AI in financial services: the 2026 governance benchmark.

This benchmark presents primary data from 42 banks and insurers on how the operating model around enterprise AI is instrumented, governed, and escalated. The dataset is drawn from structured interviews with the sitting Chief AI Officer or equivalent role at each institution, supplemented by review of the governance artifacts in production at the time of the interview. The objective is operational rather than technological: the benchmark describes what the operating model actually does, not which models or vendors institutions have adopted.

The headline finding is that the dispersion in operating-model maturity across the 42 institutions is significantly larger than the dispersion in technology stack. The technology choices are converging. The operating models are diverging. The institutions that report the cleanest operating economics are not institutions with the most advanced stack. They are institutions with the most disciplined operating model.

01Methodology and sample

The sample comprises 42 institutions: 24 banks (11 global systemically important, 13 regional or national), and 18 insurers (11 life, seven property and casualty). Aggregate assets under management or in force across the sample exceed 41 trillion dollars. Interviews were conducted between September 2025 and January 2026. Each interview followed a structured protocol covering portfolio tiering, instrumented kill criteria, escalation paths, audit posture, and the regulatory surface. Each interview was supplemented by review of the governance artifacts in production at the time of the interview, where you made them available.

02Portfolio tiering practice

Portfolio tiering, in the operating-model sense, is the explicit classification of AI workloads into a small number of governance tiers, each carrying a distinct set of operating disciplines. Thirty-one of the 42 institutions in the sample reported a formal tiering scheme. Of those, 23 used a three-tier scheme, six used a four-tier scheme, and two used a scheme with five or more tiers.

The three-tier scheme that emerged as the modal pattern across the sample distinguishes between workloads that touch a regulated decision (tier one), workloads that materially influence a regulated decision without finalizing it (tier two), and workloads that operate outside the regulated surface (tier three). The operating disciplines that attach to each tier vary across the sample, but the modal pattern is the following.

03Kill criteria in production

Of the 42 institutions in the sample, 19 reported at least one kill criterion specified at the unit economic level and instrumented continuously. 23 reported kill criteria specified only at the program-spend level, or specified at the unit economic level but not continuously instrumented. The dispersion in operating economics across the two groups is significant.

Among the 19 institutions with continuously instrumented unit-economic kill criteria, the median portfolio remained within 12 percent of the originally approved cost envelope across the most recent fiscal year. Among the 23 without, the median portfolio exceeded the originally approved cost envelope by 68 percent. The tail among the latter group was a portfolio at three hundred and 40 percent of the original envelope, in a regional bank that had approved its current AI program in the third quarter of 2023.

04Escalation paths and decision authority

The escalation path, in the operating-model sense, is the written sequence by which a kill-criterion breach moves from instrumentation to a decision. Of the 42 institutions, only seven reported a written escalation path that could move from breach to decision inside 72 hours without requiring a board calendar event. Twenty-four reported an escalation path that required a quarterly board review at the earliest. The remaining 11 did not have a written escalation path and reported that the path would be improvised at the moment of breach.

We had the kill criteria. We had the instrumentation. What we did not have was a path from the breach to a decision that did not require a board agenda item, and the agenda was set six weeks in advance. Interview, Chief AI Officer, regional bank, fourth quarter 2025

05Audit posture and the regulatory surface

The audit posture across the sample is converging on a model that separates the runtime audit trail from the governance artifact. The runtime trail records what the system did, at the per-call level, with the input and the output and the routing decision retained for a period set by the regulatory surface. The governance artifact records what the system was permitted to do, at the policy level, with the kill criteria and the escalation path specified at the time of the most recent rewrite. The two artifacts are reconciled on a quarterly basis, and the reconciliation is itself audited.

The institutions that reported the cleanest reconciliation were institutions where the runtime trail and the governance artifact were maintained by separate teams reporting through separate lines. The institutions that reported the most painful reconciliation were institutions where the same team was responsible for writing the policy and recording the runtime evidence of compliance with it.

06Recommendations for boards

The benchmark supports four recommendations for boards. First, every workload above tier three should carry at least one kill criterion specified at the unit economic level and instrumented continuously. Second, the escalation path from a kill-criterion breach to a decision should be written, calendar-independent, and capable of moving inside 72 hours. Third, the runtime audit trail should be maintained by a team separate from the team responsible for writing the policy. Fourth, the rewrite trigger for the strategy itself should sit below the board, on a calendar that can move at the cadence the unit economics require.

None of the four recommendations is novel. Each is, on the evidence of the benchmark, the practice that distinguishes the operating models that have absorbed the last three years of workload shift cleanly from the operating models that have not.