The real shift: when AI becomes harder to control and supervise
The issue is not that some jurisdictions move faster than others; it is that the next phase of AI may test the point at which deployment becomes harder to govern effectively through traditional frameworks. This concern is no longer theoretical.
Several recent developments point to the same pattern: not that advanced AI systems have already caused systemic disruption, but that existing governance frameworks may struggle to keep pace with systems whose outcomes may not always be fully anticipated.
Traditional supervisory frameworks are better suited to models that are relatively stable, explainable and controllable. However, as AI systems become more adaptive, less transparent and more dependent on external providers, they become harder to understand, access and effectively challenge in practice.
For banks, this changes the nature of control. Formal compliance alone no longer guarantees effective oversight. Control can degrade when models become less interpretable, access is limited by third-party constraints, or the ability to challenge outcomes becomes largely theoretical.
Overall differences in regulatory and supervisory approaches also shape the evolving supervisory responses to AI.
In the US, federal banking agencies, including the Office of the Comptroller of the Currency (OCC), the Federal Reserve Board (FRB) and the Federal Deposit Insurance Corporation (FDIC), have generally approached AI through existing risk management frameworks. Rather than introducing AI-specific regulations, they emphasise that current requirements on governance, risk management, consumer protection, model risk and third‑party oversight remain applicable. The aim of this approach is to provide institutions with greater flexibility. Banks are not generally expected to wait for comprehensive AI-specific rules before deploying initiatives. Instead, they must demonstrate that AI use is supported by sound risk management, effective controls and appropriate oversight.
The EU has taken a more structured approach, centred on documented governance, regulatory consistency and operational resilience. The challenge is not the absence of supervision, but the practical ability to obtain sufficient access, evidence and technical visibility when AI systems are provided by third parties or embedded in complex infrastructures.
This is already visible in the euro area, but as an integral part of the broader supervisory priorities. For example, the European Central Bank (ECB) includes AI among its broader priorities for operational resilience and ICT capabilities, covering banks’ digital strategies, governance and risk management practices related to AI.
This is also consistent with the ECB’s broader thinking on AI. In a 2024 speech on “Artificial intelligence: a central bank’s view”, Piero Cipollone, Member of the ECB Executive Board, stressed the importance of safeguards, comprehensive documentation, understanding the properties of AI algorithms and models, reducing ‘black box’ risks and ensuring that humans remain firmly in control. Central banks, including the ECB, are monitoring these developments closely. The ECB has developed an AI action plan to build the tools, infrastructure and skills needed to use AI safely and responsibly. This closely mirrors the supervisory challenge for banks: as AI becomes more embedded in core processes, effective control depends on the ability to understand how systems operate, document their use, challenge their outputs and keep human judgement at the centre of decision-making.
This is also consistent with recent European Stability Mechanism (ESM) commentary on AI in capital markets. The commentary notes that EU regulatory developments, including the AI Act and related initiatives, are pushing firms to strengthen oversight, data governance and explainability. More broadly, it points to a move towards improved data foundations, auditable AI lifecycles and stronger controls. For banks, this reinforces the operational direction of travel: supervision will increasingly depend on evidence that AI systems are properly governed, documented, explainable and capable of being challenged.
In practice, this is likely to translate into more concrete supervisory expectations around mapping AI use cases, assessing materiality, model risk management, validation, explainability, and access, auditability and transparency over third-party systems. This does not mean instructing banks on how to use AI, but ensuring that AI use remains subject to effective governance and risk management.
As systems reach higher levels of capability and autonomy, the central question will not only be what they can do, but whether they can be effectively supervised in practice; by whom, on what basis, and with what access and safeguards.