Insights from the AI Risk Summit 2025
Many thanks to the teams at ValidMind and Experian for the opportunity to kick off their AI Risk Summit in New York City on 2 December 2025. It was a great opportunity to hear about the real opportunities and challenges facing model risk, operations and governance, risk and compliance (GRC) practitioners today as machine learning (ML) and artificial intelligence (AI) models find their way into retail finance, credit, trade and treasury, cyber fraud operations and other areas of modern financial markets.
Here are a few of our key takeaways from the event:
- The next two years will be crucial for establishing scalable governance programs for enterprise AI systems. For those on the front line of these innovations in 2024 and 2025, embedding GRC functions for AI systems within the first-line business risk function has been a game changer, particularly when deploying AI systems with ‘structured’ data, known data and standard process flows. The AI risk payoff has come to these innovators in the form of strategic clarity, buy-in, organizational alignment and leadership. Skills, particularly in data and model engineering, remain the most prominent gating factors.
- Although regulatory clarity will take some time to surface, most risk technology practitioners believe that waiting is not an option. The ISO and NIST AI risk frameworks contained in the EU AI Act (the binding law that imposes prescriptive obligations, especially for ‘high-risk’ and certain general‑purpose AI [GPAI] models) are sufficiently complementary and provide the guardrails for moving AI governance forward in critical areas, including:
  - Governance processes, such as inventorying and categorization.
  - RiskTech-enabling AI governance.
  - Risk assessments and tiering.
  - Data and model management.
  - Oversight and transparency.
The market has realized that it continues to be difficult to define AI-focused regulations from a compliance perspective, as issues that stem from AI, such as biased decision-making and codes of conduct, can fall under broader regulatory concerns. The pace of AI innovation – and the effort and energy required to adopt new use cases – will most likely continue alongside uncertain and still-forming regulatory expectations.
At the same time, businesses are contending with what we believe to be more immediate, tangible challenges on the other side of the AI coin: the risk of increasingly sophisticated AI-enabled cybercrime and the nefarious use of AI to defeat today’s enterprise risk and governance infrastructure. Combatting these threats requires a broader view of AI risk that addresses not only how to deploy AI safely, transparently and in alignment with enterprise risk appetite and regulatory expectations, but also where AI can measurably improve the detection, response and cost-efficiency of cybersecurity programs that constantly face sophisticated and well-funded attackers (such as AI-enabled malware strains).
- Conversations at the AI Risk Summit further confirmed our opinion that AI governance is an emerging market forming at the intersection of AI systems, model risk management (MRM), classic GRC, ML operations (MLOps) and cybersecurity. GRC principles, practices and tooling developed over the past decade of investment in financial MRM and DevOps architectures, including additional quantification and metrics-based practices, will converge over the next few years to form the heart of AI governance programs. Effective AI governance programs have become pivotal for accelerating AI adoption and translating the technical innovations of AI/ML into business value. Product strategies are already introducing this intersection in the form of M&As between classic GRC and AI governance point solutions, partnerships and application programming interfaces (APIs).
What to watch in AI risk and governance in 2026
- As governance programs mature and use cases become clearer, success in enterprise AI initiatives increases and confidence grows. Technical and compliance standards also help to drive regulatory consensus.
- GRC principles, MRM and DevOps practices become embedded and expand with new tooling in AI system development, deployment and operations.
- AI governance tooling creates confidence in the first line of defense and new pathways for judging and benchmarking compliance capabilities and independent audit functions.
- As agentic and agent-based applications mature, enterprise AI codes of conduct built from those developed for humans begin to emerge as stakeholder responsibilities and technical capabilities advance.
Copyright Infopro Digital Limited. All rights reserved.