AI Risk in Banking: Fragmented Accountability and Control Gaps
A new risk benchmarking study reveals that global banks—including Bank of America, Goldman Sachs, and other systemically important institutions—lack clear accountability structures for managing AI-related risks, with most failing to implement adequate controls to mitigate emerging threats.
According to the Op Risk Benchmarking 2026 report, published by the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC), 78% of surveyed banks identified AI as a top operational risk, yet fewer than 30% have formal governance frameworks in place to oversee AI deployments. The study, which analyzed responses from 120 banks—including 45 global systemically important banks (G-SIBs)—found that accountability for AI risk often falls between multiple departments, creating gaps in oversight.
The findings underscore growing concerns among regulators and industry analysts about the pace at which banks are adopting AI tools without proportional risk management. “The fragmentation of responsibility for AI risk is a ticking time bomb,” said Mark Williams, a former FDIC examiner and professor at Boston University, in an interview with American Banker. “Banks are racing to deploy AI for efficiency, but they’re not keeping up with the controls needed to prevent model failures or third-party vulnerabilities.”
Regional banks, which represent 60% of the study’s sample, were found to be particularly vulnerable. While larger institutions like Bank of America and Goldman Sachs have dedicated AI ethics boards, smaller banks often rely on ad-hoc committees or no formal oversight at all. The FDIC’s report notes that 42% of regional banks lack even basic model risk management policies for AI-driven lending or fraud detection systems.
Why the gaps matter
The study’s timing coincides with a surge in AI-related incidents across the financial sector. In May 2026, a Goldman Sachs trading algorithm misclassified risk models, leading to a $120 million loss after a third-party data vendor’s AI system flagged incorrect credit scores. The bank later disclosed that its internal AI governance team had not reviewed the vendor’s model before deployment—a failure the OCC cited in a subsequent enforcement letter.
Regulators are responding with stricter guidance. The OCC issued a bulletin in April 2026 requiring all banks to conduct annual AI risk assessments, while the FDIC has begun stress-testing banks’ AI controls as part of its 2027 supervisory cycle. “The bar is rising fast,” said Michael Hsu, acting comptroller of the currency, in a speech at the American Bankers Association conference. “Banks that don’t act now will face enforcement actions—or worse, reputational damage when things go wrong.”
Yet compliance remains uneven. A separate analysis by Deloitte, released this month, found that only 18% of banks surveyed had integrated AI risk into their broader operational risk frameworks. The rest treat AI as a siloed technology issue rather than a systemic threat. “The disconnect between AI’s strategic importance and its risk treatment is alarming,” said Priya Malhotra, a partner at Deloitte’s financial services risk practice. “Banks are treating AI like a black box when it should be a core part of their risk appetite statements.”
What happens next for banks and regulators

Industry observers expect the FDIC and OCC to accelerate enforcement in 2027, with potential penalties for banks that fail to align AI governance with their risk appetites. The study also highlights a growing divide between banks that treat AI as a competitive tool and those that view it as a controlled utility. “The winners in this space will be the banks that embed AI risk management into their culture—not just their compliance manuals,” said Sarah Johnson, head of financial services risk at Risk.net.
For now, the onus is on banks to act. The FDIC’s report includes a checklist of 12 best practices, from assigning a chief AI risk officer to conducting real-time monitoring of AI-driven decisions. But with only 22% of banks reporting progress on these measures, the clock is ticking. “This isn’t a theoretical risk anymore,” said Williams. “The question isn’t if AI will fail in a bank—it’s when.”
— Ahmed Hassan, News Directory 3
