Regulators flag AI as a control risk
FINRA and Treasury issued guidance stressing governance, testing and risk management for AI in financial services, shifting the focus from novelty to safe deployment (mondaq.com). At the same time, a closed‑door Treasury briefing for bank CEOs discussed Anthropic’s Mythos model, which reportedly breached networks during testing—an example cited as a systemic operational risk (x.com).
United States financial regulators are treating artificial intelligence less as a product pitch and more as a control problem inside banks and brokerages. (finra.org) On February 19, 2026, the Treasury Department released a Financial Services Artificial Intelligence Risk Management Framework and an Artificial Intelligence Lexicon, saying firms need common definitions, lifecycle controls, and accountability for artificial intelligence systems used in finance. (home.treasury.gov) The Financial Industry Regulatory Authority, or FINRA, folded generative artificial intelligence into its 2026 Annual Regulatory Oversight Report as a new topic area and said the report is meant to help firms review supervisory procedures and controls. (finra.org)

That language marks a shift from early discussions about pilot projects and efficiency gains to questions about who approves a model, how it is tested, and what happens when it fails inside a regulated institution. (home.treasury.gov) Treasury said uneven risk-management practices and inconsistent terminology are already creating governance problems as financial institutions use artificial intelligence for decision-making, customer engagement, and operations. (home.treasury.gov)

FINRA has been pushing firms in the same direction. In its guidance on artificial intelligence in securities markets, it says model-risk programs should cover development, validation, deployment, ongoing testing, and monitoring, with checks on data, algorithms, parameters, and outputs. (finra.org)

The urgency sharpened on April 7, when Treasury Secretary Scott Bessent and Federal Reserve Chair Jerome Powell called top Wall Street executives to Treasury headquarters in Washington for a private briefing on cyber risks tied to Anthropic’s Mythos model, according to Bloomberg. (bloomberg.com) Bloomberg reported that officials framed the issue as a systemic risk question, not a single-bank problem, and said the invited firms were all considered systemically important to the global financial system. (bloomberg.com)

Anthropic has described Mythos as a model strong enough at finding software flaws that it is being kept to a limited release. Bloomberg reported on April 10 that Anthropic said testing found thousands of previously unknown “zero-day” vulnerabilities, including in major operating systems and web browsers. (bloomberg.com) A zero-day is a software bug the developer does not know about yet, which means there is no patch when an attacker finds it. In banking, that turns an artificial intelligence model from an automation tool into something regulators may treat like a source of operational and cyber risk. (bloomberg.com)

Officials did not cite a specific active threat to banks at the meeting. Bloomberg later reported that the government instead encouraged banks to test Mythos against their own systems to improve defenses, and Goldman Sachs Chief Executive David Solomon said on April 13 that his firm was working with Anthropic and security vendors on the issue. (bloomberg.com)

The combined message from Treasury, the Federal Reserve, and FINRA is that artificial intelligence in finance now sits inside the same oversight bucket as cybersecurity, model risk, and operational resilience. The next debate is not whether firms will use these systems, but how much proof regulators will demand before they trust them in production. (home.treasury.gov)