- AI acts as a meta-risk, amplifying existing operational, cyber, and third-party risks
- Firms must adapt current risk frameworks to manage increased speed, scale, and complexity
- Training and clear accountability are key controls for third-party reliance and shadow AI
- Traceability of AI-driven decisions is a major governance challenge, beyond just data quality
- Long-term success depends on resilience and continuity when AI systems or providers fail
- Governance must evolve to manage AI-driven decisions, dependencies, and autonomous systems

Ahead of the Next Gen OpRisk Europe Summit, we spoke with Rayan Bhattacharya to explore how organisations are navigating the rapidly evolving risk landscape shaped by AI. He shares insights on why AI should be viewed as a “meta-risk,” the growing importance of resilience, and how firms can strengthen governance while continuing to innovate responsibly.

How is your organisation currently assessing the operational, ethical, and governance risks associated with AI in decision-making processes?

Rather than treating AI as a novel risk type, we view it as a strategic “meta-risk” that amplifies the speed, scale, and interconnectedness of existing risks. AI increases the surface area and velocity of risks we already manage, including data quality, technology and cyber, third-party, model, and operational resilience risks. The challenge is therefore less about creating entirely new frameworks and more about adapting existing ones to a faster-moving environment.

What controls do you find effective for managing risks arising from third-party AI solutions and shadow AI usage across the business?

As with other innovative third-party services, firms must manage dependency on AI providers given vendor concentration, high switching costs, and limited influence over provider governance. The key challenge is that firms increasingly outsource capability while retaining accountability for outputs. While enhanced TPRM, accountability regimes, and regulation may help over time, the most effective near-term control for both third-party and shadow AI remains firm-wide training that reduces human failure. This should be reinforced by meaningful consequence-management mechanisms that promote positive behaviours.

What are the biggest gaps or challenges you see when it comes to data quality, governance, and traceability for AI models and outputs?

The biggest immediate challenge for large banks is figuring out how to best internally govern AI use cases and outputs of AI models, which are provided largely by a small number of third parties over whom banks have limited visibility. The core issue is less data quality itself and more the traceability of how outputs influence decisions. Rather than relying solely on third-party governance, firms should establish internal standards ensuring AI-generated reasoning can be documented, reviewed, challenged, and understood before informing critical business decisions.

As AI adoption accelerates, how do you see organisations striking the right balance between enabling innovation and maintaining robust risk controls?

As with cloud adoption, many organisations have accelerated AI deployment due to competitive pressure, leaving risk and control functions racing to keep pace. Over time, however, success will depend less on how quickly firms adopt AI and more on how resilient the supporting ecosystem proves to be. Sustainable innovation comes from confidence that critical business activities can continue when AI systems, providers, or infrastructure fail.

Looking ahead, how will AI governance frameworks need to evolve to ensure accountability, transparency, and responsible use at scale across increasingly complex environments?

AI cannot scale across the financial sector, particularly complex large institutions, unless the wider ecosystem is resilient. Governance frameworks must evolve beyond model oversight toward managing AI-enabled decisions and dependencies. Firms need clear ownership, tested contingencies for model or platform failures, and active management of provider and infrastructure concentration risks. Agentic AI will require additional safeguards around autonomous decision-making. Equally, many organisations remain underprepared for the cyber resilience implications of frontier AI. Ultimately, progress will depend less on written frameworks and more on embedded business-as-usual practices.

Experienced CIB SME and former Senior Consultant, with experience across financial services strategy, risk and resilience, regulation, AI and innovation, and transformation. Proven track record of delivering global and regional leadership mandates in G-SIB institutions, engaging executives, and managing cross-continental teams. Currently, I hold a dual role as the Head of Global Resilience Frameworks & Assurance and UK Resilience Manager at Santander CIB. Additionally, I bring consulting advisory and business development experience across ~10 financial institutions from Avantage Reply, a pan-European financial services specialist consultancy.
