Beyond the committee: the real work of governing AI at scale

There is no shortage of awareness in financial services. Boards know the topic matters. Risk teams are engaged. Compliance teams are alert. Technology leaders are under pressure to support adoption without allowing the organisation to drift into unmanaged exposure. The conversation has matured quickly.

That does not mean control maturity has kept pace.

The survey suggests many institutions have made a serious start but are still building the routines and controls that turn governance from intent into discipline. In insurance, several core governance capabilities still sat in the emerging category rather than appearing mature or deeply embedded. Internal assurance also looked uneven. Most insurance responses said AI or GenAI risk and control effectiveness had not been subject to an internal audit in the previous 12 months. Banking responses pointed in a similar direction, with targeted review activity still not consistently complete. This suggests the market is still progressing through this stage rather than operating beyond it.

That work is less glamorous than the public conversation around AI often suggests. It includes keeping inventories current, understanding where AI sits inside products, processes and third-party systems and risk-tiering use cases properly rather than treating them as one broad category.

It also means making validation, monitoring and escalation routine rather than exceptional. This ensures first-line leaders understand how AI is used in their areas and where human judgement still needs to sit.

For experienced risk leaders, none of this is conceptually new. AI does not create a completely new governance world, but it does broaden and intensify the risk picture. Model-related issues remain important but the exposure is now broader: operational risk, conduct risk, reputational risk, cyber exposure, third-party dependency, concentration risk and the risk of decisions or outputs changing quietly as tools evolve.

Once AI is embedded in service operations, claims handling, underwriting support, fraud detection, regulatory processes or employee decision support, governance stops being an abstract virtue and becomes an operating capability.

That is why execution matters more than awareness. Most firms know the subject is important. Fewer can yet say, with confidence, that they know exactly what they have, where it sits, how it is controlled and how they would respond if something material went wrong.

One of the more important issues in the survey is not a narrow control issue. It is a strategy issue.

A number of firms appear to be moving into AI governance before they have fully settled their AI strategy. They may have committees, policies and active discussions but that is not the same as having a coherent point of view on where AI should create value, where it should support differentiation, what risks are worth taking, where the organisation wants to move quickly and where it should be deliberately cautious.

That matters more than it may seem at first. Without a clear strategic anchor, governance can quickly become reactive. It manages activity rather than shaping it. It reviews proposals, discusses risks and creates process but does not offer much directional clarity on what the institution is actually trying to achieve with AI. When that happens, governance can become process-heavy without becoming more effective. Investment fragments. Decision-making slows. The organisation looks careful but not always purposeful.

For boards and executive teams, this is becoming more pressing as the competitive backdrop is changing. Incumbents are starting to recognise that staying in expert follower mode may not be enough. They do not need to mimic the posture of AI-native challengers, but they do need a more explicit view on how AI fits into their future model, economics and customer proposition. Without that, governance risks becoming a brake on movement rather than an enabler of confident adoption.

The aim is not reckless risk-taking, but greater clarity about which risks are being taken and why. Firms that are explicit about the value they want from AI, the choices they are willing to make and the boundaries they want to maintain will usually govern better than firms that approach the topic mainly through process and review.

The South African responses make clear that governance is visible. Committees exist. Structures are being formalised. More senior people are involved. At one level, that is exactly what should be happening. In a regulated industry, stronger oversight is part of the price of progress.

The problem is that governance can become more elaborate without ownership becoming more settled.

Across the survey, the data do not point to absent oversight so much as distributed ownership across committees, risk leaders, technology leaders and executive teams in ways that do not always look fully resolved. Banking responses were suggestive, with governance committees playing a prominent role in decision-making. Insurance showed a related pattern, with accountability often sitting across the CRO and CIO or CTO.

Still, there is a difference between shared accountability and unclear accountability. When decision rights are unclear, progress slows, often quietly. More people are consulted. More perspectives are heard. Risks are discussed at length. Yet the hard calls do not always land cleanly.

These are not abstract governance questions. They are day-to-day management questions. They sit close to the logic of the three lines of defence. The first line needs enough clarity to use and supervise AI responsibly in the business. The second line needs sufficient standing and visibility to challenge, set guardrails and monitor emerging risk. The third line needs enough evidence and structure to assess whether the control environment is actually working. Where those roles are vague, AI governance tends to look stronger on paper than it feels in operation.

Most institutions can now articulate responsible AI principles. They can talk about fairness, transparency, accountability, human oversight and governance. In some cases, they can point to a framework that captures all the right concepts. That is a useful foundation. That foundation still needs to translate into clear, demonstrable control in practice.

The more revealing questions are practical. Can the institution show where AI is being used, including tools embedded in third-party platforms? Can it distinguish low-risk productivity use from higher-stakes applications that affect customer outcomes, operational decisions or regulated processes? Can it demonstrate testing, challenge and validation in a way that would stand up to internal audit, board scrutiny or supervisory inquiry? Can it explain how incidents would be identified, escalated and managed? Can it show that control expectations hold regardless of whether the model was built internally, procured externally or embedded in a broader technology product?

The South African data is especially useful here. The insurance responses suggest that several enabling disciplines are still in development. Monitoring and metrics were often still in the process of emerging. Documentation and transparency were not yet consistently strong. Training and change management were also far from being fully embedded. Regulatory readiness also looked uneven, even though a notable share of insurers referenced the EU AI Act in describing the external frameworks shaping their thinking.

One of the most practical issues here is inventory. If a firm lacks a reasonably complete, current view of where AI is being used or embedded, governance becomes incomplete. That inventory needs to be broader than formally approved use cases. It needs to include third-party tools, evolving vendor functionality and AI-enabled capabilities that may have entered the environment through broader technology adoption.

The more meaningful divide is between firms that can describe governance and those that can clearly evidence how it works in practice.

Third-party AI is often treated too narrowly, as though governance sits mainly with the vendor.

For many institutions, AI will not arrive mainly through internally built models. It will come through software providers, cloud platforms, core systems, workflow tools and enterprise vendors steadily layering AI into products and services. On the surface, that is efficient.

The institution still owns the consequences. It still needs to know where the tool is used, which decisions it influences, what data it touches, how outputs are checked and what degree of human intervention remains possible. A vendor may update a model, change an underlying feature or improve a product release, and suddenly the outputs shift. The institution remains exposed even where the model originates externally.

Vendor governance, therefore, needs to become more than a procurement checkpoint. Institutions need sharper questions and better evidence. What is the tool actually doing? What has it been trained on? How often is it updated? What can be explained and what cannot? What happens when outputs are wrong or unexpected? What incident obligations exist, and what leverage does the institution have if something material goes wrong? These questions now sit close to the core of AI governance.