Artificial intelligence is moving rapidly from experimentation into everyday use across financial services. From client servicing and research to operations and risk analysis, AI is increasingly embedded in core workflows.

This shift is widely recognised within the industry. 

 of financial services organisations report rapid AI adoption, with 

 ranking AI as a top security priority heading into 2026.

At the same time, governance structures are being established. Around 

 of firms report having formal AI policies in place, and 

 have created dedicated committees or oversight groups.

Taken together, these signals point to a sector that is both proactive and engaged.

However, a more nuanced picture emerges when examining how AI is being used in practice.

Despite growing investment in governance, many organisations are still working to achieve a clear, consistent view of AI usage across their environments.

 of financial services organisations have identified instances of unauthorised or “shadow” AI usage. This is not necessarily indicative of poor governance, but rather reflects the nature of AI adoption itself.

Unlike previous technology rollouts, AI tools are often accessible via browser, embedded within existing platforms, or introduced through third-party integrations. As a result, usage can become decentralised and user-driven, making it more difficult to fully map and monitor.

This dynamic is reflected in the questions senior leaders are asking internally:

These questions highlight a broader challenge around visibility. While many firms report the ability to detect sensitive data in AI tools, achieving a complete, real-time picture of usage remains complex.

Financial services have long operated within robust governance frameworks, and this is increasingly extending to AI. However, AI introduces a different risk profile that does not always align neatly with existing controls.

Risk is often created through routine actions. For example, the use of prompts to analyse data, generate content, or summarise documents. These interactions can involve sensitive information but may not trigger traditional security alerts or controls.

This creates a distinction between governance intent and operational enforcement.

Policies may define acceptable use, but they do not necessarily ensure that those policies are consistently applied at the point where data is being shared. Similarly, approval of an AI tool does not guarantee that all uses of that tool are compliant.

As one respondent put it, a key question remains: 

“How can we fully safeguard sensitive data while using AI effectively?”

Regulatory and Accountability Considerations

For financial institutions, this challenge is closely tied to evolving regulatory expectations.

FCA’s operational resilience requirements

 are already pushing firms to demonstrate a clear understanding of how technology impacts customer outcomes and data handling. More broadly, regulators are increasingly focused on governance that is not just defined but evidenced in practice.

 is moving towards enforcement, introducing explicit expectations around transparency, risk management, and oversight of AI systems, particularly in high-risk use cases relevant to financial services.

Alongside this, established obligations under 

 remain highly relevant, particularly where personal data is being processed through AI tools, often outside traditional visibility.

Taken together, these frameworks raise the bar. It is no longer sufficient to have policies or committees in place. Firms are expected to demonstrate:

This shifts the focus from governance as a structure to governance as a capability.

In this context, confidence in oversight is only part of the equation. What matters equally is the ability to evidence that control is operating effectively in day-to-day use.

What is becoming clear is that financial services are in a transitional phase.

On one hand, AI adoption is accelerating and delivering clear value. On the other, the mechanisms for managing that adoption are still evolving.

This is not unusual for a technology shift of this scale. However, the characteristics of AI; its accessibility, speed of adoption, and integration into existing workflows

mean that the gap between usage and control can widen quickly if not addressed.

The focus is therefore shifting towards achieving greater alignment between governance frameworks and operational reality.

Addressing this challenge does not necessarily require restricting AI adoption. Instead, it involves developing a more detailed and dynamic understanding of how AI is being used and ensuring that controls are applied where risk is created.

This includes improving visibility into usage patterns, strengthening the link between policy and behaviour, and enabling more consistent oversight of data interactions within AI systems.

As AI continues to scale, the ability to move from assumed control to demonstrable control is likely to become a defining capability.

For financial services organisations, the question is no longer whether AI will be used, but how confidently and transparently its use can be governed in practice.

closed_book

This blog only scratches the surface of the data and analysis behind these shifts.

point_right

The State of Enterprise AI Usage: The Illusion of Control

bar_chart

 Start surfacing risks in your own organisation:  

Artificial intelligence is moving rapidly from experimentation into everyday use across financial services. While many firms report the ability to detect sensitive data in AI tools, achieving a complete, real-time picture of usage remains complex.

AI Adoption Surging in Financial Services — But Control Lagging

Recommended for you

The Offensive Potential of Computer-Using Agents

Introducing The Human Threat Map: Mapping and Defending the Human Perimeter

Why Legal AI Governance Must Operate at the Point of Use