Scaling AI in banking: diverging approaches to control and supervision in the US and Europe

Artificial intelligence (AI) is already an integrated part of banking. The key question, however, is whether banks and regulators can maintain oversight as AI models become more complex, externalised and embedded in core processes. A comparative analysis of US and European markets indicates that scaling AI will increasingly depend on the ability to control, test and supervise it effectively.

Artificial intelligence (AI) is now embedded in many banks across diverse areas, including customer interactions, fraud detection and core operational processes. It’s, therefore, no longer a question of whether banks should adopt AI, but whether these systems can remain effectively supervised as they scale. 

Nor is the challenge limited to governance or internal control. It is also about the ability of banks and supervisors to understand, access and challenge increasingly complex models that are often developed by external providers and deployed in critical processes.  

AI is already being deployed across the banking sector in Europe and the US. Effective supervision depends on banks retaining sufficient control over these systems, and how the ability to understand, access and challenge AI models may differ between the US and Europe as deployment moves from bounded use cases into more critical banking processes. 

The UK sits somewhat between the US and EU models: it relies more on principles-based and outcomes-focused regulation, while facing similar practical challenges around model risk, third-party dependency, operational resilience and effective control. 

Eric Cloutier

“As AI moves deeper into banking processes, the supervisory question becomes increasingly if models can still be understood, accessed and challenged in practice. Banks need control frameworks that work across jurisdictions and remain effective as models become more complex and dependent on external providers.”

Eric Cloutier Global Head of Banking Regulations / Head of Global FS RegCentre, Forvis Mazars Group

Where AI stands today in banking 

AI is increasingly being deployed across a wide range of banking functions, including fraud detection, anti-money laundering, customer interactions, onboarding and internal support. However, the level of maturity in use case implementation remains uneven. Some use cases are already well implemented in daily operations, while others are still pilots in controlled environments or partly scaled out.  

This said, most current use cases still remain bounded by limited autonomy and well-defined perimeters. This explains why many banks still consider them broadly compatible with existing governance and control frameworks. 

Greater challenges are, however, expected to emerge as AI systems become more complex and increasingly integrated within banks, with their usage becoming less transparent and harder to control. 

From AI adoption to effective supervision 

As AI models continue to develop and their integration in the banking sector expands, the focus will increasingly be on ensuring that banks and supervisors can continue to fully understand, access and challenge these systems.  

In practice, control over AI systems relies on three central supervisory capabilities:  

  • To understand how a model operates, including its logic, limitations and potential failure modes.  
  • To access the model, its data and its underlying infrastructure, especially when provided by third parties.  
  • To challenge outcomes, through independent validation, testing and supervisory review, including ensuring sufficient explainability and transparency of model outputs. 

The question is whether they remain effective as AI systems become more complex, less transparent and more externalised. And this is where important differences appear between jurisdictions, as variations in the speed and depth of integration, as well as in regulatory approaches and supervisory capabilities, shape the response of policymakers and supervisors. 

US: AI as a strategic imperative for banks 

In the US, AI has rapidly moved from a promising innovation to a strategic imperative for banks, with adoption generally progressing more quickly and at greater scale than in many European jurisdictions.  

AI adoption is supported by a generally pro‑innovation federal stance, while remaining subject to existing legal, supervisory, safety and soundness requirements. Policymakers and supervisory agencies in the US are therefore shaping an approach that balances innovation while maintaining appropriate safeguards. Today, the conversation increasingly turns toward enabling responsible innovation while addressing risks through existing legal and supervisory frameworks.  

This evolution is significant. Banks have historically been cautious in adopting emerging technologies, especially when regulatory expectations are unclear. These institutions are likely to be more willing to rely on AI when they are supported by regulatory authorities that recognise its potential benefits and encourage its responsible use. 

Another distinctive feature of the US environment is the concentration of major AI providers, technical expertise and infrastructure within the same national ecosystem. This can facilitate dialogue between supervisors, banks and technology providers, even as systems are deployed rapidly. The implication is that the same level of AI deployment may not always translate into the same level of effective supervision. 

However, institutions should not mistake increasing regulatory acceptance for regulatory certainty. The US continues to rely on activity-based, sector-specific obligations rather than a comprehensive AI statute, leaving institutions to navigate a patchwork landscape defined more by principles, prudential standards and supervisory expectations than by prescriptive AI-specific rules.  

"The US agencies are not prohibiting or unduly restricting AI adoption. Rather, they are encouraging institutions to innovate responsibly and within the boundaries of legal, supervisory and risk management expectations."

Managing Director, US RegCenter Leader, Forvis Mazars US

Europe: structured supervision  

In the EU, the regulatory and supervisory approach is more cautious and is intended to strengthen control and supervisory oversight. The focus is on whether banks and supervisors can retain sufficient visibility as AI systems become more complex, more externalised and more deeply embedded in critical processes. 

These access and visibility issues are not unique to Europe. They are inherent to advanced AI systems, especially when models, data and infrastructure are provided by third parties. In Europe, however, they are amplified by a more fragmented market and regulatory environment, making coordination and supervisory dialogue more complex. 

