young woman standing on entrance of multicoloured portal door

How AI governance strengthens financial resilience in the GCC

Kawther Haciane

EY MENA Digital Risk Leader

Contributors

  • Gopal Bang
10 minute read 29 Apr 2026
Related topics
Consulting
Risk
Financial services
Digital
Technology
AI

As AI accelerates high-stakes decisions, GCC institutions must strengthen governance to safeguard trust, compliance and resilience.

In brief

  • AI is reshaping how GCC financial institutions make decisions, shifting resilience from recovery planning to governed, explainable intelligence.
  • When governance lags deployment, AI drives operational, model and trust fragility, amplifying risks across interconnected platforms and third parties.
  • Boards and executives must modernize AI governance, embed controls into operations, and integrate AI risks into enterprise risk management (ERM), stress testing and crisis simulations.

For decades, financial resilience in the GCC has been defined by capital strength, sovereign backing and business continuity planning. While these remain important, decision-making within financial institutions is changing rapidly.

EY surveys and financial services publications show that artificial intelligence (AI) is embedded across credit decisioning, fraud detection, financial crime monitoring, risk management, forecasting and customer engagement. AI investment is accelerating, but governance maturity is not keeping pace. This is creating a widening resilience gap.

In this context, financial institutions must evolve governance, controls and operating models at the pace of AI adoption. Left as an efficiency or decision-support enhancement, AI becomes a source of fragility; governed in the right way, it becomes a core resilience asset.

Resilience in the AI era is not about having better algorithms. It is about governing intelligence as a strategic and board-level responsibility, with accountability, transparency and control embedded into how decisions are made.

Waiting for a metro
1

Chapter 1

The structural shift in financial resilience: when speed rewrites risk

AI is now core to GCC banking, but governance is lagging. As machine‑driven decisions scale, gaps become systemic risk across AI‑enabled ecosystems.

How EY can help

In the GCC, where financial credibility underpins cross-border capital flows and market confidence, resilience is increasingly defined by institutions’ ability to govern machine-driven decisions under pressure.


Traditional resilience frameworks assumed risks emerged slowly enough for human intervention. Controls, escalation paths and recovery plans were built around that reality. AI breaks that assumption by executing decisions faster across interconnected systems, often without direct human review. Risk propagates through algorithms, data pipelines, shared platforms and third-party ecosystems — pushing resilience from reaction to prevention.
 

The GCC at a strategic tipping point: pressure, pace and opportunity


Across the GCC, rapid digitization of financial services, expansion of open banking and FinTech ecosystems, increased use of AI-driven automation and heightened supervisory expectations are converging while compressing risk cycles and stretching traditional governance models.


EY CEO Outlook and financial services AI research indicate that AI is becoming part of the operating fabric of financial institutions. When appropriately governed, it strengthens resilience and when governance lags deployment, it introduces systemic fragility.

AI financial resilience GCC
2

Chapter 2

AI-driven fragility in financial institutions: where resilience can crack

As AI decisions scale across banking, resilience depends less on cyber controls and more on governance. Operational, model and trust fragilities define the new risk landscape.

How EY can help

  • AI Insights

    Explore our global insights that look at how you can build confidence in AI, drive exponential value throughout your organization and deliver positive human impact. Learn more.

    Read more

To see the new resilience landscape clearly, look past generic cyber concerns. AI introduces three distinct layers of exposure when governance does not keep pace with deployment.


Operational fragility: the new front line


AI-enabled attacks are now a tangible concern. Adversaries are increasingly leveraging machine learning to test and identify vulnerabilities in systems, highlighting the need for proactive resilience strategies.


AI deployments across banking functions expand institutional attack surfaces, particularly where shared cloud infrastructure spans multiple entities. The speed and scale of these risks are unprecedented, making resilience a core operational requirement.


Model fragility: when intelligence becomes opacity


As institutions adopt more advanced and agentic AI tools, model risk becomes a primary resilience concern. Explainability, bias controls, audit trails and model validation are often incomplete.


