I recently had the opportunity to host a webinar on a topic that's very much front of mind for banks and financial institutions right now: how to approach AI-powered risk and compliance in a regulatory environment that's moving fast but hasn't fully caught up to the technology.
Joining me was Tim Ayala, a former Chief Risk Officer with over three decades at the FDIC and subsequent years leading risk functions at banking institutions. Tim brought a rare dual perspective, having seen GRC from both the regulatory and practitioner sides.
The conversation covered a lot of ground. Here are the six takeaways I think every risk and compliance leader in financial services should sit with.
| Question | Key Takeaway |
|---|---|
| Is AI genuinely transformative in GRC, or still largely hype? | AI is real, not hype, but only if the human foundation is in place first. Silos, not technology, are the biggest barrier. |
| Where are the AI use cases delivering measurable value? | Risk assessments, credit memos, and AML/BSA analysis are delivering speed and consistency where manual work was the bottleneck. |
| Who should own AI models inside the institution? | Combined ownership is the ideal. The right structure depends on where skill and talent already sit, not on creating a new committee. |
| How should institutions approach AI governance? | Engage regulators early, plan for model validation, and define ROI measurements up front. Lack of documentation is the most common regulator complaint. |
| What's the regulator's stance on AI implementation? | There is currently no formal regulatory guidance on AI. This gives institutions freedom to design, but also creates uncertainty. Early, informal regulator engagement is essential. |
| How do you build trust in AI outputs? | Surface data sources and attach confidence levels to every AI response. Transparency makes outputs audit-ready and builds internal credibility. |
Tim's first point set the tone for everything that followed: before you think about AI, look at how your teams are communicating. Silos and territorial thinking will undermine any technology investment.
In his own experience as a CRO, Tim held regular open sessions with risk leaders, often monthly, where people shared what was keeping them up at night. What he found, consistently, was that things happening in one area were affecting two others, and nobody had connected the dots. Breaking those barriers down created a much more holistic view of risk.
The implication for AI is straightforward. AI needs good data, and good data requires connected teams. If the human foundation isn't there, AI won't fix it.
Once the human foundation is in place, Tim's view is clear: AI is genuinely transformative. The capability he'd always wanted as a CRO but struggled to achieve was real-time risk analysis. Not backward-looking reports built on historical assumptions, but visibility into what is happening now and what it means today.
Regulatory change management is another area where AI changes the calculus. When a regulatory action affects a bank's BSA program, how quickly can you analyze your portfolio and assess exposure? If that analysis depends on people doing manual research, it will be slow and inconsistent. AI addresses both of those problems at once.
The qualifier Tim kept returning to was governance. AI presents a real opportunity, but only when it is managed and governed with a proper structure.
Tim walked through three use cases where AI is delivering measurable value in banking risk and compliance:
Risk assessments - ERM teams spend an enormous amount of time building background documentation for regulators. AI can generate that documentation quickly, freeing people to focus on real-time monitoring rather than manual creation work.
Credit memos - When a loan is being underwritten, AI can generate geographic and risk context consistently across every deal. Consistency and repeatability are two of the things regulators most frequently look for, and AI creates a repeatable process by design.
AML and BSA analysis - Analysis quality in AML programs is often analyst dependent. AI creates more uniform output, allowing analysts to focus on reading that output and finding connections rather than generating it.
From the MetricStream side, we've seen strong AI adoption in the areas of risk reporting, regulatory alert applicability and summarization, contextual and conversational help using Q&A in natural language, and guided navigation. These help GRC professionals with risk and compliance intelligence to make informed decisions.
One of the most-asked questions in any AI conversation is: who owns this? Tim's honest answer was that it depends, and he meant that constructively. The right person or team to lead AI governance depends on where skill and talent already sit within the institution.
What he was clear on: combined ownership across functions is the ideal, board oversight needs to be in place from the start, and AI accountability will evolve as the system is adopted more widely across the institution. He also expressed a preference for working groups over committees. Committees create bureaucracy. Working groups put the right stakeholders in the room.
Education across all levels is essential. So is clear expectation-setting. And board reporting, Tim said, is always most effective when it's framed around what regulators will think, not just what technology teams want to present.
There is currently no formal regulatory guidance on AI implementation for financial institutions. Tim described this as liberating in one sense: it gives institutions the freedom to design their own frameworks. But it also creates potholes. Examiners don't have a defined rulebook either, which gives them latitude to criticize.
His advice was consistent and specific: don't surprise your regulator. If you're implementing AI, have the conversation early. Tell them what you're planning and why. Share your roadmap. Provide quarterly updates on significant projects. When formal guidance eventually arrives, you want to already be well-positioned.
On model risk management in particular: AI systems will be treated as models by regulators. That means institutions need a plan for model validation, whether handled internally or outsourced. Having that plan in place, even informally, signals to regulators that you're taking the governance dimension seriously.
A thread that ran through the entire conversation was how to build trust in AI outputs, both internally and with regulators. Tim's framework came down to two things: show your work, and measure your results.
Failing to define ROI measurements up front is one of the most damaging mistakes institutions make, because it makes the AI initiative very hard to justify internally. The metrics don't have to be complicated. Maybe it's fewer hires because the system absorbs the work. Maybe it's more consistent documentation at regulatory exams. Maybe it's positive board feedback on AI-generated reporting. The point is to define what success looks like before you go live.
From the technology side, MetricStream surfaces the source of information behind every AI output and attaches a confidence level to each response. That layer of transparency does two things: it helps users understand where uncertainty sits, and it makes every output audit-ready from day one.
The message from Tim across all six areas was consistent: the institutions that get this right aren't starting with the technology. They're starting with their data, their team structures, and their regulator relationships. The technology then amplifies what's already working.
We're still early. The regulatory landscape around AI in financial services will shift significantly over the next few years. The window to build a framework that holds up, engages regulators proactively, and delivers demonstrable ROI is open right now, but it won't stay open indefinitely.
If you'd like to see how MetricStream's AI-native Connected GRC platform puts these principles into practice, we'd love to show you. Request a demo now.
Watch the full webinar:
Subscribe for Latest Updates
Subscribe Now