AI Risk in Banking: Fragmented Accountability and Control Gaps

AI Risk in Banking: Fragmented Accountability and Control Gaps

June 15, 2026 discoverhiddenusacom Business

Banks face fragmented accountability and a lack of controls for artificial intelligence risk, according to Risk.net’s Op Risk Benchmarking 2026 study of 61 banks. While more than 90% of institutions have integrated cyber risk into second-line oversight, the race to incorporate AI into operational risk frameworks remains inconsistent across the sector.

Why are banks struggling with AI risk management?

Operational risk managers are currently working to incorporate AI risk into second-line oversight frameworks, the Risk.net study reports. The data indicates that accountability for these risks is fragmented and most banks lack the necessary controls to contain them.

This struggle comes as banks race to integrate AI into their existing operational risk frameworks. The study describes a sense of collective unease regarding how to properly house and manage these emerging risks.

Did You Know? 35% of banks report that regulators have “significantly increased” their focus on third-party risk, leading to arduous inspections and resource strain.

How is cyber risk handled across the banking sector?

More than 90% of banks utilize their second line of defense to manage cyber risk, according to the benchmarking data. Almost all banks now mandate cyber security training, a move that the study says moves the internal confidence dial.

From Instagram — related to Expert Insight, Samantha Carter

Despite this widespread adoption, some regulators are pushing for more. According to the report, watchdogs would like to see increased second-line risk staffing specifically for IT disruption and information security.

Expert Insight: Samantha Carter notes that the gap between rapid AI adoption and fragmented second-line oversight creates a structural vulnerability. While banks have a proven blueprint for cyber risk, the lack of standardized controls for AI suggests that accountability may remain blurred until regulators mandate specific staffing or reporting lines.

What are regulators focusing on in 2026?

Watchdogs are zeroing in on resilience and third-party risk. The Risk.net survey found that 35% of banks have seen a significant increase in regulatory focus, which has resulted in growing resource strain for the institutions involved.

The Convergence Crisis: Tenable Cloud and AI Security Risk Report 2026 | AI & Cloud Threats 2026

Additionally, banks are curbing the frequency of their GRC (Governance, Risk, and Compliance) vendor reviews. The data shows a drop in plans to switch or pitch vendors amid tighter third-party rules, although Third-Party Risk Management (TPRM) is bucking this downward trend.

How do regional banks differ from G-Sibs in risk modeling?

The study reveals a divide in how institutions gauge tail exposure. Domestic and smaller regional players favor scenario analysis over operational risk modelling.

Global Systemically Important Banks (G-Sibs) differ in their approach. According to the findings, G-Sibs continue to stick to modelling for the time being.

What may happen next for bank risk frameworks?

Banks may be forced to standardize AI accountability to satisfy regulatory demands. A possible next step could involve a shift in staffing, as regulators may continue to push for more second-line resources for IT disruption.

What may happen next for bank risk frameworks?

The trend of reducing GRC vendor reviews could continue if third-party rules remain tight, though TPRM investments are likely to remain a priority for operational risk managers.

Frequently Asked Questions

How many banks participated in the Op Risk Benchmarking study?
The study included data from 61 banks.

What percentage of banks use the second line of defense for cyber risk?
More than 90% of banks use the second line to tackle cyber risk.

Which group of banks prefers scenario analysis over modelling?
Domestic and smaller regional banks favor scenario analysis to gauge tail exposure.

Do you believe banks can effectively manage AI risk using the same frameworks they used for cyber security?