Financial Firms Are Deploying AI Faster Than They Can Govern It, New Report Warns

By Hector Herrera | June 5, 2026 | Finance

Ninety-four percent of financial services firms are now running generative AI in core functions — and the compliance frameworks meant to govern those systems weren't designed for what AI can actually do. A joint report from the London Foundation for Banking and Finance (LBFB) and the Institute and Faculty of Actuaries (IFoA) warns that the financial sector is accumulating governance debt at the same pace it's deploying AI — and the gap is widening.

The report introduces the first AI risk taxonomy for financial services developed by professional industry bodies rather than regulators or vendors. Its central argument is not that AI is dangerous — it's that the governance infrastructure currently in place was built for a different kind of system and is failing to keep pace with what's actually in production.

Context

AI adoption in financial services has been rapid. Credit underwriting, claims processing, fraud detection, customer service, and algorithmic trading have all absorbed generative AI in the past 18 to 24 months. According to the joint LBFB/IFoA report covered by Insurance Edge, 94% of surveyed firms are now piloting or deploying generative AI in core business functions — a figure that would have been implausible two years ago.

The regulatory response has been slower. Most compliance frameworks still treat AI as a sophisticated statistical model — not as a system capable of independently taking multi-step actions with real financial consequences and no deterministic output.

The Tensions the Report Identifies

The LBFB and IFoA identify what they call "uncomfortable tensions" — structural mismatches between what generative AI does and what current oversight frameworks can see:

Speed vs. explainability. The same pattern-recognition capability that makes generative AI useful also makes it hard to audit. When a model declines a loan application or flags a claim as fraudulent, the output often can't be decomposed into a simple chain of reasoning that satisfies fair-lending or claims-handling regulations. The system arrived at the right answer; no one can fully explain how.

Scale vs. containment. AI agents don't just produce individual outputs — they execute sequences of actions autonomously. A compliance regime built to review individual model outputs has no mechanism for monitoring an agent that takes 40 steps across multiple systems before a human reviews the result.

Accountability vs. automation. As AI handles more decisions, the question of who is legally responsible for errors becomes harder to answer. Firms are building liability exposure without fully recognizing the governance gap beneath it.

A New Risk Taxonomy

The report's substantive contribution is a risk classification system for financial AI deployments. It categorizes systems by three factors: decision autonomy (how much the system acts without human approval), reversibility (whether the action can be undone), and systemic potential (whether a single failure could cascade across accounts, counterparties, or markets).

Agentic AI systems — those that take multi-step actions across systems without step-by-step human sign-off — are identified as the highest-risk category. They're also the category with the fewest governance controls currently in place across the industry.

The authors are direct about why: existing frameworks like SR 11-7 (the U.S. Federal Reserve's model risk guidance) and FCA model rules were designed for deterministic models with stable inputs and predictable outputs. Applying them to probabilistic, context-adapting LLM-based agents creates what the report calls "governance theater" — the appearance of oversight without the substance.

What This Means for Banks and Insurers

The practical implication is competitive as much as compliance-driven. Firms that can demonstrate robust AI governance — audit trails, documented accountability chains, human escalation protocols, and explainability artifacts — will be better positioned when regulatory requirements tighten. And they're expected to tighten. Firms that can't explain an AI credit decision to a regulator will face increasing legal exposure as these systems scale.

The harder organizational challenge is structural. Most financial institutions are built around product lines and business units, not cross-functional AI governance capabilities. Building the teams and processes to monitor, audit, and escalate AI agent decisions requires changes to how compliance and risk management functions operate — a slower transformation than deploying the AI systems they need to oversee.

For compliance officers and risk teams, the LBFB/IFoA taxonomy offers something practical: a framework for benchmarking their current governance posture against what regulators are likely to require, before those requirements are imposed.

What to Watch

UK and EU regulators are expected to issue updated AI-in-finance guidance in the second half of 2026. The IFoA framework is likely to be referenced in those consultations as a professional-body standard. Firms that engage with it now are preparing for requirements that are already taking shape.

The deeper question is whether the financial industry's self-governance instincts — historically strongest when the threat is systemic — will activate before regulators force the issue. The 94% deployment figure suggests the industry is too far into AI adoption to pull back. The question is whether the governance infrastructure will catch up in time.