CEOs want risk leaders to use AI.

Not cautiously, not theoretically, but in ways that make the business faster, more consistent and more competitive. For regulated firms in the US, that pressure is already reaching Chief Risk Officers.

AI is being explored in credit decisioning, fraud detection, financial crime controls, surveillance, operational resilience, third-party oversight, regulatory reporting and enterprise risk management.

The question for CROs is no longer whether AI belongs in the risk function.

It is how to use AI without increasing the cost, complexity and headcount burden of managing the regulatory expectations around it.

That is not a simple balance. A highly regulated bank may see clear value in AI-enabled risk tooling, but every new use case can create additional work around validation, documentation, controls, monitoring and governance. The more critical the process, the more scrutiny follows.

In the US, that challenge is made harder by ambiguity. There is no single federal AI law that tells every regulated business exactly what good looks like. Much of the accountability sits inside internal policy, existing supervisory guidance, state-level activity and risk appetite decisions. That leaves firms with room to move, but also room to misjudge where the boundaries are.

For risk leaders, AI governance is becoming a workforce question as much as a policy question.

Why AI governance is moving up the CRO agenda

AI is attractive to CEOs because it promises scale. It can accelerate manual review, identify patterns faster than traditional controls, improve consistency across decision-making and reduce friction in risk processes.

For CROs, the value case is clear. The harder question is whether the governance model can keep up.

A risk team using AI to improve monitoring, testing or reporting still needs to explain how the tool works, what data it relies on, how it is validated, who owns the output, how exceptions are handled and what happens when the model behaves unexpectedly.

AI may reduce effort in one part of the risk function while increasing demand elsewhere, particularly across model risk, enterprise risk management, compliance, legal, technology risk and audit. If governance is not designed well, firms risk creating a faster process surrounded by heavier manual oversight.

The firms that get this right will not treat AI governance as a blocker. They will treat it as the operating discipline that allows AI to be used with confidence.

The US regulatory picture is still unclear

The US position on AI governance is fragmented.

NIST’s AI Risk Management Framework gives organisations a voluntary structure for managing AI risk, built around governance, mapping, measurement and management. It is not financial services specific, but it has become a useful reference point for firms trying to create internal AI control frameworks.  

For banks and other financial institutions, model risk guidance is still central. The Federal Reserve’s supervisory guidance on model risk management covers model development, implementation, validation, governance, policies and controls. Those principles are highly relevant as AI models become more complex, more embedded and more influential across regulated activity.  

There is also fresh movement from US banking regulators. In April 2026, the OCC issued updated model risk management guidance, coordinated with the Federal Reserve and FDIC, clarifying that practices should be risk-based and proportionate to an institution’s size, complexity and level of model use.  

At the state level, the picture is moving in a different direction. Colorado’s high-risk AI law, which covers areas including financial services, has become a focal point for debate and legal challenge. Reuters reported in April 2026 that the US Justice Department had intervened in xAI’s challenge to the law, which is due to regulate high-risk AI systems from 30 June 2026.  

For US risk leaders, the issue is not a lack of regulation. It is that expectations are developing across multiple routes at once.

That creates ambiguity. Internal policy becomes critical because firms often need to define their own thresholds for acceptable AI use, escalation, validation and oversight before regulation becomes fully settled.

Where AI governance sits inside the business

One of the most important questions is also one of the least settled: where should AI governance sit?

In some firms, it sits close to model risk because the primary concern is validation against guidelines. In others, it sits in technology risk, data governance, compliance or legal. Increasingly, AI governance is being pulled into enterprise risk management because the exposure cuts across multiple risk types at once.

AI risk is rarely isolated. A model used in a customer-facing process may involve conduct risk, operational risk, data risk, third-party risk, compliance risk and reputational risk. A vendor platform used in financial crime controls may raise questions around explainability, dependency, data usage, resilience and auditability.

ERM can provide the cross-functional view that AI governance needs. It can connect risk appetite, policy, taxonomy, control frameworks, board reporting and ownership across the three lines.

But ERM cannot do it alone.

Model risk still needs to be validated. Compliance still needs to interpret regulatory expectations. Technology risk still needs to understand systems, access, resilience and change. Data teams still need to evidence lineage, quality and usage rights. Business owners still need to be accountable for how AI is used in practice.

The ownership model matters because it shapes hiring.

