{"id":34343,"date":"2026-06-26T14:03:29","date_gmt":"2026-06-26T12:03:29","guid":{"rendered":"https:\/\/sii.pl\/blog\/?p=34343"},"modified":"2026-06-26T14:03:48","modified_gmt":"2026-06-26T12:03:48","slug":"undreamed-risk-management-revolt-how-gen-ai-and-agentic-ai-are-reshaping-the-effective-challenge","status":"publish","type":"post","link":"https:\/\/sii.pl\/blog\/en\/undreamed-risk-management-revolt-how-gen-ai-and-agentic-ai-are-reshaping-the-effective-challenge\/","title":{"rendered":"Undreamed risk management revolt: How Gen AI and Agentic AI are reshaping the effective challenge"},"content":{"rendered":"\n
The implementation of artificial intelligence in the financial sector is no longer just a technological novelty for marketing and operations. It is now the foundation for cost optimization and a structural element of risk management, and will soon be vital to the security of the entire financial sector.<\/p>\n\n\n\n
This article explores the evolving governance and challenges associated with deploying Gen AI and Agentic AI within risk functions. We discuss the benefits, costs, and impacts on process quality, simultaneously highlighting the crucial role of “effective challenge” in the new technological landscape and the latest regulatory views on model definition.<\/p>\n\n\n\n
AI Assistants and Agents \u2013 everywhere, i.e., including risk<\/strong><\/strong><\/h2>\n\n\n\n
The adaptation of Gen AI solutions, Large Language Models (LLMs), and autonomous Agentic AI systems is permanently altering the architecture of operational workflows and risk management. This is no longer an experimental phase but a requirement of our “fast-paced” times, where the pressure to cut operational costs, save time, and improve verification quality forces radical decisions that reach the deepest parts of organizations, including risk and audit.<\/p>\n\n\n\n
These tools are revolutionizing daily “effective challenge” \u2013 on the one hand, reducing the time required for deep analysis from weeks to minutes, which drastically improves the overall security of banks, particularly in IT, Resilience, and Cybersecurity. On the other hand, internal human understanding of organizational processes is degrading, and this deployment generates significant cyclic and initial costs related to infrastructure, cloud, and competencies.<\/p>\n\n\n\n
The paradigm shift over the past year is that financial institutions have stopped wondering whether to implement these solutions and have started designing their repositories, governance, and independent reviews or challenges more boldly, yet rigorously.<\/p>\n\n\n\n
Model or not a model \u2013 does it matter?<\/strong><\/strong><\/h2>\n\n\n\n
Classic machine learning for models in financial and non-financial risk has long fit within the standard model lifecycle and the use of internal methods for calculating regulatory and economic capital. Conversely, systems utilizing Gen AI, NLP, CV, or AI Agents and assistants fall outside the traditional regulatory definition, even when the model engine is based on foundation models and trained using neural networks.<\/p>\n\n\n\n
From the perspective of regulatory definitions such as the PRA or the latest OCC revisions, text generation by Gen AI or task automation using Agentic AI does not necessarily constitute a model in the narrow sense, subject to the typical pre-implementation validation for internal models based on a specific “use case”.<\/p>\n\n\n\n
Merely asking “is this a model?” is no longer sufficient, and it may not even matter when the most critical task becomes determining its contribution to a decision, business impact, outcome criticality, and the “boundaries” of the model’s application and its “outcome”. Automation is a business decision dictated by the benefits of process agility, but the effectiveness of risk management cannot be weakened by the generation of “AI slop”.<\/p>\n\n\n\n
Governance for Gen AI and Agentic AI \u2013 different or agile?<\/strong><\/strong><\/h2>\n\n\n\n
The shift in gravity involves shifting focus from the algorithm itself to accountability for outcomes, data quality, and the right to halt the process. AI governance must actively integrate model owners, validators, risk function owners, and regulatory compliance, with a focus on fairness and ethics.<\/p>\n\n\n\n
Deterministic controls such as “Human in the loop” or “Human on the loop” cannot merely be a symbolic formal step; they must constitute genuine expert control providing space for rigorous “review”, “challenge”, and “escalation”. Creating separate frameworks and risk\/control matrices (GRC) for Gen AI\/Agentic AI loses its meaning when it consumes the capacity of combined lines of defense (3LoD, according to IIA) or duplicates review and attestation processes.<\/p>\n\n\n\n
Is validation necessary? From tests to the lifecycle of an Agent or Agent Networks<\/strong><\/strong><\/h2>\n\n\n\n
Independent validation of Gen AI or Agent Networks cannot be limited to point-in-time precision assessments, prompt security, RAG databases, or even vulnerability scanning.<\/p>\n\n\n\n
The risk of deploying Gen AI or Hubs is distributed across the entire implementation and operational continuity chain: “input”, “retrieval”, “model inference”, “output”, and the “feedback loop”.<\/p>\n\n\n\n
The foundation here consists of four pillars:<\/p>\n\n\n\n
\n
data first,<\/li>\n\n\n\n
materiality-driven scope,<\/li>\n\n\n\n
end-to-end validation,<\/li>\n\n\n\n
continuity in controls.<\/li>\n<\/ul>\n\n\n\n
This means a deeper review of Tools\/Skills or access to MCP servers for Agents and Agent Networks, including hallucination testing, verifying the robustness and stability of results, and continuous monitoring in the production environment for model drift.<\/p>\n\n\n\n
Where does AI tangibly strengthen the second line of risk management?<\/strong><\/strong><\/h2>\n\n\n\n
Deploying these innovations or improvements in the second line of defense is not about blindly automating decision-making processes based on expert judgment. It serves to improve the effectiveness of hard controls:<\/p>\n\n\n\n
\n
agile test automation in a low-code\/no-code architecture,<\/li>\n\n\n\n
generation of insightful “model findings”.<\/li>\n\n\n\n
\u00a0all “issues”, and the efficient preparation of validation or effective challenge reports.<\/li>\n<\/ul>\n\n\n\n
It also streamlines the aggregation of distributed data for risk management purposes in the spirit of BCBS 239, resulting in significant time savings.<\/p>\n\n\n\n
The multitude of advisory and consultation forums and committees \u2013 which are highly static elements of the structures connecting lines of defense and risk management \u2013 is significantly accelerated by the use of agentic transcriptions, auto-summaries, and notes that direct actions and responsibilities, along with their execution deadlines.<\/p>\n\n\n\n
In essence, it also supports mutual understanding of risk and explains the adequacy of controls for given situations.<\/p>\n\n\n\n
Risks within risk that cannot be ignored<\/strong><\/strong><\/h2>\n\n\n\n
Autonomous, unsupervised use of artificial intelligence is a direct path to reinforcing multiple “biases”, eroding the need-to-know principle, and weakening the independence of the second line of defense by relying on predefined, automated conclusions that apply to everything.<\/p>\n\n\n\n
Even though some tools are not, by definition, models and are not subject to strict validation regimes, this in no way absolves institutions of full accountability for the product or its impact on the reliable functioning of Agentic AI products within the risk management and decision-making system.<\/p>\n\n\n\n
Implementing proportionate governance embedded within existing risk, control, and monitoring taxonomies is an absolute prerequisite. AI Assistants and Agents tangibly boost production capacity, but the significance of “effective challenge” remains unchanged.<\/p>\n\n\n
![\"\"](\"https:\/\/sii.pl\/blog\/wp-content\/uploads\/2026\/04\/Blog-CybersecDesktop_.jpg\")
\n <\/picture>\n \n \n