DiGi Advisory
All insights

AI in Financial Services

AI Risk Needs a Home and a Yardstick: Building Quantitative Discipline Before the Tools Reach the Core

By Thomas DiGiovanni, Partner and Founder

July 1, 20265 min read

The Financial Stability Board's June 2026 consultation gives AI risk a home inside the governance framework institutions already run. The firms that pass supervisory scrutiny will be the ones that can name the owner, measure the system, and report the result before anyone asks.

On June 10, 2026, the Financial Stability Board (FSB) published a consultation report, Sound Practices for Responsible Adoption of Artificial Intelligence (AI). Its twelve sound practices do something quietly important: they give AI risk a home, a yardstick, and a reporting line, all inside the governance framework an institution already runs. AI is not treated as a novel category demanding a parallel structure. It is treated as a risk to be owned, measured, and reported like any other. The comment period runs through July 22, 2026, with a final report expected in October.

That framing matters because most mid-sized banks and credit unions are past the question of whether AI will enter the institution. It is already in the environment, sanctioned and unsanctioned. The open question is whether anyone owns it, and whether its performance can be measured against a standard rather than trusted on faith.

Give AI risk a home before it reaches the core

The FSB's first four sound practices address organization-wide governance: accountability, risk appetite, and board-level oversight. The remaining practices cover managing AI risk through the stages of development and deployment, and the cyber, information technology, and third-party dimensions that come with it. The through-line is ownership. An AI tool that touches customer data or feeds a lending decision is not a productivity feature. It is a governed system with an accountable owner, a defined risk classification, and a place in the institution's existing risk reporting.

The most common weakness is not the absence of policy. It is that AI sits in the gaps between functions. Technology deploys it. A business line uses it. Risk and compliance learn about it later. When an examiner asks who owns the model and how its risk is classified, the answer takes a meeting to assemble.

Classify by stakes, then match the yardstick to the class

Not every AI system deserves the same scrutiny. A tool that summarizes internal documents carries limited risk. A system that informs credit decisioning carries high risk, and the governance intensity should follow the stakes. Classification is the decision that drives everything downstream: how tightly the system is controlled, how often it is monitored, and what evidence the institution keeps.

The yardstick then has to match the class of system. Generative systems can be measured on groundedness and faithfulness scored against a curated reference set, along with error and hallucination rates. Agentic systems, which act rather than answer, call for operational telemetry: task-completion accuracy, exception rates, and the points where a human takes back control. The FSB consultation acknowledges that continuous human review of every autonomous decision is impractical at scale, which makes measured, automated monitoring a requirement rather than a nicety.

Four decisions that separate measurement from theater

Defining a metric is the easy part. Four design decisions determine whether the measurement means anything. First, threshold-setting: what score is acceptable, and what score triggers escalation or shutdown. Second, trusted reference data: the curated set the system is scored against, which has to be maintained and defended. Third, how metrics combine, because a single number rarely captures a system's behavior and the wrong composite can hide a failure. Fourth, monitoring frequency: how often the yardstick is applied, calibrated to the risk classification rather than set once and forgotten.

Skip these, and an institution has dashboards without discipline. A high-risk system has no excuse for being governed on faith.

The window is the comment period

The consultation is public. The comment period runs through July 22, 2026, and the final report is expected in October. By the time supervisory expectations harden around these practices, the institutions that treated the consultation as a planning window will already have their AI inventory classified, their owners named, and their measurement approach documented.

For a risk officer, the sequence is simple to state and harder to execute. Define it before you deploy it. Measure it before you trust it. Report it before you are asked.


Back to all insights

A 15-minute triage call to find the fastest path.

Start a Conversation