That imbalance can turn AI from a productivity accelerator into a compliance blind spot. Without disciplined model governance, intelligence becomes opacity and decision outcomes become harder to challenge, defend and correct under pressure.


Trust fragility: confidence is the currency


Trust is not optional in financial services. When customers, regulators or counterparties cannot understand or trust how algorithmic decisions are made, resilience erodes, even when systems remain operational.


In the GCC, the leading AI risk is often not technical failure. It is the erosion of confidence in how decisions are made and governed.

Indian male white collar worker video call
3

Chapter 3

Engineering resilience in the AI era

AI adoption is accelerating beyond governance, skills and oversight. As regulators raise expectations, financial institutions face rising systemic risk and must rethink resilience from design to deployment.

AI adoption is outpacing governance

EY research consistently shows the core resilience challenge is not a lack of investment, but uneven investment. Institutions are scaling AI capability faster than governance, skills and oversight. This governance gap is no longer a compliance issue; it is a systemic risk multiplier.

Regulatory scrutiny is intensifying

EY regulatory analysis shows supervisors globally, and increasingly across the GCC, are moving from broad digital principles to AI-specific supervisory expectations. These include model governance, explainability, third-party oversight, auditability, data quality controls and integration of AI-driven disruptions into resilience and crisis simulations.

Institutions are expected to demonstrate trustworthiness under examination, with evidence of governance, controls, monitoring and accountability across the AI lifecycle.

A new resilience playbook for GCC financial institutions

EY MENA teams’ AI and financial resilience analysis delivers a clear message; resilience in the AI era must be engineered, not assumed. This requires a shift from reactive controls to predictive risk management; from checklist compliance to governance maturity; from siloed continuity planning to integrated scenario exercises; and from traditional third-party risk management to algorithmic risk stewardship.

EY surveys, publications and leadership perspectives converge on a clear conclusion; in the AI era, resilience is measured by how effectively institutions can govern, explain and substantiate machine-driven decisions before, during and after periods of stress.

Leading institutions will evolve at the pace of AI itself by modernizing governance models, redefining controls and integrating AI risks into enterprise resilience planning, stress testing and crisis simulations as a core strategic priority.

Summary

AI is reshaping how banks and insurers in the GCC manage risk, trust and operational continuity. Governance has become the critical differentiator as machine-driven decisions accelerate, regulatory expectations tighten and exposure expands across models, data and third parties. It sets out a practical resilience agenda for boards and chief risk officers (CROs) by clarifying ownership, strengthening controls and integrating AI scenarios into stress testing, so institutions can deploy advanced capabilities with confidence and accountability.

Related articles

How the Middle East tackles the evolving digital risk landscape for 2025

In 2024, the Middle East actively managed emerging trends in the rapidly changing digital risk landscape. Read more.

Kawther Haciane + 1

Five ways banks can scale Global Capability Centers for AI value

Get ready for Global Capability Centers to transform your banking operations.

Nigel Moden + 1

Five questions banks must ask to turn technology spend into value

Banks are increasing technology spend, but long-term value remains hard to unlock. Learn how banks can improve return on investment.

Nigel Moden + 1

    How EY can help

    • EY Trusted AI Platform

      EY Trusted AI Platform provides an integrated approach to evaluate, quantify and monitor the impact and trustworthiness of artificial intelligence (AI).

      Read more

    • AI Strategy Services

      AI Strategy Services team can enable better and faster ROI for new products and services and help accelerate M&A. Find out more.

      Read more

    • Digital

      Discover EY's digital insights, teams & services and learn how they can help your business unlock human potential, and accelerate new and better ways of working.

      Read more

    About this article

    Kawther Haciane
    EY MENA Digital Risk Leader
    Enabling organizations to navigate the complexities of the digital era. Protecting critical assets. Ensuring trust in technology and fostering resilience against evolving threats.

    Contributors

    • Gopal Bang
    Related topics
    Consulting
    Risk
    Financial services
    Digital
    Technology
    AI

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.