Regulators already require operational resilience. AI just joined the scope
Banks and asset managers run AI across client service, research, compliance surveillance, and software delivery. Regulators — from the OCC to the FCA's operational resilience regime and the EU's DORA — expect critical business services to be mapped, tested, and recoverable. AI dependencies are now part of that map, whether or not they've been documented.
Where AI is embedded
How financial services runs on AI today
- Client service assistants and chat
- Research summarization and analysis
- Compliance surveillance and screening
- Developer copilots across the engineering org
- Document processing and KYC automation
Sector-specific risk
What makes resilience harder here
Third-party risk frameworks don't see AI yet
Your TPRM program tracks critical vendors — but AI providers often entered through product features and per-seat SaaS, bypassing vendor criticality classification entirely.
Resilience regimes now demand evidence
DORA and the UK operational resilience rules require mapped dependencies and tested recovery for important business services. If AI supports one, an untested AI dependency is a finding waiting to happen.
Concentration risk is systemic
The industry's AI usage concentrates on two or three providers. Diversified model routing is the financial-sector answer to a familiar problem: single points of failure in critical supply chains.
The regulatory picture
DORA (EU), FCA/PRA operational resilience rules (UK), OCC third-party risk guidance (US), and NYDFS 500 all point the same direction: mapped, tested resilience for critical services — including their AI dependencies.
Assess your financial services AI estate
The AIR Assessment maps your AI dependencies against sector-specific failure modes and regulatory expectations — in 3 to 6 weeks.