Express Computer

Beyond cybersecurity: Why banks need a dedicated AI risk strategy


By Michael Sell, SVP & Global Head of Institutional Outreach, GARP

Technology risk in banking and financial services has typically revolved around cybersecurity: protect the systems, safeguard data, stay ahead of attackers. Artificial intelligence changes that equation. Generative and agentic AI introduce a distinct category of risk—spanning model governance, data integrity, and algorithmic accountability—that falls outside traditional cyber frameworks. As generative and agentic AI use cases move from operational support functions into core business decisioning, the importance of creating robust AI governance is becoming critical.

India’s AI Moment Needs a Governance Answer
Few markets illustrate this better than India, where banks are integrating AI workflows into customer engagement and support, credit assessment and other risk management processes including fraud detection, anti-money laundering surveillance, and risk reporting.

Fintech development is allowing India’s banking sector to serve hundreds of millions of customers across the country with greater efficiency and financial inclusion. The country has one of the world’s largest digital financial ecosystems, powered by platforms such as UPI, Aadhaar, and the Account Aggregator (AA) framework, a digital public infrastructure overseen by India’s financial regulators, including the Reserve Bank of India (RBI). As AI becomes increasingly embedded within this infrastructure, governing it responsibly will be even more important than rapid deployment.

AI risk is top of mind globally among corporate leaders and regulators, and India is no exception. Supervisors across all markets are sharpening their focus on issues like data privacy and governance, AI model transparency, fairness, accountability, and ethics, all of which are important in the broader context of operational resilience and third-party risk. The FREE-AI framework, released by RBI, sets out guiding principles and recommendations for how banks, NBFCs, and fintechs should govern AI across the lifecycle from development to deployment.

Broad regulatory consensus and oversight are forming in markets around the world. With AI becoming more deeply embedded in financial processes, institutions will be expected to show not only what their systems can do, but how they are governed and held accountable.

The Governance and Accountability Gap in AI
The Three Lines of Defense risk management framework is rooted in governance and accountability. Credit decisions supporting new banking relationships are approved and documented by the first line, market exposures are measured and reported by second line stakeholders, and third line corporate audit teams assess business processes, flagging breakdowns in risk management processes that require investigation. Creating governance and accountability for AI-guided decisions that produce incorrect or harmful outcomes is challenging when the output is a function of model design, the relevance and quality of training data, and the expertise and judgement of humans in the loop overseeing the models and their output.

Third-party dependencies raise the stakes further. As banks lean on externally developed models, accountability for delivering responsible AI solutions remains with the bank, despite the use of outsourced technology. This naturally creates governance questions around AI vendor oversight, concentration risk, and operational resilience that may be out of scope for current processes used to manage technology risk and cyberthreats.

Treating AI Risk as Its Own Discipline
How AI model risk and governance evolve will depend in large part on how seriously institutions invest in the discipline. Organizations that extract the greatest long-term benefits from AI may not be those using the newest models, but those that build robust governance around them. Institutions that develop professionals who understand how AI models work—and who can ask the right questions when assessing risk and validating output—will be best positioned as applications grow more sophisticated.
