AI governance gap widens
- Analysts warned banks are deploying autonomous AI agents while governance frameworks lag, creating a governance gap.
- A Forbes column flagged the risk and Congress introduced the GUARD Financial Data Act and the SECURE Data Act to tighten data privacy standards.
- Firms now face pressure to formalise AI controls, audit trails and human-in-the-loop safeguards as regulation and scrutiny increase.
Banks are starting to use artificial intelligence systems that can take actions on their own, while the main federal rulebook for bank models was just rewritten without covering those systems. (forbes.com; federalreserve.gov)

On April 17, the Federal Reserve, Office of the Comptroller of the Currency and Federal Deposit Insurance Corporation issued revised model risk management guidance that replaced the 2011 SR 11-7 framework. The agencies said the update sets a risk-based approach for models used by banks. (federalreserve.gov; occ.treas.gov; fdic.gov)

The Forbes column published April 22 said the new guidance explicitly excludes generative artificial intelligence and agentic artificial intelligence, even as some banks are already testing or deploying software agents with authority to execute tasks. The column described that mismatch as a governance gap inside financial institutions. (forbes.com)

Agentic artificial intelligence is software that does more than answer a prompt; it can plan steps, call tools and carry out tasks with limited human input. That is a different control problem from older bank models, which are usually validated before use and then monitored against expected behavior. (forbes.com; nist.gov; nvlpubs.nist.gov)

Congress added pressure on April 22, when the House Financial Services Committee and House Energy and Commerce Committee said they were advancing the GUARD Financial Data Act and the SECURE Data Act. The committees said the bills would give Americans more control over personal data and create a national privacy framework. (financialservices.house.gov; financialservices.house.gov)

That matters for banks using artificial intelligence because these systems depend on large stores of customer and transaction data, and because automated decisions can be hard to reconstruct after the fact. NIST’s Artificial Intelligence Risk Management Framework and its generative artificial intelligence profile both push organizations toward documentation, testing, monitoring and governance controls. (nist.gov; nvlpubs.nist.gov)

The federal banking agencies did not present the April 17 guidance as an artificial intelligence rule. They said it clarifies model risk management principles, rescinds prior guidance and applies a risk-based approach, leaving banks to decide how to extend those controls to newer systems. (federalreserve.gov; occ.treas.gov; fdic.gov)

The practical response inside firms is likely to be more audit trails, tighter approval gates and more “human in the loop” checks before software agents can move money, change accounts or contact customers. Those are the kinds of governance steps NIST describes for managing artificial intelligence risk when behavior is less predictable. (nist.gov; nvlpubs.nist.gov)

For now, the gap is not about whether banks will use autonomous artificial intelligence. It is about whether their controls, and Washington’s, can catch up before those systems handle more of the financial system’s daily decisions. (forbes.com; financialservices.house.gov)