AI risk in banking is not just about individual models; it is about what happens when well-governed systems start working together. Banks love to say they are "responsibly" adopting AI. They have governance, model validation, data ethics, and oversight. In Switzerland, regulators are crystal clear about expectations around governance, explainability, data quality, monitoring, outsourcing, and fallback mechanisms. That is good news. It reduces many of the obvious risks and keeps the most dangerous failures in check. [2][5][1]

But it also creates a dangerous comfort zone, because the real risk may no longer sit inside individual models. It sits in what happens when all those well-governed AI systems start working together.

From Model Risk to Systemic AI Risk: The Blind Spots of Governance

AI governance is designed to answer questions like:

  • "Is this model robust?"
  • "Is this data usage acceptable?"
  • "Is this decision explainable enough?"

Important questions. Necessary questions. But the next generation of AI in banking is increasingly agentic. It is no longer just one model scoring risk or recommending an offer. It is multiple agents that observe, decide, coordinate, and act across journeys. Deloitte's analysis of agentic AI risk in banking highlights hundreds of risks linked to autonomous behaviour, including coordination failures and emergent system effects. [4][6]

A single agent with a small error is rarely a crisis. A network of agents quietly amplifying each other's blind spots can be. That is the systemic risk no validation checklist will fully see:

  • Outputs from one agent becoming unquestioned inputs for another [4]
  • Feedback loops forming between agents and humans [7][4]
  • Complex behaviour emerging that nobody explicitly designed [6][4]

The scary part is that every component can be "green" on its own, while the combined system drifts into behaviour nobody intended. FINMA's own guidance recognises that AI risk management must include ongoing monitoring, stress testing, and fallback mechanisms precisely because static approval is not enough once systems are live. [8][2]

When AI replaces People and takes Knowledge with it

At the same time, AI is arriving in a cost-pressured environment. Every new automation case is a business case. Every efficiency gain becomes a headcount discussion. Over time, banks do not only remove roles. They remove memory. Not the memory stored in documents and systems. The memory stored in people:

  • The relationship manager who recognises a "weird" case before the system does
  • The operations expert who knows why that one exception rule exists
  • The compliance officer who remembers the last time a similar idea went wrong

Once these people are gone, their knowledge does not simply sit on Confluence waiting to be reused. It disappears. Organisational knowledge loss is widely associated with lower productivity, weaker continuity, and less innovation, especially when tacit knowledge leaves with experienced employees. [3][9]

On a normal day, AI fills the gap. On an abnormal day, there may be nobody left who truly understands what to do when the system says "I don't know".

That is the quiet risk:

  • Edge cases that AI cannot handle [10][4]
  • Humans who have never handled them either [2][3]
  • An organisation whose safety net has been automated away [3][2]

The day the lights go off

Now add dependency.

The more AI works, the more the organisation builds around it. Fallback processes exist on paper, but rarely in muscle memory. FINMA explicitly flags data availability, third-party dependency, cyber risk, and business continuity as relevant AI-related concerns for supervised institutions. [11][1][2]

Imagine:

  • AI systems for KYC, credit, and monitoring go offline
  • Model access is temporarily blocked by a provider issue or regulatory intervention
  • Customer journeys lose their orchestration logic overnight

Suddenly the bank is forced back into manual mode.

  • Who can still run those processes end to end?
  • Who remembers how decisions were made before AI?
  • How long can the institution deliver anything close to normal service?

The question is no longer "Is our AI good enough?" – it is "Are we good enough without it?"

Convergence: When every Bank looks the same

There is another long-term risk nobody wants to own. As banks adopt AI, they increasingly buy from the same cloud platforms, the same model providers, the same consulting toolkits. Governance requirements are similar. Data restrictions are similar. The incentive structures are similar. FINMA has already observed increasing third-party dependencies, while supervisory commentary around AI stresses the importance of understanding outsourced solutions and their risks. [1][11][2]

Result: The underlying intelligence starts to converge.

If everyone uses similar models, optimises similar journeys, and manages risk through similar frameworks, what remains as differentiation? Look at smartphones. Most are black rectangles with similar interfaces. Cars are heading the same way. Design converges. Behaviour converges. Products become interchangeable. Broader innovation research links knowledge processes and digital innovation, which supports the idea that losing tacit knowledge while standardising technology can weaken distinctiveness over time. [12][13]

Banking is at risk of doing the same with its business model:

  • Same types of models [1][2]
  • Same optimisation logic [5][4]
  • Same "personalised" experiences built on similar patterns [7][12]

At some point, the question becomes brutal. If the AI brains behind banks are similar, what exactly is the "strategy"?

The real AI risk Question

So yes, AI governance matters. It reduces many of the risks that can be controlled, and it makes individual models safer. [5][2][1] But that is not enough, because the new risk lives in:

  • Systems of agents, not single models [6][4]
  • Dependency on AI, not just AI performance [11][1]
  • Loss of implicit knowledge, not just formal procedures [9][3]
  • Strategic convergence, not only operational errors [13][12]

Banks therefore need more than an AI strategy and a governance framework. They need a new risk question.

Not

"How fast can we scale AI?"

But

"Where do we refuse to outsource judgement, memory, and differentiation to AI?"

And the most uncomfortable question of all: If the AI went dark tomorrow, would this still be a bank, or just a very expensive shell waiting for someone to remember how it used to work?


Sources and Further Reading