Building Trusted AI in financial services

Why this matters:

Treating AI as 'just another technology' leads to weak lifecycle governance, unclear accountability, and limited oversight, particularly for generative and agentic AI systems in critical, customer-facing processes.

Mature governance helps deploy AI faster and with confidence, and mitigates the risk of failure, harm, and scrutiny.

What good looks like:

• Governance: establish a fit-for-purpose AI governance framework across the full lifecycle.
• Accountability: define clear ownership and accountability for AI (design, deployment, monitoring, decommissioning).
• Board oversight: uplift Board and executive AI literacy and challenge capability.
• Transparency: implement central AI inventory and system-level documentation to document AI systems, use cases and agents.
  

Why this matters:

Current assurance approaches are insufficient: point-in-time testing misses evolving risks, detection of drift, bias, and degradation is limited, and audit and risk functions often lack specialist skills and tools.

Continuous monitoring and assurance helps to detect drift or failures before they impact customers..

What good looks like:

• Monitoring: continuous monitoring that measures AI drift and decay against validated domain knowledge.
• Assurance: assurance that runs at the same speed as the system it governs, with independent evaluation capability that assurance teams can rely on rather than replicate.

Why this matters:

Heavy reliance on AI providers leads to limited visibility over model and agent behaviour, opaque upstream dependencies (e.g. foundation models), and weak contractual protections and exit planning. Mapping the supply chain and confirming exit paths reduce single-vendor reliance and strengthen AI as a durable enterprise capability.

What good looks like:

• Supply chain visibility: establish end-to-end AI supply chain visibility.
• Vendor governance: strengthen supplier governance and contractual controls (audit rights, transparency, change notification, incident response).
• Risk management: implement ongoing performance, risk and compliance monitoring of providers.
• Resilience: develop and test credible exit, substitution and portability strategies.

Why this matters:

AI is reshaping the threat landscape through introducing new attack vectors (e.g. prompt injection, data leakage, agent misuse), increasing the speed and scale of attacks, and exposing gaps in identity and access management for non-human actors.

Rapid AI development is outpacing security controls, while shadow and workforce use of AI reduce visibility and control.

Calibrated security controls enable organisations to deploy agents and AI generated code with confidence.

What good looks like:

• Identity & access: implement modern IAM for AI agents and non-human actors.
• Privacy & data protection: strengthen privacy and data protection controls to prevent data loss of PII and other sensitive data through AI tools.
• Vulnerability management: strengthen continuous vulnerability scanning, prioritisation and rapid patching.
• Testing: enhance security testing across AI models, generated code and integrations.
• Resilience: fallback processes and incident response for AI-supported critical operations.
• Preventative controls: enforce technical controls to restrict unapproved AI tools and high-risk use cases.
• Governance: establish clear policies and accountability for acceptable AI use.