AI regulation moves closer to the finance function
Date published: October 3, 2025
AI is already influencing how finance teams forecast, control spend, and detect fraud. Now regulation is catching up. The EU AI Act and UK regulator guidance will increase expectations on governance, transparency, and accountability across the finance stack.
The EU AI Act sets the tone
The EU AI Act introduces a risk-based framework with strict duties for "high-risk" uses, including credit scoring, fraud detection, and employee management. If you operate in or sell to the EU, compliance will be a requirement, not a nice-to-have.
CFOs must know where AI shows up in forecasting models, payment workflows, and supply chain monitoring. Expect obligations around documented oversight, data controls, testing, and clear explanations of how models influence decisions. See the EU Council's overview of the law for context: EU AI Act - final approval.
UK regulators take their own path
The UK is using sector regulators instead of a single AI law. The FCA and PRA have flagged AI as a supervisory priority with focus on algorithmic decision-making, model governance, and explainability. Finance functions should expect more questions on how AI influences reporting, credit assessments, and compliance workflows.
The government's policy sets the direction and expects regulators to enforce as adoption grows. Read the policy paper here: A pro-innovation approach to AI regulation.
Why this matters for CFOs
AI promises lower costs, faster analysis, and better controls. Regulators worry about bias, opaque models, and overreliance on systems that people can't explain. That puts finance leaders on the hook for stronger oversight.
- Governance: Define who owns each model, the decisions it supports, and the approval process for changes.
- Transparency: Be ready to show auditors and regulators how inputs become outputs and how those outputs affect the numbers.
- Vendor management: Third-party tools using AI will fall under your obligations. Require documentation, testing evidence, and audit rights.
What to do now: a practical 90-day plan
- Create a single inventory of AI use across finance: forecasting, close, payments, treasury, tax, compliance, audit.
- Classify use cases by risk and jurisdiction exposure (EU, UK, other).
- Assign an executive owner and model steward for each system; set approval and change-control gates.
- Document data lineage, training data sources, and data quality checks.
- Stand up model risk controls: validation, backtesting, bias and drift checks, and periodic reviews.
- Produce audit-ready artifacts: purpose, assumptions, limitations, KPIs, and version history.
- Tighten vendor due diligence: request model cards, testing reports, security attestations, and incident logs; update contracts with compliance clauses and SLAs.
- Update policies (AI use, data, privacy, IT change) and align with existing SOX and internal control frameworks.
- Train finance, risk, and internal audit on AI basics, model risk, and explainability requirements.
- Implement monitoring and incident management for AI-related errors or bias events.
- Brief the audit committee; establish a cross-functional AI oversight forum and reporting cadence.
- Set a compliance timeline with milestones for 2025-2026 and budget for gaps.
Timeline and enforcement
The EU AI Act phases in through 2025-2026, with earlier deadlines for banned practices and obligations for providers and users of high-risk systems. The UK approach will build through regulator guidance and supervision cycles. Cross-border groups should plan to meet the stricter standard where rules differ.
Common pitfalls to avoid
- Relying on black-box tools without a way to explain outputs that affect financial statements.
- Assuming the vendor covers compliance; you, as the user, still carry obligations.
- Ignoring "shadow AI" in spreadsheets, macros, and plugins used by analysts.
- Weak change management for model updates and prompt template changes.
- Skipping bias, stress, and scenario tests before rolling models into production.
Be ready for audit and regulator review
- Model inventory and risk classification.
- Policies and control matrices mapped to SOX/ICFR where relevant.
- Explainability summaries and challenge logs for key models.
- Validation packs with test results, thresholds, and approvals.
- Data protection impact assessments where required.
- Third-party due diligence files and contract clauses covering AI obligations.
- Training records and evidence of ongoing monitoring.
Build capability inside finance
AI will sit inside core finance workflows. Upskill your team on model risk, data quality, controls, and prompt discipline so they can use these tools with confidence and accountability.
If you need practical resources, see curated AI tools for finance or explore role-based learning paths by job function.
Your membership also unlocks:
