Financial services firms operate in environments defined by risk, regulation, oversight, and documentation. This should give the sector a natural advantage in building governance programs for AI. But new data from the AAA-ICDR Institute™ suggests that even in financial services, the hardest part of AI governance is making policies work in practice.
The finding comes from “From Principles to Practice: A Benchmark Study in AI Governance,” based on a survey of 500 senior legal and executive leaders across the United States and Canada at organizations with annual revenues of $100 million or more. Across industries, the report found that AI adoption is already widespread: 74% of organizations are using AI at a moderate or extensive level, and 30% say AI has become integral to operations. Yet only 22% say their AI governance works effectively in practice, even while 87% have some form of governance in place.
The data from the financial services, banking, and insurance organizations show how that gap plays out in a highly regulated sector: strong governance infrastructure does not automatically translate into technical controls, documentation, and auditable evidence.
A Strong Foundation Does Not Always Mean Technical Translation
Financial services companies appear more mature than the broader market at first glance. Ninety-six percent of sector respondents report having formal AI governance principles or policies in place, compared with 87% overall. Thirty-one percent report having a comprehensive, actively enforced framework, above the 20% all-industry benchmark. Legal and technical teams also appear more connected: 91% describe the relationship as collaborative, compared with 77% overall.
The next stage, however, is where the gap appears. Only 53% of financial services respondents say their AI governance principles have translated into specific technical controls, below the 63% all-industry mark. In other words, the sector is ahead on structure and coordination but still faces a familiar challenge: turning governance language into system-level requirements.
Callout stat: 96% of financial services respondents report formal AI governance policies, but only 53% say those principles have become specific technical controls.
Risk Discipline Is a Strength
Financial services respondents perform strongest where AI governance builds on established risk-management practices. For example, 66% of these respondents cite confidence in risk classification and approvals, compared with 52% overall. The sector also exceeds the benchmark on formal third-party diligence and monitoring, at 79% versus 67%. Oversight during procurement, material changes, or retraining is also higher than average.
That makes sense for these highly regulated industries. Banks, insurers, and related financial services organizations are used to reviewing vendors, classifying risks, and requiring additional approvals before major changes. Existing processes can make it easier to embed AI governance into how the organization already operates.
But AI governance also requires ongoing visibility after an AI system is approved or deployed. Organizations need to know whether controls are working, who made key decisions, and whether they can produce documentation later if regulators, auditors, or courts ask for it. Strong front-end risk review is valuable, but it does not solve the challenge of maintaining a clear governance record.
Evidence Remains the Hardest Test
The real test for AI governance is whether an organization can show how decisions were made throughout the AI lifecycle. That means having records that explain which AI systems were reviewed, what risks were identified, who approved deployment, what controls were required, and how those controls were monitored after the system went live.
Only 21% of financial services respondents are very confident their organization could produce centralized, complete, auditable evidence for regulators, auditors, or courts, nearly identical to the 22% overall benchmark.
Other development needs are even more pronounced. Half of financial services respondents say audits and documentation need more work, compared with 35% overall. Sixty-six percent say data privacy and protection controls need development, compared with 58% across all respondents. For a sector built on trust, privacy, and regulatory accountability, the ability to document governance decisions is central to demonstrating that AI oversight is working.
Callout stat: Only 21% of financial services respondents are very confident they can produce auditable evidence of AI governance in practice.
The Takeaway for Financial Services
The financial services industry is not starting from scratch. Compared with the all-industry benchmark, the sector performs better on several markers of AI governance maturity, including effective governance, integrated functions, clear escalation, and maintaining an inventory of AI use cases. Its confidence in producing auditable evidence, however, is nearly identical to the overall benchmark: 21% versus 22%.
That contrast is the central finding. A regulated environment can help organizations build stronger governance, but it does not automatically solve the harder work of documenting how AI decisions are made, applied, and monitored over time.
Download the Full Report
The financial services findings are one view into a broader governance challenge facing organizations across industries. Download “From Principles to Practice: A Benchmark Study in AI Governance” to learn what organizations with more mature AI governance programs are doing differently, including how they connect legal, technical, and business teams, assign clear authority, and document governance decisions for regulators, auditors, and other stakeholders.