A firm that places AI governance inside ERM will need people who can coordinate across functions, translate risk exposure into policy and report clearly to senior committees. A firm that places it inside model risk will need deeper validation capability. A firm that embeds it across the business will need risk professionals with stronger technical literacy and stakeholder influence.

Why model risk is becoming central to AI governance

Model risk has always been about challenge.

That makes it one of the most important functions in AI governance, particularly for highly regulated banks and financial institutions. AI models need to be validated against internal guidelines, supervisory expectations and agreed risk appetite. That includes testing methodology, data quality, assumptions, performance, limitations, monitoring and change control.

The difficulty is volume.

As more teams experiment with AI-enabled tools, model risk functions can quickly become a bottleneck. Not every use case will require the same level of validation, but firms still need a clear way to decide which tools are high impact, which require formal review and which can be governed through lighter controls.

That calls for judgement, not just a technical process.

Model risk professionals need enough understanding of AI methods to challenge performance and explainability, but they also need to understand the business consequences of the model. A low accuracy issue in one context may be tolerable. In credit, fraud, sanctions, customer treatment or regulatory reporting, it may not be.

This is where hiring demand is likely to sharpen through 2026.

Firms will need people who can validate AI systems, document the rationale, challenge vendors, work with data science teams and defend the governance approach to internal stakeholders.

The hidden cost of AI adoption in risk

An AI tool may reduce manual review time, but increase the need for policy development, independent validation, control testing, monitoring, documentation, committee reporting and audit engagement. In a highly regulated bank, each use case can create a longer governance trail.

That does not mean AI becomes commercially unattractive. It means the business case needs to include the cost of responsible use.

The most mature firms will ask:

  • Which AI use cases genuinely reduce risk function effort?

  • Which use cases create new validation or oversight requirements?

  • Where does internal policy need to be clearer?

  • Which models require formal model risk review?

  • Which vendor tools need enhanced third-party risk assessment?

  • Which controls can be automated without weakening accountability?

  • Which teams need additional headcount or training to manage the governance load?

The risk for firms is adopting AI quickly, then discovering that the operating model around it is too manual, too unclear or too dependent on a small number of specialists.

The roles US regulated firms are starting to need

AI governance is creating demand for hybrid talent.

These are not purely technical roles, and they are not traditional risk roles with “AI” added to the job description. They sit between risk, regulation, data, technology and the business.

Demand is likely to build across roles such as:

  • AI Governance Lead

  • Enterprise AI Risk Manager

  • Model Risk Manager

  • AI Model Validation Lead

  • Technology Risk Manager

  • Operational Risk and Controls Lead

  • Third Party AI Risk Specialist

  • Data Governance and Controls Manager

  • Regulatory Change Manager focused on AI

  • AI Policy and Risk Framework Manager

The job title is less important than the skill combination underneath it.

Firms need people who can ask whether a model is explainable, whether the data is appropriate, whether the vendor can evidence its controls, whether the use case falls inside model risk policy, whether ERM has clear sight of the exposure, and whether the business can defend the decision if challenged.

That requires curiosity, technical literacy and regulatory judgement.

Where the talent gap starts to appear

Many risk functions already have strong capability in model risk, operational risk, compliance testing, technology risk and regulatory change. The issue is that AI governance cuts across all of these areas at once.

  1. A model validator may understand methodology but not own the customer process.

  2. A compliance leader may understand regulatory exposure but not the mechanics of model performance.

  3. A technology risk specialist may understand access, resilience and change control but not conduct implications.

  4. A business owner may understand the value of the use case but not the evidence standard needed around it.

This creates a gap that cannot be solved by hiring one 'AI person'.

The stronger approach is to build capability around the real exposure. That may mean hiring specialist model risk talent, placing AI governance inside ERM, upskilling operational risk teams, bringing data governance closer to compliance, or appointing senior leadership to own AI risk across the three lines.

The right structure depends on the firm. The need for clearer accountability does not.

What this means for US risk leaders

For US risk leaders, the practical question is not whether AI regulation will arrive. Existing obligations are already enough to require action, and state-level activity is adding further pressure.

The more useful question is where AI is already influencing decisions, controls or customer outcomes.

