As we move into 2026, most large capital markets institutions have moved beyond AI pilots. AI systems are now embedded in daily workflows—supporting research discovery, summarizing complex materials, assisting client interactions, and informing decisions during periods of market volatility.
Across global banks, these systems are no longer peripheral tools. They are production systems that employees rely on every day.
That shift naturally raises a different question for leadership teams, boards, and regulators: are existing governance and Model Risk frameworks keeping pace with how AI is actually being used?
Over the past year, the pace of AI deployment across banking has been matched by a noticeable increase in regulatory attention. Institutions moved quickly to adopt AI capabilities. Supervisors are now asking how those systems are governed, validated, and explained.
This tension is understandable. Many Model Risk Management frameworks were designed for statistical models that evolve slowly and operate within clearly bounded parameters. They were not written with large language models in mind—systems that consume vast amounts of unstructured information and generate natural-language outputs that may influence investment, credit, or client decisions.
As a result, Model Risk teams are often asked to validate systems that are already in use, without tooling or processes designed for this new class of model. That gap is not theoretical; it shows up in board discussions, regulatory exams, and internal audit reviews.
Explainability is increasingly treated as table stakes. But in practice, explainability does not begin with the model—it begins with the inputs.
When AI systems assist analysts, bankers, or advisors, the defensibility of the output depends on whether the underlying research and data are structured, attributable, and governed. If the content feeding an AI system is fragmented, poorly tagged, or inconsistently sourced, the system inherits those weaknesses.
When a supervisor asks why a recommendation was generated, the answer must trace back to identifiable research inputs: who authored them, when they were created, and under what assumptions. Without that lineage, even well-intentioned AI systems become difficult to validate and harder to defend.
This is especially relevant in environments where institutions are responsible for all models they deploy, including those sourced from vendors. If an external AI tool cannot demonstrate attribution and provenance, the explainability gap ultimately sits with the bank.
For research leaders, the implications are immediate. AI can materially improve productivity and coverage—but only when it can reliably find, interpret, and cite the right content at the right time.
Firms that treat research content as infrastructure—structured from creation, governed centrally, and traceable across workflows—are better positioned to introduce AI responsibly. In those environments, validation becomes possible because the chain from research to AI output to decision remains intact.
Firms that rely on unstructured documents and ad hoc repositories face a different reality: productivity gains are harder to sustain, explainability breaks down under scrutiny, and governance becomes reactive rather than designed.
In Europe, the EU AI Act will come fully into force in August 2026, with high-risk systems subject to explicit governance, documentation, and oversight requirements. Supervisory priorities across the ECB and national regulators are already reflecting this shift.
Other jurisdictions are moving along parallel tracks. While the specifics differ, global institutions increasingly face overlapping expectations around AI governance, transparency, and risk management. For firms operating across regions, this points toward a common architectural challenge: building systems that can satisfy the highest standard consistently.
The institutions making progress tend to focus less on AI as a standalone capability and more on whether their underlying research and data foundations can support it.
When content is structured, attributable, and governed, AI systems can inherit those properties. When it is not, Model Risk teams are left trying to impose control after the fact.
The question many firms are now grappling with is not whether to use AI, but whether their existing infrastructure allows AI to operate in a way that is explainable, defensible, and scalable.
I’ll be in London the week of February 9, meeting with banking leaders to discuss how institutions are navigating the space between AI adoption and Model Risk validation—particularly in light of upcoming regulatory milestones.
If your organization is working through these questions, I’d welcome the opportunity to compare notes and perspectives while I’m there.