Risk · May 2026 · 18 min read

AI Governance for Financial Institutions: A CRO's Action Framework

The supervisory perimeter for AI in financial services is now six sources wide. The EU AI Act is becoming binding. ISO 42001 and the NIST AI RMF set the operating standard. SS1/23 holds the model-risk line. SM&CR Section 36 and the Consumer Duty pull AI into individual accountability. UK GDPR Article 22 and the ICO AI Audit framework cover automated decisions. This briefing translates each source into what the CRO must do — and into one control library the bank can build once and use six ways.

By LINXS Advisory

6 sources to reconcile: EU AI Act · ISO 42001 · NIST · SS1/23 · SM&CR · ICO
2 August 2026: EU AI Act Annex III high-risk obligations apply
7% maximum AI Act fine: worldwide annual turnover (Article 99)

01 The Source Landscape

Six sources govern AI in financial institutions today, with different scope, different teeth and overlapping obligations. Model risk management (MRM) has always covered stochastic models — VaR, Monte Carlo, IRB — but the AI gap is wider: outputs that resist characterisation, vendor models the bank cannot inspect, autonomous action, customer rights, and a data perimeter MRM never owned.

EU AI Act (Regulation 2024/1689) · Binding · EU
Risk-tier rulebook. Articles 9, 10, 13, 14, 15, 17, 27 and 43 set the obligations for high-risk AI; most of them fall on the provider, while the deployer's own duties sit in Article 26. Annex III applies from 2 August 2026. Fines up to 7% of worldwide annual turnover.

ISO 42001 + NIST AI RMF (ISO/IEC 42001:2023 · NIST AI RMF 1.0) · Voluntary, expected · Operating standard
Operating standards for an AI Management System. ISO 42001 is certifiable; NIST gives the Govern-Map-Measure-Manage scaffolding for trustworthy AI.

PRA SS1/23 (Model risk management principles) · Binding · UK
Five principles: identification, governance, development, validation, mitigants. AI/ML is in scope. Firms must complete an annual self-assessment.

FCA SM&CR + Consumer Duty (FSMA s.66A · PRIN 2A) · Binding · UK
The Section 36 reasonable-steps duty and the four Consumer Duty outcomes both reach AI decisions that affect customers, and both attach to senior-manager accountability.

UK GDPR Art. 22 + ICO AI Audit (Automated decisions · ICO toolkit) · Binding · UK
Right not to be subject to solely automated decisions with legal or similarly significant effect. The ICO AI Audit framework sets accountability and governance expectations.

US — SR 11-7 legacy (Interagency MRM guidance) · Non-enforceable · US
SR 11-7 was rescinded in April 2026 and replaced with a non-enforceable principles statement. An interagency RFI on GenAI is expected in Q2–Q3 2026.

02 From Sources to Action

The highest-priority obligations across the six sources, translated into CRO actions. Each row answers more than one regulator at once.

Source / Article
  Requires: what the source demands
  CRO action: what the CRO does

EU AI Act — Art. 9, 10, 13–15
  Requires: risk management, data governance, transparency, human oversight, accuracy.
  CRO action: one AI risk register per use case; data-quality controls with documented lineage; a named human overseer per system.

EU AI Act — Art. 17, 27, 43
  Requires: quality management system, Fundamental Rights Impact Assessment (FRIA), conformity assessment.
  CRO action: merge the FRIA with the DPIA workflow (Art. 27 requires the FRIA of the bank as deployer for the credit-scoring and life/health-insurance pricing systems listed in Annex III point 5); decide the assessment route per tier-A system; build the technical file; register in the EU database where the bank is the provider, or becomes one under Art. 25 by rebranding, substantially modifying or repurposing a system.

ISO 42001 — Clauses 5, 6, 8 + Annex A
  Requires: board-level AI policy, AI risk assessment, system impact assessment, 38 reference controls.
  CRO action: use the ISO 42001 gap analysis as the spine of the group framework; close gaps through the existing 2LoD functions, not a parallel team.

NIST AI RMF — Govern · Map · Measure · Manage
  Requires: accountability, context categorisation, trustworthy-AI metrics, risk response.
  CRO action: adopt the seven NIST trustworthy characteristics as the AI metric backbone; report material AI incidents through the existing ORM channel.

PRA SS1/23 — Principles 1, 2, 4
  Requires: identification and tiering, board / SMF governance, independent validation with effective challenge.
  CRO action: group AI inventory tiered A/B/C; quarterly board MI; structural separation of validation preserved regardless of US softening.

PRA SS1/23 — Principle 5 + self-assessment
  Requires: documented mitigants (override, rollback, kill-switch); firm-level annual self-assessment.
  CRO action: a self-assessment evidence pack designed to also serve EU AI Act conformity, the ISO 42001 audit and the FCA reasonable-steps test.

FCA SM&CR — FSMA s.66A + Section 36
  Requires: senior-manager duty of responsibility; reasonable steps to ensure AI-relevant controls are effective.
  CRO action: Statement of Responsibilities names AI risk; quarterly reasonable-steps log; AI-specific training for SMF and certified staff.

FCA Consumer Duty — PRIN 2A
  Requires: four outcomes (products, price & value, understanding, support); foreseeable-harm test on AI decisions.
  CRO action: AI customer-journey impact assessment with vulnerable-customer carve-outs; a logged human escalation route for every AI-handled query.

UK GDPR Art. 22 + Art. 35
  Requires: right not to be subject to solely automated decisions; DPIA for high-risk processing.
  CRO action: inventory solely automated decisions; build genuine human review (not a rubber stamp); a single DPIA + FRIA + SS1/23 template, co-signed by the DPO and the CRO.