That means mapping use cases across the business, including vendor tools and embedded automation. It means asking whether each use case has an owner, a control framework, a validation route and a reporting mechanism. It also means being honest about whether current teams have the capacity and expertise to review AI use at the pace the business wants to adopt it.

Several pressure points are likely to define hiring demand:

  • Model risk teams will need more capacity for AI validation and monitoring

  • ERM teams will need clearer ownership of enterprise AI risk frameworks

  • Operational risk teams will need a stronger understanding of automated control environments

  • Compliance teams will need to interpret emerging AI expectations across states and sectors

  • Third-party risk teams will need to assess vendors using AI in critical processes

  • Data governance teams will need clearer ownership of lineage, quality and usage rights

  • Senior risk leaders will need to explain AI exposure to boards and regulators

This is where talent strategy becomes part of risk strategy. Without the right people, AI governance becomes a framework on paper rather than a working control environment.

Why role design will matter

AI governance candidates are still an emerging talent pool, which means firms need to be careful about role design.

A job description asking for AI, model risk, compliance, data, technology, regulation, controls, stakeholder management and senior reporting may describe the problem accurately. It may not describe a realistic candidate.

Many strong candidates will come from adjacent backgrounds, including model validation, technology risk, cyber risk, operational resilience, financial crime analytics, data governance, audit, regulatory change or ERM.

The common thread is not identical experience. It's the ability to challenge complex systems, work through ambiguity and translate risk into controls the business can use.

Where external rules are unclear, internal policy carries more weight. Firms need people who can help define what acceptable use looks like, not only enforce rules that already exist.

What this means for hiring in 2026

Early work has focused on strategy, principles and policy. The next wave will focus on implementation: controls, testing, validation, vendor challenge, reporting, remediation and committee evidence.

That has a direct impact on hiring plans.

Regulated firms will need to decide whether they are building centralised AI governance teams, placing AI risk inside ERM, strengthening model risk, embedding expertise into existing functions, or creating a hybrid model across the three lines.

Each structure requires a different talent profile.

A centralised team may need senior governance leadership, policy capability and enterprise reporting strength. An ERM-led model may need people who can coordinate across risk types and manage ambiguity. A model risk-led structure may need deeper validation capability. An embedded model may need risk professionals with enough technical fluency to work directly with business and technology teams.

There is no single answer. Hiring should follow the way AI is actually being used.

Commercial bridge

AI governance is often framed as a regulatory challenge. For regulated businesses, it is becoming a workforce challenge too.

CEOs want CROs to use AI because the efficiency case is compelling. CROs need to make sure adoption does not create a larger, more expensive governance burden than the business expected.

Broadgate supports regulated businesses across Risk, Legal, Compliance and Financial Crime, Accounting, Sales and Relationship Management, and Transformation and Change. For firms building AI governance capability, that means access to talent across the functions most exposed to AI-related accountability, from model risk and ERM through to regulatory change, technology risk and controls.

FAQ

What is AI governance in financial risk?

AI governance in financial risk is the way regulated firms assign accountability, controls and oversight to AI systems that influence financial decisions, customer outcomes, risk reporting or regulated processes.

Where should AI governance sit in a regulated firm?

AI governance can sit in different places depending on the firm’s structure and AI use cases. In many companies, it's moving into enterprise risk management because AI exposure cuts across model risk, operational risk, technology risk, compliance, legal and data governance.

Why is model risk important for AI governance?

Model risk is central because AI systems need validation against internal guidelines, supervisory expectations and agreed risk appetite. That includes testing performance, assumptions, data quality, limitations, monitoring and change control.

Why is AI governance difficult in the US?

The US does not have one single federal AI rule for all regulated businesses. Firms are working across voluntary frameworks, existing model risk guidance, state-level activity, supervisory expectations and internal policies, which creates ambiguity around what good governance should look like.

What skills are needed for AI governance roles?

AI governance roles typically require risk judgement, regulatory understanding, data literacy, model oversight, control design, stakeholder management and the ability to challenge technical teams.

Do AI governance professionals need to be technical?

They do not always need to be engineers or data scientists, but they do need enough technical literacy to understand how AI systems work, where they can fail, and what evidence is needed to govern them properly.

Don’t Let AI Governance Gaps Become Regulatory Exposure.

Speak to Broadgate’s Connor Nurse to identify the roles, skills and leadership your business needs across model risk, ERM, operational risk, technology risk and regulatory change.