      As banks move beyond isolated AI pilots, the harder challenge is no longer the technology but the governance, model risk management and accountability needed to scale safely across the enterprise


      Over three-quarters of Hong Kong’s banks are already deploying or piloting AI solutions across use cases ranging from credit assessment and risk monitoring to customer engagement[1]. However, discussions with banks across the market reveal that scaling AI into measurable, enterprise-wide value while maintaining clear governance remains elusive for many institutions.

      This is consistent with what we see globally. Most banks have allowed AI to diffuse organically. Use cases have sprung up wherever a team had the appetite and the capability to build them – a pattern of growth that has produced a great deal of activity but very little coordination. The concern we increasingly hear at executive and board level is that this looks like the next generation of end-user computing risk: capability spreading across the organisation without central governance, accountability or oversight.

      As a result, many of the largest banks are now pulling AI back into a central governance layer, and – importantly – they are fixing their data foundations first, consolidating fragmented silos into an enterprise data layer before attempting to govern AI on top of it. For Hong Kong’s banks, the lesson is that the centralisation question cannot be deferred until the infrastructure has already sprawled; the institutions making the most progress globally are those treating enterprise data and central governance as the platform for AI rather than an afterthought.

      Stanley Sum

      Head of Technology Consulting, Greater Bay Area,

      KPMG China

      Simon Benson

      Head of AI

      KPMG Asia Pacific

      Angel Mok

      Partner, Technology Consulting, Hong Kong SAR

      KPMG China

      Moving beyond the pilot phase

      The HKMA has run multiple rounds of generative AI sandboxes over the past two years, and the regulator is now clearly signalling that banks need to move beyond pilots and put AI into real production environments. With total banking sector technology spending projected to reach HKD 100 billion annually over the next three years[2], the stakes for getting this right are high.

      What we hear consistently from banks is that they have made genuine progress – they have run pilots, proven use cases – but they are struggling to scale that into something that changes performance at a system level. There are a few recurring tensions. First, fragmentation: lots of activity, but not enough coordination across the enterprise, so value does not compound. Second, ROI remains unclear — there is pressure to show results quickly, but the metrics are not always well defined, and that drives the wrong behaviour: more pilots instead of deeper transformation. Underlying all of that are structural blockers — data quality, operating model gaps, and increasingly the regulatory and risk overlay.


      There’s still a strong bias toward quick wins — productivity gains, isolated use cases, tactical deployments. Those things matter, but they don’t move the dial structurally. The real value only shows up when AI is embedded end-to-end – when you redesign workflows, decisioning, and service delivery around it. That’s harder, slower, and more organisational — but that’s where the advantage is being created.

      Model validation: fit for purpose is a moving target, not a one-off

      As AI moves into production, a foundational question is not simply whether a model has been validated once, but whether it continues to behave the way it is expected to and produces the results it is supposed to over time. Fit-for-purpose assessment matters more than a one-time validation, because models do not stay still. A model is closer to a perishable good than a fixed asset: something that performs well today may degrade tomorrow or next week as the underlying data and market conditions shift. Treated as a single point-in-time exercise, validation leaves banks exposed to the risk that models quietly drift out of line, become overloaded, or simply go unreviewed. Continuous, periodic re-assessment — concentrated where the risk has genuinely moved — is the basic layer of credible model risk management for AI.

      A second layer of complexity comes from the proliferation of models within a single institution. Increasingly, banks are not running one central AI model but many. Different models have different strengths and weaknesses, and as institutions explore which performs best for which task, the number in use can multiply quickly. This makes inventory management essential. Banks need to know how many models are in use, which versions are running, and where each is deployed. 

      A third and more complex layer arises where banks move beyond using a model “off the shelf” and begin injecting their own proprietary data for the model to work alongside, or to learn from. This raises a distinct set of questions: how does the bank govern the data it has fed into the model, how does it control the model as it evolves, and how does it keep returning to the same fundamental test of whether the output remains fit for purpose? The answer, in every case, is a proper inventory of what is in use, a clear governance process for onboarding and offboarding AI solutions, and a requirement that each is subject to regular validation. This is the practical machinery needed to turn the ambition of central governance into something real.

      The third-party blind spot

      Much of this risk sits outside the bank’s own walls. Most banks are deploying AI through third-party vendors and model providers, and the governance questions that come with that – vendor model opacity, contractual accountability and concentration – are too often underweighted. With third-party risk, banks have historically focused on understanding what they themselves outsource. The harder question, and one that is increasingly relevant in AI, is what those vendors in turn outsource to, and whether the bank can map that wider network at all.

      Because so many AI solutions are cloud-based, tracing the chain often reveals further layers, many resting on open-source software. Open source does not always mean free to use; licensing agreements, particularly for commercial use, need careful handling to avoid intellectual property infringement. This network also creates a form of concentration risk that is easy to miss. A bank may have twenty, thirty or even a hundred AI solutions in use, but if they ultimately depend on the same handful of underlying models or cloud platforms, a single failure does not affect one solution in isolation – it can affect the entire stack at once. Many institutions are broadly aware of this in principle, but few have full visibility of where their AI solutions collapse into a single point of failure.

      Working with the grain of regulation

      As banks scale their AI capabilities, regulators in Hong Kong and elsewhere are actively working through what good AI governance should look like and what banks will be expected to demonstrate. The HKMA has made clear that responsible implementation is non-negotiable, and its work on explainability is a significant area of focus. Through Project Noor – a collaboration with the BIS Innovation Hub Hong Kong Centre and the UK Financial Conduct Authority – the HKMA is prototyping Explainable AI tools that convert complex model logic into plain language and intuitive visuals, so that supervisors can verify transparency, assess fairness and test robustness[3]. Critically, Project Noor does not seek to prescribe fixed standards or take responsibility away from banks: financial institutions retain responsibility for model explainability.

      That responsibility matters in practice. When a model drives a credit decision or flags a transaction for review, the bank must be able to show which inputs drove the output, how they were weighted, and why the result is consistent with policy – not the underlying calculation, but a reasoning chain a senior decision-maker can own and defend.

      In our view, governance cannot sit outside as a control layer — it has to be engineered into how AI operates day-to-day. The banks that get that right will actually move faster, not slower, and banks can expect to see the most traction where governance is built in from day one.



      Hong Kong Banking Report 2026

      Positioned for Growth