ICO AI Audit framework
  Requires: accountability and governance; fairness, accuracy and security; individual rights including erasure.
  CRO action: map ICO principles to the ISO 42001 leadership clauses; one set of board AI minutes serves both; SAR / erasure workflow live for training data.

03 Build Once, Use Six Times

Each control area below is required, in some form, by multiple sources. Build the control once; map it to the source language each regulator uses. Built separately, the bank pays six times. Built once, every row answers six audit conversations.

Control area (mapped to: EU AI Act · ISO 42001 · NIST RMF · SS1/23 · SM&CR / CD · GDPR / ICO)
  • AI inventory & tiering
  • AI policy & risk appetite
  • Per-system risk assessment
  • Data governance & quality
  • Validation & testing
  • Human oversight by design
  • Customer-impact assessment
  • Monitoring & incident response
  • Documentation / technical file
  • Board MI & accountability
Legend: direct obligation · indirect / supporting

04 The CRO's Action Plan

Three phases of thirty days to a defensible operating standard. Four quarters to a fully evidenced framework. Each quarter ships an external artefact.

Days 1–30 · Mobilise
Authority, scope, sponsors
Set the mandate before the work.
  • Convene AI governance committee under a board-approved charter.
  • Designate the accountable executive — SMF for UK, AI lead for group.
  • Confirm SoR updates and reasonable-steps logging cadence.
  • Authorise inventory + gap-analysis mandate across the six sources.
  • Pick operating standard — ISO 42001 + NIST RMF + SS1/23 spine.
Days 31–60 · Discover
Inventory, gaps, hotspots
Find what you have before you fix it.
  • Complete the group AI inventory; tier per Annex III + SS1/23 materiality.
  • Find shadow GenAI and embedded vendor AI; bring it under policy.
  • Run gap analysis against the six-source matrix; flag tier-A gaps.
  • Identify Art. 22 / Consumer Duty hotspots; pause if controls absent.
  • Brief the board on inventory, top ten risks, required investment.
Days 61–90 · Frame
Policy, library, evidence
Stand up the operating standard.
  • Issue the group AI policy aligned to the highest of the six sources.
  • Publish the consolidated control library and ownership map.
  • Stand up the evidence pack: AI risk register, model cards, DPIA / FRIA.
  • Decide EU AI Act conformity routes per tier-A system.
  • Set the 12-month roadmap; lock board MI and reporting cadence.
Q1 · Mobilise
Internal kick-off
  • AI governance committee live; SMF designated.
  • Group AI inventory and tier A/B/C complete.
  • Six-source gap analysis signed off by board.
  • Group AI policy issued; control library published.
Q2 · EU AI Act ready
2 August 2026 · Annex III
  • FRIA + DPIA templates merged; tier-A systems assessed.
  • Technical files (Art. 11) drafted; logs (Art. 12) enabled.
  • Conformity assessment route chosen per system (Art. 43).
  • EU database registration; deployer notices updated.
Q3 · UK self-assessment
SS1/23 annual cycle
  • First AI-inclusive SS1/23 self-assessment delivered.
  • Statements of Responsibilities updated; reasonable-steps log live.
  • Consumer Duty outcome testing extended to AI journeys.
  • ICO AI Audit remediation; SAR / Art. 22 workflows live.
Q4 · Operating standard
ISO 42001 readiness
  • ISO 42001 internal audit completed; certification optional.
  • NIST AI RMF profile published for the group.
  • AI risk integrated into ICAAP, ILAAP, recovery planning.
  • Board annual AI report; 2027 plan approved.

05 AI Governance Calendar to 2028

The window to early 2028 is heavy on AI-specific obligations. Three rules survive the calendar: design the policy once to the highest bar; build the evidence library to serve every source from one drawer; and appoint a single accountable executive before the inventory work begins.

Q2 2026 · AI Gov, Group
  Item: establish a single AI inventory across UK, US, EU.
  CRO action: appoint the accountable SMF / exec; lock the taxonomy.

Q2–Q3 2026 · AI, US
  Item: US interagency RFI on AI (expected).
  CRO action: pre-position the group response; align the SS1/23 narrative.

2 Aug 2026 · AI, EU
  Item: EU AI Act — Annex III high-risk obligations apply.
  CRO action: conformity assessment; FRIA; EU database.

H2 2026 · AI, UK
  Item: PRA AI Consortium report and biennial AI survey.
  CRO action: refresh the AI register; brief the board on findings.

Year-end 2026 · AI Gov, Group
  Item: first annual SS1/23 AI-specific self-assessment.
  CRO action: remediation plan finalised and board-approved.

Q1 2027 · AI, US
  Item: revised US guidance expected post-RFI.
  CRO action: gap analysis vs the group standard; document exceptions.

2 Aug 2027 · AI, EU
  Item: EU AI Act — Annex I product-embedded high-risk rules apply; GPAI models placed on the market before 2 August 2025 must be brought into compliance.
  CRO action: legacy GPAI sweep; Annex I product-embedded review.
Practitioner Insight

The CRO test for 2026–2027 is not which framework the bank picks. It is whether the bank can carry six sources through one operating model.

Pick the highest bar, build the evidence once, and let each regulator draw from the same drawer.

Recalibrating AI governance?

LINXS Advisory works with banks and asset managers on AI inventory, EU AI Act conformity assessment, SS1/23 self-assessments, ISO 42001 readiness and group AI policy design across the US, UK and EU.
