Generative AI reveals governance gaps at financial firms

Generative AI use in financial firms has outpaced governance, leaving gaps in oversight, accountability and controls as models are embedded in investment and compliance workflows.

Generative AI models are now used across investment analysis, due diligence, compliance, client onboarding, client communications and internal reporting at many financial firms, outpacing existing governance frameworks.

Practitioners point to a difference in how firms and supervisors treat AI. Many firms approach AI as a software procurement issue, while regulators increasingly view it as part of a firm’s operational infrastructure. Financial rules and controls were designed around human-speed approval chains, layered reviews and clear accountability tied to individual decision points; AI shortens decision cycles and distributes outputs across workflows, which changes how operational risk is traced.

Examples reported by practitioners include model-assisted research summaries appearing in investor materials without documented sign-off, AI-drafted internal notes affecting credit decisions, and employees pasting confidential data into public tools. Technical systems can log prompts, usage and anomalies but often do not capture who approved a workflow, which risk assessment supported its use, or who was accountable for validating outputs before they affected decisions.

Security and governance products address parts of the problem. Prompt-protection systems can reduce data leakage. Monitoring platforms can show usage patterns. Governance tools can build inventories, policies and risk registers. Firms commonly combine multiple vendors across different layers; one regulated firm was found to use more than 50 tools despite having about 25 employees.

That fragmentation makes it harder to connect signals into a single control framework and to reconstruct why an AI-assisted process was considered acceptable when an incident occurs.
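The gap described above, between what monitoring systems record (prompts, usage, anomalies) and what a control framework needs to reconstruct afterwards (who approved the workflow, which risk assessment supported it, who validated the output), can be made concrete as a reconciliation check. The following Python is an added example, not code from the article or from any vendor tool it mentions; the log format, the approval-register fields and every sample record are constructed for illustration.

```python
"""
Reconcile an AI usage log with a workflow approval register so that each
AI-assisted output which reached a decision can be traced to an approver,
a supporting risk assessment and an accountable validator.

All field names, identifiers and sample records below are constructed for
this example; they do not come from the article or from any real product.
"""
import json

# Constructed sample: JSON lines as a prompt/usage monitoring platform might emit them.
USAGE_LOG_JSONL = """
{"event_id": "e1", "workflow": "research-summary", "user": "analyst1", "outcome": "investor_deck"}
{"event_id": "e2", "workflow": "credit-memo", "user": "analyst2", "outcome": "credit_decision"}
{"event_id": "e3", "workflow": "ad-hoc-chat", "user": "analyst3", "outcome": "internal_note"}
"""

# Constructed sample: governance register recording, per workflow, who approved it,
# which risk assessment supported its use, and who validates outputs before use.
APPROVAL_REGISTER = {
    "research-summary": {"approved_by": "cro", "risk_assessment": "RA-0007", "validator": None},
    "credit-memo": {"approved_by": "head_credit", "risk_assessment": "RA-0012",
                    "validator": "credit_committee"},
}

# Every AI-assisted output that affects a decision needs all three links.
REQUIRED_FIELDS = ("approved_by", "risk_assessment", "validator")


def parse_usage_log(jsonl_text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def audit(usage_events, register):
    """Return one finding per usage event whose accountability chain is incomplete.

    A finding names the event, the workflow, the missing register fields and
    a short reason, which is what an incident review would need to see.
    """
    findings = []
    for event in usage_events:
        workflow = event["workflow"]
        record = register.get(workflow)
        if record is None:
            # Usage of a workflow nobody formally approved: e.g. ad-hoc tool use.
            findings.append({
                "event_id": event["event_id"],
                "workflow": workflow,
                "missing": list(REQUIRED_FIELDS),
                "reason": "workflow not present in approval register",
            })
            continue
        missing = [name for name in REQUIRED_FIELDS if not record.get(name)]
        if missing:
            # Approved workflow whose record leaves part of the chain undocumented.
            findings.append({
                "event_id": event["event_id"],
                "workflow": workflow,
                "missing": missing,
                "reason": "incomplete accountability record",
            })
    return findings


def accountability_coverage(usage_events, register):
    """Fraction of usage events whose workflow has a complete accountability chain."""
    if not usage_events:
        return 1.0
    flagged = {finding["event_id"] for finding in audit(usage_events, register)}
    return 1 - len(flagged) / len(usage_events)


if __name__ == "__main__":
    events = parse_usage_log(USAGE_LOG_JSONL)
    for finding in audit(events, APPROVAL_REGISTER):
        print(finding)
    print(f"coverage: {accountability_coverage(events, APPROVAL_REGISTER):.2f}")
```

On the constructed sample the check flags two of three events: the research summary that reached an investor deck has an approver and a risk assessment but no named validator, and the ad-hoc chat session maps to no approved workflow at all. The credit memo passes because all three links are present. The point of running the register against the usage log, rather than reviewing either alone, is that it surfaces exactly the records a firm cannot produce when asked why an AI-assisted process was considered acceptable.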

Andrey Darenberg, founder of RateYourCyber.com, noted: “Governance systems must produce reliable accountability in environments where operational behavior is no longer tightly coupled to formal processes.” Darenberg and his team tested security, monitoring and governance tools used by regulated financial firms over the past year.

Regulators are applying existing rules on operational resilience, accountability, outsourcing and model risk management to AI systems. Investors and insurers are asking more detailed questions during due diligence and underwriting about how firms control AI-assisted workflows. Firms that can show approved environments, vendor oversight, access management, monitoring and clear ownership models report fewer barriers to expanding AI use.

Darenberg’s review found that operational controls and governance structures need to be developed in parallel. He added that firms are being pushed to document ownership, escalation procedures and board reporting that explicitly address how AI influences decisions.

Darenberg is the founder of RateYourCyber.com and has more than a decade of experience in cybersecurity and governance consulting, with additional training in finance and IT systems.