“AI is no longer an innovation story. It is a governance story.”

Across banking, payments, capital markets and insurance, artificial intelligence systems are no longer advisory tools. They now:

• Approve or decline customers
• Trigger fraud interdictions
• Block sanctions payments
• Freeze accounts
• File suspicious activity reports
• Allocate capital
• Execute trades
• Automate regulatory surveillance

At scale, these decisions carry direct financial, regulatory and societal consequences. A biased model can create systemic financial exclusion. A poorly governed fraud engine can cause mass customer harm. A hallucinating generative AI system can fabricate regulatory submissions. A weak sanctions model can expose institutions to significant enforcement risk.

In this new paradigm, algorithms are not merely analytical assets. They are regulated decision-makers.

AI Is Now a Regulated Model

Supervisors globally have made it clear that AI does not sit outside the perimeter of prudential regulation.

In the United States, supervisory guidance under SR 11-7 is now applied in practice to machine learning models used in credit underwriting, fraud detection, transaction monitoring, and sanctions screening. The Office of the Comptroller of the Currency, Federal Reserve, and FDIC routinely review AI models under model risk examinations.

In the United Kingdom, the Prudential Regulation Authority’s SS1/23 model risk framework explicitly includes machine learning and advanced analytics, requiring firms to demonstrate explainability, performance stability, governance, and independent validation.

The European Central Bank’s TRIM framework similarly captures AI-driven risk models, while the EU AI Act introduces direct legal obligations around algorithmic transparency, fairness and control.

From a supervisory perspective, the principle is simple: If a model influences a regulated decision, it is itself regulated.

[....]