Green Dolphin (TCCR) Limited

AI Governance and Control

What Banks and Building Societies Need to Know - and What's Coming Next.


As a lever for transformation and growth, AI now holds the potential to affect every part of your firm: from long-term strategy to tactical leadership decisions; from executives to newly hired employees; and across all functional domains.

We’re entering the most consequential phase of AI yet. The boardroom is the catalyst.

Overview

Regulators are watching. The FCA's Consumer Duty, PRA model risk expectations (SS1/23), and the Senior Managers & Certification Regime all create direct accountability for how AI systems operate within your firm. 


Whether you are deploying AI for credit decisioning, fraud detection, customer servicing, or operational efficiency, the governance expectations are the same: document it, own it, oversee it, and be able to explain it.


Why now 

AI is no longer an emerging technology for banks and building societies - it is already embedded in credit decisioning, fraud detection, customer servicing, and operational processes across the sector. The governance frameworks have caught up.


The PRA's Supervisory Statement SS1/23 is in force and model risk expectations apply now. The FCA has made clear that Consumer Duty extends to AI-influenced outcomes. The SM&CR means individual senior managers carry personal accountability for how these systems are governed. And the ICO is actively enforcing automated decision-making rights under UK GDPR.


Regulatory scrutiny is intensifying, not easing. Supervisors are asking harder questions about AI in firm visits, and the expectation that boards can demonstrate meaningful oversight - not just policy documents - is rising. At the same time, firms are deploying AI faster than their governance frameworks are evolving, creating gaps that may not be visible until they become a regulatory or customer issue.


The cost of getting ahead of this is modest. The cost of responding to a regulatory finding, a customer complaint upheld by the FOS, or an incident that reaches the board unprepared is considerably higher.


There is no better time to understand where you stand.


What the regulators now require

The UK regulatory framework does not yet contain a single AI law, but the expectations are nonetheless clear and materially overlap across multiple regimes that already apply to your institution. 


Where most firms still have gaps

In our experience, the most common gaps are:


  • An incomplete inventory of AI systems and model-based components, including AI embedded in vendor products;
  • Accountability structures that exist on paper but are not mapped to named senior managers under SM&CR;
  • Model monitoring that tracks availability rather than performance or fairness;
  • Board and committee reporting that provides reassurance rather than genuine insight; and
  • Human oversight of AI-assisted decisions that is procedural rather than substantive - sign-off without real challenge.


What we're seeing in 2026


  • Boards are asking harder questions about AI than they were twelve months ago, but many are still waiting for management to bring issues to them rather than actively interrogating the position. 
  • SS1/23 implementation is exposing gaps in model inventory and validation that firms did not know they had. 
  • Consumer Duty reviews are beginning to focus on AI-influenced outcomes in lending and servicing, not just product design. 
  • The conversation across BSA and UK Finance forums has shifted from whether AI governance is needed to what good actually looks like in practice for an institution of this size and complexity. 


Approach

Our work is grounded in the AI risk domains that matter most for banks and building societies, drawing on established frameworks and the PRA's model risk expectations. We focus on the areas where gaps create real regulatory and customer risk.


We bring an evidence-based, audit-disciplined approach that is designed to be proportionate to your institution's size, risk profile, and the maturity of your existing governance. We don't do boilerplate - we tailor our scope and methodology to what you actually need. 


1) Governance and Accountability

We look for substance behind the structure:


  • Is there a documented AI strategy? 
  • Are roles and responsibilities clear - including SM&CR-mapped accountability? 
  • Does the board receive meaningful reporting, not just reassurance? 


2) Model Inventory and Classification

We map the dependencies between your important business services and the third parties that support them, surfacing concentration risk, single points of failure, hidden dependencies and supply chain nodes that regulators will scrutinise. We pay particular attention to cloud and hyperscaler arrangements, where concentration is now a board-level concern. 


3) Model Validation and Monitoring

Are models subject to independent validation before deployment and monitored for drift, staleness, and performance degradation post-deployment? We assess whether monitoring is substantive and whether triggers for action are clearly defined. 


4) Data and Governance

We look at the full data chain including third-party and vendor-supplied data:


  • Are training and operational data sources documented, lawful, and fit for purpose?
  • Do data protection impact assessments address AI-specific risks? 


5) Fairness and Consumer Outcomes

Are AI systems tested for bias and discriminatory outcomes, particularly in credit, insurance, and customer servicing? Consumer Duty requires more than good intentions - it requires evidence that outcomes are actively monitored and acted upon.


6) Third Party and Vendor AI

Does oversight of vendor-supplied AI meet the same standards as in-house models? Many firms have stronger governance over models they built than over AI embedded in purchased software - despite equivalent customer and regulatory risk. 


7) Human Oversight and Automation Bias

  • Where AI assists or automates significant decisions, are human oversight controls designed to be substantive rather than procedural?
  • Are staff trained to challenge AI outputs, not simply accept them? 


8) Audit Trails and Explainability

  • Can your institution reconstruct how an AI-influenced decision was reached? 
  • Are audit trails sufficient to respond to regulatory enquiry, customer complaint, or legal challenge? 


These are increasingly the live questions in supervisory contact.


Why choose Green Dolphin


  • Sector credibility: Building societies and banks are our specialism. Our senior team have worked inside building societies, banks and insurers in roles including Board Risk Advisor, CTO, CISO and Head of Technology and Change Audit. We understand the BSA, the Strong & Simple regime, and the proportionality boards expect when engaging external assurance.
  • Risk reduction: A focus on delivering quality at every step, so that you can be confident that both the risk reduction achieved and the opportunities to accelerate value are understood.
  • Audit discipline: We apply genuine audit methodology, evidence-based, proportionate, and designed to provide boards with decision-making confidence rather than a report that sits on a shelf.
  • Proportionate and commercial: An understanding that budgets are not infinite and therefore our support needs to be proportionate to the risks faced, regulatory expectations and commercial realities.
  • Independence: Unlike other consultancies, we maintain full independence from all suppliers. That means we are straight talking and we don't promote, co-create or take introductory referrals.

Referenceable - Just Ask Us

Please let us put you in touch with your peers at other building societies, insurers and banks so you can hear first hand how we've built confidence through genuine risk reduction.


Typical Green Dolphin Effort: 


Health Check: 3 days



Automated Decisioning


Banks and building societies are already live with AI-powered mortgage decisioning. Others are following. Is your Board joining the dots?

Green Dolphin submitted a formal response to the ICO's consultation on automated decision-making before it closed on 29 May. Here is what we said and why it matters for how you govern and assure change involving AI. 


© Green Dolphin (TCCR) Limited
Company registered in England and Wales (No. 16855006)
NCSC Cyber Essentials Certified 2026 (No. 8fe63bb4-be60-4c2a-81f7-8cad1848de4d)
Good Business Charter Accredited 2026
VAT Registration 513 0298 23
All rights reserved.