AI Governance Solutions for Financial Services Compliance in 2026

Financial institutions are deploying AI faster than their governance frameworks can keep up — and regulators have stopped waiting for the industry to self-correct. What began as voluntary guidance has hardened into examination-ready expectations, with FINRA, the SEC, NYDFS, and federal banking regulators each signaling that existing supervision, recordkeeping, and model risk frameworks apply to AI systems right now.

This is no longer an IT problem or a compliance team problem. When an examiner asks for documentation of an AI-influenced credit decision, that question lands in the boardroom. Directors who cannot demonstrate structured oversight — not just a policy document — face real regulatory, legal, and reputational exposure.

Four trends are reshaping what AI governance actually requires in 2026: regulatory scrutiny that has moved from guidance to examination, shadow AI emerging as a documented compliance exposure, agentic AI breaking traditional accountability models, and explainability becoming a baseline legal requirement. Institutions that build governance infrastructure now will have something to show when examiners arrive. Those that wait will be reconstructing their posture under pressure.


TL;DR

  • FINRA, the SEC, and NYDFS are applying existing supervision and recordkeeping frameworks to AI — and examining firms accordingly
  • Shadow AI creates supervision blind spots and recordkeeping failures comparable to off-channel communications violations
  • Agentic AI takes autonomous, multi-step actions that break traditional accountability models, requiring institutions to define clear ownership for every AI-driven outcome
  • Explainability is no longer aspirational — regulators and courts expect end-to-end reconstruction of any AI-influenced decision
  • Boards and executives that treat AI governance as a governance problem — not a technology question — build more defensible compliance postures faster

Key Trend 1: Regulatory Scrutiny Has Moved Into the Exam Room

The era of voluntary AI governance is over. Regulators are not waiting for purpose-built AI legislation — they are applying rules that already exist.

What FINRA Is Requiring

FINRA Regulatory Notice 24-09, published June 2024, is unambiguous: existing FINRA rules are technology-neutral and apply to AI tools regardless of whether they are built in-house or sourced from a vendor. Firms must apply supervision under Rule 3110, capture AI-generated communications under books-and-records requirements, and manage vendor and customer-protection obligations the same way they would for any other technology.

FINRA's 2026 Annual Regulatory Oversight Report goes further. It identifies agentic AI specifically — AI systems that autonomously perform tasks and make decisions — as an active area of examination focus, not a future concern. Firms should expect examiners to ask about human-in-the-loop controls and how they are tracking and auditing what autonomous AI systems actually do.

The SEC's Technology-Neutral Position

The SEC has been equally direct. Former Chair Gary Gensler stated that securities laws apply to AI-related conduct — investment advisers and broker-dealers using AI for recommendations must still meet fiduciary obligations, Regulation BI requirements, and investor-protection standards. The SEC's Division of Investment Management reinforced in February 2026 that advisers remain legally accountable for AI-influenced advice.

Model Risk Management Under SR 11-7

Federal Reserve SR 11-7 and the April 2026 revised model risk guidance (SR 26-2 and OCC Bulletin 2026-13) require validation, documentation, ongoing monitoring, and independent review for consequential models at institutions over $30 billion in assets. The revised guidance explicitly excludes generative AI and agentic AI from its formal scope — acknowledging they are too novel to fit existing definitions — but that exclusion simply means existing principles apply without a defined safe harbor, not that those systems are ungoverned.

State-Level Complexity

Multi-state institutions face overlapping and sometimes conflicting obligations:

  • Colorado SB24-205 creates duties for deployers of high-risk AI systems to protect consumers from algorithmic discrimination in lending and financial services
  • California AG advisories (January 2025) confirm that existing civil rights, consumer protection, and privacy laws apply to AI developers and users
  • NYDFS issued cybersecurity guidance in October 2024 requiring covered entities to assess AI-related risks under 23 NYCRR Part 500, with a follow-up letter in May 2026 specifically addressing frontier AI model risks

[Figure: multi-regulator AI compliance obligations map covering FINRA, SEC, NYDFS and state laws]

No single regulator defines the full exposure. Firms that build governance frameworks around one ruleset will find gaps the moment a second jurisdiction examines the same AI system.


Key Trend 2: Shadow AI Is Now a Documented Compliance Exposure

Defining the Problem

Shadow AI refers to employees using unapproved AI tools — standalone apps, browser extensions, personal ChatGPT accounts — outside firm-sanctioned governance frameworks to handle customer data, draft communications, or support regulated workflows. The firm cannot supervise what it cannot see.

The scale is significant. An American Banker survey found that 30% of banks were already restricting generative AI tools for at least some employees — a figure that reflects how widespread unsanctioned use has become. A separate DeepL survey cited by Finextra found 65% of UK finance professionals reported using unsanctioned AI tools for customer interactions.

When the SEC charged 11 Wall Street firms in August 2023 for widespread recordkeeping failures involving off-channel communications, it established a clear precedent: the method of communication does not eliminate the retention obligation. Shadow AI creates the same exposure: AI-influenced decisions and communications that are never captured, never reviewed, and never reconstructable during an examination.

How AI Enters Without Formal Approval

AI typically enters financial firms through four channels, each with a distinct risk profile:

Channel                          Example                              Primary risk
Standalone tools                 Personal ChatGPT, Claude accounts    No retention, no supervision
Embedded in approved platforms   Copilot in Microsoft Teams           Outputs may not trigger recordkeeping
Agentic AI with system access    Autonomous workflow agents           Actions taken without human sign-off
Process-specific AI              Vendor underwriting tools            Third-party accountability gaps

Practical Controls

Institutions that have addressed shadow AI effectively have done three things:

  1. Published an approved tool list with documented vetting criteria visible to all staff
  2. Extended monitoring to communication channels where AI-generated content may appear
  3. Trained employees on what constitutes a recordkeeping obligation — including the outputs of AI tools they use personally

Boards and audit committees should treat shadow AI inventory as a standing governance item — not a one-time policy exercise. The failure mode is identical to off-channel communications, and regulators have shown they will enforce the retention obligation regardless of the tool that generated the content.


Key Trend 3: Agentic AI Is Rewriting the Accountability Playbook

What Makes Agentic AI Different

Traditional AI tools produce outputs that a human reviews and acts on. Agentic AI takes the action itself: initiating trades, flagging credit decisions, generating client communications, triggering payments across multiple systems without a human approving each step.

FINRA defines AI agents as systems capable of autonomously performing tasks and making decisions within defined parameters. Deloitte describes them as systems that reason, execute complex tasks, and reach goals with minimal human supervision.

That autonomy creates a governance problem that existing frameworks were not designed to handle.

Where Accountability Breaks Down

Access control frameworks, escalation thresholds, and audit trails were built assuming a human sits somewhere in the decision chain. When an AI agent takes an action affecting a customer or regulatory outcome, examiners expect the firm to:

  • Attribute the action to a human identity who owned the decision
  • Document what data the agent accessed and at what point
  • Show which policy controls were evaluated at each step
  • Produce a complete audit trail on demand

Agentic workflows break every one of those assumptions. JPMorgan Chase has noted publicly that AI agents combine untrusted inputs, sensitive data access, and authority to act externally — creating a combination that demands dedicated security and accountability controls most firms haven't built yet.

[Figure: agentic AI accountability breakdown showing four governance failure points in autonomous workflows]

That gap isn't theoretical. Major institutions are already operating agentic AI in production, and the accountability risks are live.

Current Deployments and Their Risks

  • BNY — agents handling coding tasks and payment-instruction validation
  • JPMorgan Chase — LAW (Legal Agentic Workflows) for complex legal document processing
  • Citi — AI agents deployed to software development teams as of July 2025
  • Intesa Sanpaolo — a multi-agent framework called HEnRY in development

Each deployment carries distinct accountability risk. Credit underwriting agents affect individual consumers under ECOA; fraud detection agents make consequential decisions at scale; client communications agents produce records subject to retention rules. None of these can be governed with frameworks designed for human-initiated workflows.

For boards, the accountability gap between current deployments and current governance frameworks is where liability concentrates. Closing it requires three concrete commitments.

What Board-Level Accountability Looks Like

  • Name an owner. Each autonomous workflow needs a named human who is accountable for its outputs and answerable to the board when something goes wrong.
  • Document what the agent can and cannot do. Explicit decision-right parameters — written down, approved, and version-controlled — are the baseline for any defensible governance posture.
  • Set escalation thresholds before deployment, not after. Define the specific conditions that require human review before the agent executes, not in response to an incident or an examiner's question.
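The three commitments above can be enforced in code rather than left as policy text. This added example (not from the original article) shows a named owner, version-controlled decision rights and pre-deployment escalation thresholds checked before every agent action, with each outcome written to a hash-chained audit trail that can be produced and verified on demand; all names, limits and sample data are constructed.

```python
# Added illustration, not code from the original article: decision-rights gate
# and chained audit trail for an autonomous agent. Names and limits are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import json

@dataclass
class DecisionRights:
    owner: str                # named human accountable for the workflow
    allowed_actions: set      # decision-right parameters: what the agent may do at all
    escalation_limits: dict   # action -> amount above which a human must review first
    version: str              # version-controlled policy identifier

def _digest(record: dict) -> str:
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

@dataclass
class AuditTrail:
    records: list = field(default_factory=list)
    prev_hash: str = "0" * 64

    def append(self, record: dict) -> dict:
        # Each record commits to its predecessor, so a deleted or edited entry
        # breaks the chain and is detectable when the trail is produced on demand.
        record["prev_hash"] = self.prev_hash
        record["hash"] = _digest(record)
        self.prev_hash = record["hash"]
        self.records.append(record)
        return record

    def verify(self) -> bool:
        prev = "0" * 64
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if r["prev_hash"] != prev or _digest(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True

def gate_action(rights, trail, action, amount, data_sources, model_version):
    """Check a proposed action before it runs; returns executed/escalated/denied."""
    controls = ["allowed_action"]
    if action not in rights.allowed_actions:
        outcome = "denied"
    else:
        controls.append("escalation_limit")   # escalated = a human reviews first
        outcome = "escalated" if amount > rights.escalation_limits.get(action, 0) else "executed"
    trail.append({
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "owner": rights.owner,                  # who answers to the board for this
        "policy_version": rights.version,
        "model_version": model_version,
        "action": action,
        "amount": amount,
        "data_accessed": sorted(data_sources),  # what the agent read, for reconstruction
        "controls_evaluated": controls,
        "outcome": outcome,
    })
    return outcome
```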

Key Trend 4: Explainability and Audit Readiness Are Now Baseline Expectations

Explainability already has enforcement history behind it.

CFPB Circular 2022-03 established that creditors using complex algorithms — including black-box models — must provide specific, accurate reasons for adverse action. ECOA does not permit a creditor to use technology that prevents compliance with that obligation. A follow-up circular in 2023 confirmed that sample-form checklists are insufficient when the listed reasons do not specifically match the actual basis for the decision.

The Black-Box Problem

That obligation creates a direct tension with how high-accuracy models typically work. Statistical models that deliver strong predictive performance often resist the documentation standards regulators expect. Governance frameworks must address this directly:

  • Define which use cases permit complex, opaque models (and what compensating controls apply)
  • Define which use cases require simpler, interpretable models where adverse action explanations must be generated
  • Document the rationale for each classification before the model goes into production

Model Drift Is a Governance Requirement

Models trained on historical data degrade as market conditions shift. A model that performs well in stable conditions can produce systematically flawed outputs during stress periods — without any visible failure signal until a compliance review surfaces it.

SR 11-7 and SR 26-2 both require ongoing monitoring to confirm models are performing as intended. NIST AI RMF 1.0 treats AI risk management as a continuous process, not a deployment gate.

In practice, governance frameworks must assign ownership for monitoring, define thresholds that trigger review, and document the monitoring cadence as a matter of record.

[Figure: AI model governance lifecycle showing monitoring ownership, thresholds and documentation requirements]

Vendor Models Do Not Transfer Accountability

OCC Bulletin 2023-17 is direct: using a third party does not diminish a banking organization's responsibility to perform activities in a safe and sound manner and in compliance with applicable law. When an institution deploys a vendor-supplied credit model, the institution owns the regulatory outcome.

Third-party AI risk management is not a procurement concern. It is a core governance obligation with two non-negotiable components:

  • Documented review of the vendor model before deployment
  • Ongoing oversight of model performance after go-live

What's Driving These AI Governance Trends in Financial Services

The governance challenge is proportional to the opportunity. McKinsey estimates that generative AI could add $200 billion to $340 billion in annual value to global banking — roughly 9% to 15% of operating profits. That number drives deployment decisions faster than governance frameworks can follow.

A Deloitte survey of EMEA banks puts the adoption gap in sharp relief:

  • 94% of large banks and 62% of small banks have deployed GenAI
  • 50%+ of financial institutions cite transparency and explainability as a primary challenge
  • 39% identify a lack of internal skills and capabilities as a barrier

[Figure: GenAI adoption versus governance gap statistics showing deployment rates and key challenge percentages]

Regulators are applying existing frameworks because bespoke AI legislation cannot keep pace with deployment speed. Governance gaps that appear tolerable today will be examined under rules already on the books — SR 11-7, FINRA Rule 3110, ECOA, and Reg BI.

Institutions with documented governance failures face enforcement actions, civil liability, and the reputational cost that follows an AI-driven consumer harm event.

Domestic exposure is only part of the picture. For institutions with cross-border operations, the EU AI Act adds another layer of obligation. Credit scoring AI is classified as high-risk under the Act — which entered into force in August 2024 — creating documentation and conformity requirements that go well beyond current US principles-based expectations.


How These Trends Are Reshaping Financial Institutions

Operational Impact

Compliance teams must now extend existing supervision frameworks to AI-generated outputs. Meeting summaries, research reports, client communications, and credit decisions produced or influenced by AI carry the same retention obligations as human-authored records — full stop.

That extension requires a live inventory of every AI system in use, including third-party and vendor-provided tools. Governance cannot operate on assumptions about what AI is deployed where. Before any new AI application touches regulated activity, institutions need documented review processes that assess supervision obligations, recordkeeping requirements, and model risk classifications.

Strategic Impact

AI governance has become a board-level investment decision. Cross-functional governance councils — spanning compliance, legal, technology, and risk — are replacing ad hoc committee structures, and examiners can tell the difference during a review.

Organizations facing transition are particularly exposed: new leadership, post-incident recovery, and M&A integration all create governance blind spots where existing controls may not have been tested under stress. In these scenarios, the AI governance inventory may be incomplete, decision rights may be undocumented, and the escalation chain may not account for AI-driven workflows at all.

Engaging an advisor with governance expertise — rather than waiting for internal capacity to develop — compresses the timeline from months to weeks.

Tyson Martin's AI Governance Starter Pack is a fixed-fee 30-day sprint designed for boards moving from zero formal AI governance to a defensible posture. It delivers an AI risk assessment, a decision-rights map, a board-level AI policy, and a facilitated director briefing — without the lead time required to build that capability from scratch internally.

Workforce Impact

The skills gap runs in both directions:

  • Compliance officers need functional AI literacy to identify what supervised activity looks like when AI is in the loop
  • Model developers and data scientists need to treat governance requirements as design constraints from the start — not approval gates at the end of a project

Institutions that close this gap early build compliance into the model lifecycle rather than retrofitting it under examination pressure.


Frequently Asked Questions

What is AI governance in financial services, and why does it matter in 2026?

AI governance is the set of policies, controls, and oversight mechanisms that make AI systems deployable in regulated environments — covering model validation, supervision, recordkeeping, and accountability. In 2026, that means active regulatory examination: FINRA, the SEC, and federal banking regulators are now asking for documentation, not stated intentions.

Which regulators are most actively scrutinizing AI governance at financial institutions?

FINRA (via Regulatory Notice 24-09 and its 2026 examination priorities), the SEC (applying existing disclosure and fiduciary obligations to AI-influenced advice), and NYDFS (requiring AI cybersecurity risk assessments under 23 NYCRR Part 500) are the most active. Federal banking regulators apply SR 11-7 and the revised SR 26-2 model risk framework to consequential AI use cases at larger institutions.

What is shadow AI, and how does it create compliance risk?

Shadow AI refers to employees using unapproved AI tools outside firm-sanctioned frameworks to handle customer data, draft communications, or support regulated workflows. It creates supervision blind spots, data leakage risk, and recordkeeping failures — because activity the firm cannot see cannot be supervised, retained, or produced during an examination.

How should a board oversee AI governance without getting lost in technical detail?

Boards should establish clear decision rights and escalation thresholds for AI decisions, and require a current inventory of all AI systems in use — including vendor-supplied tools. The governance structure must demonstrate active oversight during an examination, not just point to a policy document that no one enforces.

What are the biggest operational risks when AI governance is absent?

The three most common failures are:

  • Model drift — performance degradation compliance teams cannot detect without active monitoring
  • Biased training data — compliance failures at scale across credit or fraud decisions
  • Missing audit trails — no way to reconstruct AI-influenced decisions when examiners or opposing counsel ask

How do financial institutions prepare for AI-related regulatory examinations?

Maintain a current AI system inventory with documented approval workflows, and ensure every AI-influenced decision in a regulated activity can be reconstructed with timestamps, model version, and data inputs. Treat that reconstruction capability as a standing operational requirement — not something assembled after an exam notice arrives.