Deployments are typically more gradual and remain longer within limited perimeters. Institutions place greater emphasis on validation, documentation and alignment with regulatory expectations before scaling solutions. This can slow scaling, but it also makes supervision more dependent on the quality of evidence that banks can provide on governance, validation, documentation and control. These differences are not only a question of timing; they directly affect how supervision can be exercised. 

What drives the US-Europe divergence 

The US and Europe are both innovating and exploring AI at pace, but their approaches diverge. This reflects differences in investment scale, the shape of technology ecosystems, the degree of market fragmentation and supervisory architecture. These factors not only affect the speed of implementation, but they also shape the ability to maintain effective supervision as AI becomes more complex.

US: scale and proximity to AI providers 

  • A key factor is the concentration of AI providers. Most leading models, infrastructure providers and specialised firms are located in the same ecosystem, creating a strong industrial base where capabilities can move quickly from development to deployment. Once validated, solutions can be scaled more rapidly. 
  • Another driver is the policy environment. The US has signalled a growing willingness to embrace AI as a lever of economic competitiveness, including in financial services. Recent policy decisions, such as Executive Order 14179, and subsequent agency statements, reflect a pro‑innovation stance that seeks to reduce barriers to adoption while addressing risks through existing legal and supervisory frameworks. As a result, supervisors tend to support innovation, as long as it remains consistent with established risk management and oversight requirements. 

Europe: regulatory layering and third-party dependency

  • European Union (EU) banks operate in a more constrained and fragmented environment.  This is a structural challenge. Banks operate across multiple jurisdictions, where regulatory expectations and supervisory practices can still differ. This makes coordination more complex and slows down the scaling of new technologies.  
  • Regulatory layering also adds complexity. AI-related risks are not addressed by a single framework, but by multiple overlapping regimes. For example, EU institutions must consider the Digital Operational Resilience Act (DORA), the EU Artificial Intelligence Act (AI Act), the General Data Protection Regulation (GDPR) and ongoing simplification efforts under the Digital Omnibus simultaneously. Some critics argue this increases operational complexity. 
  • Dependence on external providers is a key constraint. Many advanced AI models are developed outside Europe. Where banks rely on third-party models, infrastructure or cloud services, control depends not only on internal governance, but also on contractual access, transparency, and the ability to test and challenge provider systems.  

These structural differences also influence how uncertainty is managed. In the US, institutions may be more willing to deploy AI earlier and adjust over time. In the EU, the focus is more on validation, explainability and alignment with regulatory expectations before scaling. 

As long as AI remains bounded, the differences in regulatory and supervisory approach may have relatively limited impacts. The picture changes as integration becomes more widely embedded in banks’ business-as-usual activities. This is where differences between jurisdictions become structural, rather than marginal. The challenge here is whether banks and supervisors have sufficient expertise, access and control to understand, test and challenge AI implementations and to use them effectively as they become more embedded and complex.   

“For global banks, scaling AI is not just a technology challenge. It is a cross-border governance challenge. Institutions will need to manage different regulatory expectations, supervisory practices and technology dependencies while maintaining a consistent standard of accountability, control and oversight.”

Gregory Marchat Global Head of Financial Services Advisory / UK Head of Financial Services, Forvis Mazars Group

The real shift: when AI becomes harder to control and supervise 

The issue is not that some jurisdictions move faster than others; it is that the next phase of AI may test the point at which deployment becomes harder to govern effectively through traditional frameworks. This concern is no longer theoretical.  

Several recent developments point to the same pattern: not that advanced AI systems have already caused systemic disruption, but that existing governance frameworks may struggle to keep pace with systems whose outcomes may not always be fully anticipated.  

Traditional supervisory frameworks are better suited to models that are relatively stable, explainable and controllable. However, as AI systems become more adaptive, less transparent and more dependent on external providers, they become harder to understand, access and effectively challenge in practice. 

For banks, this changes the nature of control. Formal compliance alone no longer guarantees effective oversight. Control can degrade when models become less interpretable, access is limited by third-party constraints, or the ability to challenge outcomes becomes largely theoretical. 

Overall differences in regulatory and supervisory approaches also shape the evolving supervisory responses to AI.  

In the US, federal banking agencies, including the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB) and the Federal Deposit Insurance Corporation (FDIC), have generally approached AI through existing risk management frameworks. Rather than introducing AI-specific regulations, they emphasise that current requirements on governance, risk management, consumer protection, model risk and third‑party oversight remain applicable. The aim of this approach is to provide institutions with greater flexibility. Banks are not generally expected to wait for comprehensive AI-specific rules before deploying initiatives. Instead, they must demonstrate that AI use is supported by sound risk management, effective controls and appropriate oversight.  

The EU has taken a more structured approach, centred on documented governance, regulatory consistency and operational resilience. The challenge is not the absence of supervision, but the practical ability to obtain sufficient access, evidence and technical visibility when AI systems are provided by third parties or embedded in complex infrastructures.  

