Four in five banks now use AI to manage operational risks, according to Risk.net's 2026 Op Risk Benchmarking study, which drew a record 61 institutions globally. Cyber risk detection is the fastest-growing front, but accountability for AI risk remains fragmented - and that is starting to curb deeper investment decisions.
Doubts about return on investment are slowing AI deployments, especially at regional banks with leaner model risk teams. The gaps in governance are wide enough that banks now treat AI as both a management tool and a source of new exposure.
Cyber risk leads AI use cases
Cyber risk is the fastest-growing AI deployment area within operational risk, per the study. Banks apply algorithmic tools to threat detection, anomaly monitoring, and fraud alerting. At the same time, AI risk itself climbed to fifth place in Risk.net's Top 10 Op Risks for 2026 - up from a lower spot in prior years - showing that AI is now a significant risk category in its own right.
No standard method yet exists for classifying AI risk within established operational risk taxonomies. The overlap creates a dual challenge: the tools used to control risk are also a growing source of it.
Governance gaps and ROI doubts
Accountability for AI risk remains scattered, the study's companion reporting found. Second-line risk functions are asserting ownership of AI governance, but many banks lack controls that match their deployment speed. Regional institutions with smaller model risk teams indicated they need clearer proof of return before committing to broader AI use.
"Doubts about ROI are slowing deeper investment," the Risk.net report said, "particularly at regional banks with leaner model risk teams." Without an agreed framework to place AI risk inside existing operational risk categories, risk teams continue to build governance piecemeal.
Wider surveys reinforce the pattern
The findings echo concurrent research. The EY-IIF Global Bank Risk Management Survey documented banks racing to adapt governance to both traditional and emerging risks. The Cambridge Centre for Alternative Finance's 2026 Global AI in Financial Services Report described rapid AI deployment across the sector alongside institutional caution about control frameworks.
A recurring theme across all three studies is that AI deployment is outpacing institutional governance capacity. Risk teams are embedding AI into processes faster than second-line functions can build the safeguards to oversee it.
Regulators are paying attention
Risk.net's 2026 data also shows risk appetite breaches climbing in cyber, operational resilience, and third-party risk categories - all areas where AI plays an expanding role. Regulators globally are expected to intensify scrutiny of how banks manage AI-driven exposures.
Why this matters for operations
AI is already in the operational risk toolkit, but the controls around it are not. For operations professionals, that gap is an immediate workload signal. Teams that can assess AI risk classification, monitor model performance, and communicate ROI to risk committees will influence deployment decisions and reduce exposure to regulatory friction. The distance between deployment speed and governance readiness is a concrete opportunity to shape how the function evolves.
Your membership also unlocks:
