The EU AI Act enforcement obligations for high-risk AI systems, including credit scoring, are now law, with a compliance deadline of December 2, 2027. The enforcement action that will define AI governance in financial services this decade will not come from a model that hallucinated - it will come from an institution that cannot explain, in a form a regulator accepts, why an AI system made a consequential decision.
The European AI Office, established under the EU AI Act, sets the global standard. It is the only body in the world with a specific statutory mandate and enforcement powers covering foundation models, with binding law and broader risk category coverage than any other jurisdiction. For multinational organisations with EU operations, building to that standard satisfies most other frameworks as a byproduct.
In the US, the FTC continues to use Section 5 of the FTC Act for AI claims that overstate capability or rely on undisclosed AI processing of consumer data. The Treasury Department published a financial services AI framework in February 2026, translating NIST AI RMF principles into 230 mapped control objectives. At the state level, Colorado enacted revised AI legislation effective January 1, 2027, followed by California.
The regulation that left generative AI out
SR 26-2, issued jointly by the Federal Reserve, OCC, and FDIC in April 2026, revised model risk management standards for US banking organisations above $30 billion in assets. Its most consequential provision is what it did not address. The guidance has no specific requirements for generative AI or agentic AI, describing them as "novel and rapidly evolving" - regulatory language for deferred. Institutions are expected to apply existing risk management principles in the meantime, with agency guidance expected in the near future. That is not the same as having governance standards.
The exclusion means the explainability gap remains open. SR 26-2 updates the governance standard for traditional quantitative models. It does not close the regulatory uncertainty around the AI systems institutions are already deploying at scale. For finance leaders navigating this gap, the AI for Finance resource hub covers the applications, risk, and compliance dimensions that are becoming central to the role.
What a defensible audit trail actually requires
A defensible AI audit trail captures the prompt, model version, dataset snapshot, reasoning chain, and output in a replicable, timestamped form. To satisfy a regulator or a court, it must be tamper-evident and independently replicable by a third party. That standard separates an evidential record from a well-organised folder of AI outputs. Most risk teams currently lack that capability, and the difference between filing outputs and building a chain of evidence is what a regulator will notice first.
Prompt inventories are closer to a regulatory inevitability than a best practice recommendation. If a prompt is a material input to a decision that affects a customer, a risk position, or a regulatory determination, then changing that prompt changes the decision logic. Under SR 26-2's model risk management framework, a material change to a model's inputs or logic triggers re-validation. A prompt that evolves informally, without version control or change documentation, is functionally an unvalidated model change. A prompt inventory needs four components: the prompt in versioned, immutable form; the date and author of each change; the rationale for the change; and the validation that confirmed the revised prompt produced appropriate outputs before going into production.
The drift problem nobody is catching
Model drift - the gap between the data distribution an AI was trained on and the conditions it encounters today - creates direct regulatory exposure under validation requirements in credit scoring, fraud detection, and risk model outputs. Most institutions have the tooling to detect it. Few have built the monitoring infrastructure to act on it. The constraint is incentive, not capability.
Risk leaders know drift is occurring. But when an AI system is still producing commercially favourable outputs, there is no internal pressure to intervene until a regulator, an auditor, or a loss event forces the question. The most dangerous version of the problem is the institution that believes its AI system is still performing correctly because nobody built the monitoring infrastructure to detect that it stopped doing so six months ago. That infrastructure exists. Most risk teams just have not built it yet.
The financial industry is converging on a small number of AI infrastructure providers. When multiple systemically important institutions run variants of the same foundation model in their risk functions, a model failure produces correlated losses across the system simultaneously. Concentration amplifies the exposure, and protection requires governance established before deployment, not retrofitted after it, with third-party AI risk embedded in procurement as a prerequisite rather than a compliance afterthought. For CFOs and senior finance leaders who own the accountability for these governance decisions, the AI Learning Path for CFOs provides structured training on managing AI risk and strategy across the organisation.
Why this matters for finance professionals
The organisations that build governance infrastructure now - audit trails, prompt inventories, third-party AI risk programmes, explainability frameworks, and drift monitoring - are not just managing compliance risk. They are building the infrastructure that will determine whether AI in financial services creates durable value or durable liability. The question a regulator will ask is whether you can explain how your model made the decision. If your governance programme cannot answer that question in a form that satisfies a court, the accountability gap is already open, and a regulator will close it for you.
Your membership also unlocks: