Interview: Ritesh Singhania, CEO of Zango AI — The financial scandal that hasn’t happened yet
Zango AI is betting that the future of financial services will not be defined simply by who adopts artificial intelligence fastest, but by who can govern it before it scales out of control.
For years, the debate around artificial intelligence in financial services was framed as a question of adoption. When would banks, insurers, asset managers and fintechs move beyond experimentation and start using AI at scale?
That question now feels dated. AI is no longer waiting at the edge of the financial sector. It is already embedded in fraud detection, transaction monitoring, KYC, customer support, marketing, regulatory analysis, document review and operational workflows. Increasingly, it is also entering the very functions designed to supervise risk.
The harder question is no longer whether financial institutions will use AI. It is whether they can govern it.
That is the central argument behind The Future of AI Governance & Compliance in Financial Services, an international report coordinated by Zango AI and presented at the House of Lords in the UK. Based on conversations with senior figures across risk, compliance, legal and AI governance, the report points to an uncomfortable reality: financial institutions are deploying AI faster than they are building the internal structures required to oversee it.
This is not a narrow technical issue. In financial services, governance is infrastructure. It is how trust is maintained, how risk is controlled, how executives remain accountable, and how institutions prove to regulators that innovation has not outrun responsibility.
Zango AI sits directly inside this tension. Founded by Ritesh Singhania and Shashank Agarwal, the company describes itself as an AI compliance layer for financial services. Its platform is designed to help institutions automate regulatory change management, obligation mapping, policy governance, compliance gap analysis, control testing, and audit evidence management.
Image: Ritesh Singhania, credits Zango AI
In other words, Zango is not selling AI as a glossy productivity layer. It is trying to use AI to modernise one of the least glamorous but most critical parts of financial infrastructure: compliance.
That positioning matters. Compliance teams are under pressure from two sides. Regulation is becoming more complex, fragmented and fast-moving. At the same time, internal business teams are adopting AI tools that pose new risks at a pace traditional oversight models were not built to keep up with.
The result is a widening gap between deployment and supervision.
Historically, financial regulation was built around relatively predictable systems. The same input would produce the same output. Models could be back-tested, documented, validated and reviewed against known benchmarks. Generative AI changes that logic. Its outputs are probabilistic, context-dependent and often impossible to validate against a single correct answer.
Agentic AI goes further still. These systems do not merely generate text, summaries or recommendations. They can take actions, interact with tools, trigger workflows and operate across systems. At that point, governance is no longer just about checking outputs. It becomes about supervising behaviour.
That is where the risk becomes sharper. A misconfigured AI agent in a financial institution does not make errors at human speed. It can repeat them instantly, at scale and across thousands or millions of interactions.
Image: Zango AI tool snapshot, credits Zango AI
Interview insights: “Adoption is outpacing governance”
For Ritesh Singhania, CEO and co-founder of Zango AI, the danger begins as soon as AI is used without proper governance. But the move towards generative and agentic systems has entirely changed the risk profile.
“Unlike earlier AI, these systems are probabilistic and non-deterministic,” he says. “They do not produce repeatable outputs that can be tested against a single correct answer. That makes conventional validation approaches inadequate.”
Singhania argues that the real issue is not AI adoption itself, but the speed at which it is outpacing governance. In many firms, the most mature AI use cases sit in the first line of defence: the teams building products, running operations and capturing efficiency gains. These teams have clear incentives to move quickly.
The second line of defence — risk, compliance and oversight — is often further behind. Many of these functions were designed around human workflows, periodic reviews and sample-based monitoring. They were not built to challenge autonomous systems operating continuously.
“The systems are live before the oversight of them is,” Singhania says.
He identifies three main reasons for the lag. The first is economic pressure. Firms can capture cost savings and efficiency gains before governance frameworks are fully mature. The second is a capability gap, particularly within risk and compliance teams, which may lack the technical literacy needed to challenge advanced AI systems. The third is the absence of a shared operational standard for AI governance in financial services.
That last point is central to Zango’s argument. Regulation already exists in many forms: data protection, conduct rules, operational resilience, outsourcing requirements, model risk management, senior management accountability and, in Europe, the AI Act. But principles are not the same as implementation.
Financial institutions still need practical answers. How should AI systems be inventoried? How should risk be classified? What controls are appropriate for generative or agentic systems? How should firms validate variable behaviour? Who is accountable when a model supplied by a third party causes harm? What evidence should be available to auditors and regulators?
According to Singhania, every institution is currently trying to answer these questions for itself. “There is no common baseline,” he says.
The report argues that the industry needs sector-specific operational guidance, developed with practitioners and regulators, rather than leaving each institution to rebuild the same frameworks in isolation. Singhania points to examples elsewhere: the United States has adapted the NIST framework into a financial services AI risk management framework, while Singapore has worked on similar issues through the Monetary Authority of Singapore’s Project MindForge.
In the UK and Europe, he argues, the missing layer is practical implementation.
Visibility is another major concern. Several institutions interviewed for the report did not have a full picture of where AI was being used internally. That is a fundamental problem. A firm cannot govern systems it cannot see. It cannot classify risks it has not mapped. It cannot hold teams accountable for tools that are being used informally, experimentally or through third-party software.
The issue becomes even more serious as AI begins to enter oversight itself. Some firms are already exploring the use of one model to validate another. That may improve efficiency, but it also creates a new kind of dependency. If the second line cannot assess whether automated validation is sound, oversight risks becoming little more than endorsement.
For Singhania, the answer is not to remove people from the loop. It is to rebuild human capability around the new technology.
“Governance has to become a distributed skill, embedded in every line, rather than the preserve of a few specialists,” he says.
AI can strengthen compliance by moving firms from periodic sampling to real-time analysis of entire datasets. But that only works if teams understand the tools well enough to use them, question them and intervene when they fail.
Full Q&A: Ritesh Singhania on why AI governance is becoming finance’s next critical infrastructure
Your report argues that the real issue is no longer AI adoption, but AI governance. At what point does “using AI” become genuinely dangerous for a financial institution without the right governance behind it?
Using AI is always dangerous without the right governance behind it. But the risk profile has shifted fundamentally with the move to generative and agentic systems. Unlike earlier AI, these systems are probabilistic and non-deterministic - they do not produce repeatable outputs that can be tested against a single correct answer. That makes conventional validation approaches inadequate.
What our research shows is that adoption is rapidly outpacing governance across the sector. In the EU, 92% of financial institutions use AI. The technology is being deployed faster than the frameworks meant to govern it - and that gap is widening.
The stakes become particularly acute with agentic AI, which does not just generate outputs but takes actions autonomously. At that point, harm no longer accumulates at human speed. Payment protection insurance - the UK’s largest mis-selling scandal - took years to reach £38 billion in redress. With ungoverned AI agents, as one compliance leader in our research put it, that could happen in weeks.
One of the most striking ideas in the report is that financial institutions are deploying AI faster than they can govern it. Why is governance lagging so far behind deployment?
There are a number of factors that pull in the same direction. Adoption is most mature in the first line of defence, the teams that build and run the systems, where data is structured and the commercial case is immediate; fraud detection, transaction monitoring and KYC screening are already embedded there.
But the second line of defence - the independent risk and compliance functions whose job is to challenge and oversee what the first line does - is significantly behind. Those teams were designed around human workflows that do not absorb AI cleanly, and many are only beginning to deploy the tools they would need to oversee what the first line is already running. Ultimately, the systems are live before the oversight of them is.
To summarise why governance is lagging behind:
• Economic pressure. Firms capture efficiency gains upfront even where governance frameworks are still evolving. As one Chief Risk Officer told us, firms sometimes want to capture those cost savings even before the model is perfected.
• A capability gap. Recent UK government research places some of the biggest AI skills shortfalls in compliance and risk teams.
• No shared AI governance standard. There is no sector-specific guidance in the UK or EU translating regulatory principles into operational practice, so every firm interprets the same rules alone and rebuilds the same frameworks from scratch.
That last point is the one worth emphasising. At Zango AI, we see this directly. When we work with financial institutions to deploy AI agents - whether for regulatory change management, financial promotions review, or compliance gap analysis - they are each asking different questions and arriving at different answers. There is no common baseline. That is precisely why the sector needs a shared AI governance implementation standard rather than every institution solving the same problem in isolation.
Other jurisdictions have already moved. The United States has adapted the NIST framework into a Financial Services AI Risk Management Framework, built with the US Treasury and more than a hundred institutions. Singapore has done equivalent work through the Monetary Authority’s Project MindForge. We even have a strong domestic precedent in the Joint Money Laundering Steering Group in the UK, where industry writes detailed operational guidance and government endorses it. Nothing comparable exists for AI in the UK and EU yet, and until it does, the governance lag is the predictable result.
The report suggests that many firms still do not fully know where AI is being used internally. How can a company govern systems it cannot properly see or map?
It cannot, and that is the uncomfortable starting point. Visibility is the precondition for governance, not an optional extra. In several institutions we studied, compliance and risk functions had limited insight into which AI tools were actually in use across the business.
One Head of Compliance admitted that, asked to show everywhere AI was being used, no answer would be available. Another told us that without visibility you miss things, and that the range of quality in use cases ran from excellent to, in their words, real shockers.
Where deployment is decentralised, that blind spot widens quickly. The firms handling this well have built formal coordination across model risk, product governance, data protection and compliance. In practice that often means an existing function becoming the anchor: for example, this is often model risk, operational risk, or increasingly a dedicated central AI function with a Chief AI and Data Officer or Head of Responsible AI acting as a coordination layer across the business.
Historically, financial regulation was built around systems that were predictable and testable. What fundamentally changes when institutions start deploying probabilistic and increasingly autonomous AI systems?
The foundational assumption breaks. Financial regulation grew up around systems that were predictable and testable; the same input produced the same output, and behaviour could be backtested against ground truth. That is how model risk has been governed for years. Generative AI produces context-dependent outputs with no single correct answer to validate against, and its behaviour shifts as it ingests new data.
The governance task moves from validating fixed outputs to governing variable behaviour. Agentic systems push it further again, from assessing outputs to governing actions taken on those outputs.
One of the contributors to the research describes this as a responsibility gap: legal liability outpaces a manager’s technical visibility. And once a system’s output cannot be guaranteed, tracing data lineage and logic through a traditional audit trail becomes far harder.
The accountability framework itself has not changed, and that is the tension. Under the Senior Managers regime in the UK, accountability still rests with named executives; you cannot outsource your obligations to an algorithm. So the work shifts from auditing a system’s internal logic to orchestrating continuous, real-time guardrails around the environment it operates in.
Several executives in the report seem worried that compliance and risk teams are becoming spectators rather than challengers. Are we reaching a point where oversight functions risk losing the ability to meaningfully challenge the technology?
It is a real risk. Independent challenge depends on the ability to interrogate how a model actually behaves. Where compliance and risk teams lack that technical literacy, effective challenge becomes impossible, and the function risks being reduced to a reactive gatekeeper that slows adoption without reducing risk. Part of the problem is cultural; several practitioners described real resistance within control functions, a fear that engaging too deeply with AI threatens existing roles.
The danger sharpens as first-line teams begin running AI-driven validation of their own systems. One emerging practice is to use one model to judge another, and that validation can now sit in the first line. If the second line cannot assess whether that automated validation is sound, oversight becomes endorsement. It goes a layer further when oversight functions deploy AI themselves; as one leader put it, you then have to oversee the overseer agents, and the more you rely on AI-assisted review, the harder failures within the review mechanism become to detect.
The answer is not to remove people from the loop but to rebuild capability. Governance has to become a distributed skill, embedded in every line, rather than the preserve of a few specialists. The same AI creating this pressure can also strengthen oversight; firms are already moving from periodic sampling to analysing entire datasets in real time. But that potential is only realised by teams equipped to use the tools, and to exercise judgement when they fail.
If the industry fails to solve these governance gaps in time, what does the first major AI-driven financial scandal actually look like in practice?
It could look like conduct harm that builds invisibly: an AI system generating personalised customer communications at scale - flagging account features, prompting product upgrades, summarising terms - making the same error consistently and at volume. Traditional compliance monitoring, built around periodic sampling and retrospective review, was not designed to catch problems accumulating at that speed.
The second form it could take is systemic. As agents converge on similar models and a handful of foundation providers, correlated behaviour could amplify a market move, echoing the 2010 flash crash, or reduce deposit stickiness and raise the threat of a bank run. One interviewee suggested AI could come to be viewed almost as critical national infrastructure, with only a few core models everyone relies on, which makes a single flaw a system-wide exposure rather than a local one.
There is also the adversarial dimension. The same capabilities are in the hands of criminals, through prompt injection, jailbreaking and adversarial inputs, and weak internal governance leaves firms less able to defend against them.
The common thread across all of this is that the sector expects regulation to be written after the failure rather than before it, and we have lived through that pattern before. That is why Zango AI is bringing together leaders across financial services to build sector-specific operational guidance for AI governance. This includes developing a shared understanding of agentic AI’s capabilities, and the risks and controls that follow. By proactively sharing what works - and what doesn’t - the industry can build practical best practice before a crisis forces the issue.
The scandal that has not happened yet
What might the first major AI-driven financial scandal look like?
One plausible version is a failure of conduct. A bank uses AI to generate personalised customer communications, summarise account terms, suggest product upgrades or explain financial products. The system makes a subtle error — an omission, a misleading phrase, an unsuitable recommendation — and repeats it at scale. Traditional compliance monitoring, built around retrospective sampling, may not detect the issue until harm has already accumulated.
Another version is systemic. Multiple institutions use similar models, vendors, or agents to make operational or market decisions. Under stress, those systems react similarly, amplifying rather than absorbing market movements. A local model failure could become a correlated sector-wide exposure.
A third version is adversarial. Criminals use prompt injection, synthetic identities, automated fraud and adversarial inputs to exploit weakly governed systems. In that scenario, poor AI governance is not just an internal weakness. It becomes part of the sector’s attack surface.
The common thread is speed. Financial scandals have traditionally taken time to build. AI compresses that timeline. A flawed workflow, model, or agent can scale through APIs, automated communications, and operational systems far faster than a human process can.
That creates a difficult responsibility gap. Senior executives remain accountable, particularly under regimes such as the UK’s Senior Managers and Certification Regime. But their legal responsibility may outpace their technical visibility. They cannot outsource accountability to an algorithm, yet they may struggle to understand precisely how an AI system behaved, why it acted as it did, or where control failed.
This is why the governance of AI in financial services cannot be treated as an innovation side project. It has to become part of the operating model.
Image: Ritesh Singhania with the Portuguese team, credits Zango AI
Zango’s bet is that the next phase of AI in finance will not be defined by the most impressive demos, but by the systems that make AI usable, auditable and controllable in regulated environments. That means inventories, control mapping, audit trails, governance boards, testing frameworks, real-time monitoring and technically capable compliance teams.
It is less glamorous than the first wave of generative AI. But it is where the technology becomes real.
The financial sector has often been regulated after failure. The danger with AI is that failure may arrive faster than the old regulatory cycle can respond. By the time a scandal is visible, the damage may already have been done.
That is the urgency behind Zango’s work. The company is effectively arguing that AI governance is becoming a new layer of financial infrastructure. Not a policy document. Not a committee exercise. A live operational capability.
The future of AI in banking will not be decided only by which institutions adopt the technology first. It will be decided by which ones can still explain, supervise and stop it when necessary.
The question, then, is no longer whether AI will transform financial services. It already is. The question is whether financial services can transform governance quickly enough to keep up.
by Gonçalo Perdigão
Accredited Press Professional: CCPJ TE-882
ERC-Registered Media Organisation: 128149