This is already visible in the euro area, but as an integral part of the broader supervisory priorities. For example, the European Central Bank (ECB) includes AI among its broader priorities for operational resilience and ICT capabilities, covering banks’ digital strategies, governance and risk management practices related to AI. 

This is also consistent with the ECB’s broader thinking on AI. In a 2024 speech on “Artificial intelligence: a central bank’s view, Piero Cipollone, Member of the ECB Executive Board, stressed the importance of safeguards, comprehensive documentation, understanding the properties of AI algorithms and models, reducing ‘black box’ risks and ensuring that humans remain firmly in control. Central banks, including the ECB, are monitoring these developments closely. The ECB has developed an AI action plan to build the tools, infrastructure and skills needed to use AI safely and responsibly. This closely mirrors the supervisory challenge for banks: as AI becomes more embedded in core processes, effective control depends on the ability to understand how systems operate, document their use, challenge their outputs and keep human judgement at the centre of decision-making.  

This is also consistent with recent European Stability Mechanism (ESM) commentary on AI in capital markets. The commentary notes that EU regulatory developments, including the AI Act and related initiatives, are pushing firms to strengthen oversight, data governance and explainability. More broadly, it points to a move towards improved data foundations, auditable AI lifecycles and stronger controls. For banks, this reinforces the operational direction of travel: supervision will increasingly depend on evidence that AI systems are properly governed, documented, explainable and capable of being challenged. 

In practice, this is likely to translate into more concrete supervisory expectations around mapping AI use cases, assessing materiality, model risk management, validation, explainability, and access, auditability and transparency over third-party systems. This does not mean instructing banks on how to use AI, but ensuring that AI use remains subject to effective governance and risk management. 

As systems reach higher levels of capability and autonomy, the central question will not only be what they can do, but whether they can be effectively supervised in practice; by whom, on what basis, and with what access and safeguards.  

“For banks, AI creates a practical risk management challenge. As reliance on third-party models and infrastructure grows, firms need to evidence how systems are validated, monitored and controlled, and how critical services would remain resilient if those models behave unexpectedly or fail.”

Huseyin Sahin Partner, Head of Banking Risk Consulting, Forvis Mazars UK

Implications for banks 

The implications for banks are immediate. The challenge is no longer simply to identify promising use cases or to comply with emerging rules. The challenge is to decide how far AI can be deployed in practice without creating dependencies, blind spots or governance risks that institutions may not be able to manage once systems become more powerful and more deeply embedded in core processes. This leads to a major dilemma for banks; scaling AI may come at the cost of reduced control, while maintaining full control may limit deployment and slow down innovation. 

The US:  

  • In the absence of a comprehensive federal statutory regime for AI in the US, the regulatory landscape is evolving through agency guidance, executive actions, sectoral initiatives and state-level developments. This fragmented but active environment is particularly relevant for global financial institutions operating across jurisdictions. In that context, voluntary frameworks have emerged as key reference points. One of the most influential is the National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF 1.0), together with its Generative AI Profile (NIST AI 600-1). These frameworks provide a structured approach to identifying, assessing and managing AI-related risks across the full lifecycle. They focus on core dimensions such as governance and accountability; transparency and explainability; fairness and bias mitigation; reliability and resilience; privacy and security; and continuous monitoring. 
  • Beyond formal frameworks, industry-led initiatives are also emerging as practical benchmarks for AI governance. One recent example is Project Glasswing, announced by Anthropic in April 2026, which brings together major technology and financial actors to support collaborative approaches to AI security and governance.  

Europe: 

  • European institutions are also likely to continue adjusting their approach. Deployment is becoming more selective, with a clear distinction between critical and non‑critical use cases. Highly sensitive activities are subject to tighter controls and requirements, while less critical use cases allow for flexibility and experimentation. 
  • Interactions with supervisors are also becoming more frequent and more detailed. Institutions are expected to engage in supervisory dialogue on how AI-related risks are identified, governed and controlled, and to demonstrate that their governance, risk management and operational resilience arrangements remain effective in practice. 

AI adoption is unlikely to slow down, but it is also unlikely to scale uniformly across activities. Deployment will remain constrained by the ability of institutions and supervisors to maintain sufficient control, manage dependencies and limit blind spots. 

In that sense, the real question is whether banks can scale AI in a way that remains understandable, controllable and subject to effective supervision. 

The future of effective AI supervision 

AI will continue to expand into the banking sector. Its deployment will, however, increasingly depend on the ability of banks to retain meaningful control, and on supervisors’ ability to assess that control in practice, as systems become more complex, more externalised and more deeply embedded in core processes. 

This does not mean slowing down adoption. It means ensuring that scale does not come at the expense of visibility, access and effective challenge. 

It’s no longer about how fast AI can scale, but how far it can scale while remaining effectively controlled by banks and effectively supervised by authorities. 

This is where different supervisory approaches will be tested in real time. The US and Europe start from different market, regulatory and supervisory conditions. Yet both will face the same practical issue: maintaining effective oversight over systems that are becoming harder to understand, harder to access and harder to challenge. 

 

Our experts