.1


AI is introducing new risks

AI deployment is outpacing governance. Many firms still treat AI as conventional IT, leaving gaps in AI lifecycle management that overlook risks unique to AI, such as adaptive models, bias or privacy. Oversight cadence is no longer fit for purpose: board cycles and point-in-time assurance are ill-suited to dynamic, self-learning AI systems. Few organisations have continuous monitoring in place, leaving risks such as model drift or bias undetected and boards without timely insight.


Worryingly, institutions increasingly depend on a small number of AI providers, often without credible exit or fallback plans. At the same time, limited visibility into upstream models and data heightens systemic risk. The nightmare scenario is that failures in opaque third-party AI could cascade into critical operations.


At the same time, AI is reshaping the cyber threat landscape, expanding attack pathways and compressing response times. Frontier AI models in the hands of attackers will enable accelerated identification and exploitation of vulnerabilities. In this evolving threat environment, entities must continually uplift their security capabilities. Legacy cyber controls are struggling to keep pace, requiring faster, more adaptive defence and response capabilities.


Immediate actions for boards and senior executives

The combination of accelerating AI capability, growing operational dependence and rapidly evolving threat environments means boards require clearer visibility, faster oversight cycles and stronger enterprise-wide coordination now – even where AI adoption remains cautious.

As institutions move to align AI oversight with existing risk appetite, controls and reporting, they need to:

1. Map AI exposure
Identify all AI use cases and dependencies across critical services, including vendor embedded AI, to establish a clear inventory and risk profile.

2. Understand where the organisation sits on the AI adoption curve
Not all AI is equal. The type, scale and criticality of the AI in use determine the required control environment. As organisations progress from productivity tools and copilots to embedded, agentic and self-directing systems, the risk profile changes materially. Boards should have clear visibility of this progression and ensure governance, cyber security, third-party and resilience controls scale proportionately, avoiding blind spots as AI becomes more autonomous and is infused through operationally critical infrastructure.

3. Treat AI as operationally critical – even where adoption is cautious
Even firms in the early stages of AI adoption are exposed through vendor-embedded AI and AI-enabled attack techniques. Institutions need to prioritise and strengthen cyber security to respond to evolving threats, which may include using AI to identify and resolve threats more rapidly.

4. Shift to continuous, lifecycle-based oversight and assurance
Approving individual AI use cases and relying on point-in-time reviews or traditional change controls is no longer sufficient for adaptive AI systems. Boards should expect ongoing insight aligned to risk appetite, including continuous monitoring of AI behaviour and performance (so that drift and bias are caught early), security weaknesses, dependencies, third-party reliance and concentration risk. Security needs strong foundational controls and basic cyber hygiene to improve containment speed and recovery time and to minimise operational impact.

5. Manage AI risk holistically across the enterprise
The use of AI intensifies a wide range of risks, including data, model, privacy, compliance, conduct, technology, cyber and third-party risks. Institutions need a holistic AI standard, and oversight requires monitoring and reporting processes that tie these individual risk classes together in aggregate.
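Action 4 calls for continuous monitoring of model behaviour rather than point-in-time review. The following is an added illustration of what one such monitor can look like in practice; it is not code from the article or from any regulator. The article prescribes no method, so the Population Stability Index (PSI) and the conventional 0.1 (warn) / 0.25 (alert) thresholds are assumptions, and the two score samples are constructed rather than taken from a real model.

```python
"""Continuous model-drift check using the Population Stability Index (PSI).

Added illustration. The PSI statistic and the 0.1 / 0.25 thresholds are
conventional assumptions, not requirements from the article; the score
samples are constructed for the example.
"""
import math


def psi(baseline, current, bins=10, eps=1e-6):
    """Compare the distribution of model scores at approval time (baseline)
    with the distribution observed now (current). Larger values mean the
    model is seeing, or producing, something different from what was reviewed."""
    lo, hi = min(baseline), max(baseline)
    width = (hi - lo) / bins or 1.0  # guard against a constant baseline

    def proportions(values):
        # Both samples are bucketed on the baseline's edges so they are comparable.
        counts = [0] * bins
        for v in values:
            i = min(max(int((v - lo) / width), 0), bins - 1)
            counts[i] += 1
        n = len(values)
        return [c / n for c in counts]

    total = 0.0
    for pb, pc in zip(proportions(baseline), proportions(current)):
        pb, pc = max(pb, eps), max(pc, eps)  # avoid log(0) on empty buckets
        total += (pc - pb) * math.log(pc / pb)
    return total


def drift_status(value, warn=0.1, alert=0.25):
    """Map a PSI value to an escalation level for the reporting line."""
    if value >= alert:
        return "ALERT"
    if value >= warn:
        return "WARN"
    return "OK"


def run_check(baseline, current):
    """One monitoring cycle: returns the statistic and the status to report."""
    value = psi(baseline, current)
    return {"psi": value, "status": drift_status(value)}


# Constructed samples: scores spread evenly over 0..1 at approval time,
# and a current batch concentrated in the upper half (a clear shift).
BASELINE_SCORES = [i / 100 for i in range(100)]
SHIFTED_SCORES = [0.5 + i / 200 for i in range(100)]

if __name__ == "__main__":
    for label, batch in (("same-as-approved", BASELINE_SCORES), ("shifted", SHIFTED_SCORES)):
        result = run_check(BASELINE_SCORES, batch)
        print(f"{label:18s} psi={result['psi']:.3f} status={result['status']}")
```

Run as a scheduled job over each day's scoring output, the status field is what feeds a dashboard or the board pack: an "OK" confirms the model still behaves as it did when approved, while a sustained "WARN" or "ALERT" is the trigger for re-validation, regardless of whether a formal change request was ever raised.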


Summary

Board and executive AI literacy has become an essential governance capability. Leaders must be able to meaningfully challenge assumptions, interrogate risk, understand operational dependencies and make informed decisions about where AI should – and should not – be trusted.
