Generative AI reached 100 million users faster than any consumer technology before it. The governance frameworks needed to manage it responsibly have not kept pace. This article examines where AI actually stands in financial services, what the ethical obligations mean in practice, and why the gap between capability and accountability is the industry's most pressing problem.
Every transformative technology follows a similar arc. Electricity triggered wonder, then overinvestment, then a period of reckoning before it became the invisible foundation of modern life. The dot-com boom of the 1990s produced the same pattern: breathless expectation, painful correction, and then, quietly, a restructuring of how the world actually works. E-commerce did not become a serious commercial force until the 2010s, a decade after the crash that was supposed to have killed it. The reason, as economists Brynjolfsson, Rock, and Syverson have argued, is that transformative technologies require complementary investments in processes, skills, and organisational structures before their productivity gains materialise. The technology arrives before the world is ready for it.
Adapted from the Gartner hype cycle framework. AI applications plotted by current maturity stage.
Artificial intelligence is following the same trajectory, but faster and with considerably higher stakes. The Gartner hype cycle has become the standard frame for understanding where a technology sits relative to its actual utility. AI is not one point on that curve. Different applications sit at very different stages: machine learning is moving through the slope of enlightenment toward productive deployment; deep learning is arguably passing through its trough of disillusionment as energy costs and interpretability challenges become more apparent; generative AI is close to the peak of inflated expectations; and artificial general intelligence remains entirely theoretical, with credible estimates for its development ranging from several decades to never. Financial services firms that treat AI as a single technology with a single maturity level are misreading both the opportunity and the risk.
The distinction that matters most right now is between narrow AI and general purpose AI. Narrow AI systems are optimised for specific tasks: fraud detection, credit scoring, portfolio optimisation, client sentiment analysis. These are not new. The financial services industry has been running algorithmic and rules-based systems for decades. What has changed is the scale, sophistication, and autonomy of those systems, and the emergence of foundation models capable of performing a wide range of tasks from a single architecture.
The practical applications in wealth management alone illustrate the range. AI can analyse large datasets covering market trends, economic reports, and individual client behaviours in ways that human analysts cannot match for speed or breadth. It can identify patterns in portfolio risk that might not surface through conventional modelling. It powers 24-hour client-facing tools that handle routine queries and free advisers for higher-value conversations. Robo-advisors, which barely registered a decade ago, are projected to manage an estimated $3.14 trillion in assets by 2026 according to Statista, having multiplied revenue roughly 15 times between 2017 and 2023. AI adoption in the sector increased by 37% between 2020 and 2021 alone.
None of this is theoretical. But the speed of adoption has created a gap between capability and governance that the industry has not yet adequately addressed. That gap is where the real risk sits.
On 13 March 2024, the European Parliament formally adopted the EU Artificial Intelligence Act, the world's first comprehensive legal framework for AI. It passed with 523 votes in favour. The Act takes a risk-based approach: certain applications are banned outright, others face strict compliance obligations, and general purpose AI models must meet specific transparency requirements. For financial services, the implications are material. Credit scoring, insurance risk assessment, fraud detection, and automated client communications all fall within the high-risk category, requiring thorough documentation, human oversight mechanisms, and the ability to explain decisions to regulators and clients.
This followed the Bletchley Declaration of November 2023, in which 28 governments including the US, UK, China, and the EU agreed that frontier AI poses potentially catastrophic risks and committed to international cooperation on safety research. The declaration was notable not for what it resolved but for what it acknowledged: that the most capable AI systems present risks that no single government fully understands, and that managing those risks requires coordination that does not yet exist.
The United States has taken a different approach. In the absence of overarching federal regulation, AI governance sits across a patchwork of the FTC, NIST guidelines, state-level rules, and sector-specific oversight. The Federal Trade Commission is focused on fairness, transparency, and accountability. NIST has released risk management frameworks. But the fragmentation means that a firm operating across jurisdictions faces genuinely different obligations in different markets, with no single standard to align to. China's approach is more centralised: significant AI initiatives must be registered with and approved by government, reflecting a tighter model of state control. The contrast between the EU's rights-based framework, the US's market-led patchwork, and China's state-directed model creates a fragmented global regulatory position that financial services firms with international operations have to work through simultaneously.
Regulatory compliance is the floor, not the ceiling. The ethical obligations that sit beneath the legal frameworks are more demanding and less well defined. Six principles recur across every credible framework for responsible AI in financial services, and each has practical operational implications that are easy to underestimate.
Fairness and bias mitigation requires that models are regularly tested to ensure they are not producing discriminatory outcomes across different client groups. This is not a one-time exercise. Models trained on historical data encode historical biases. Markets change. Client populations change. A model that was fair at deployment may not remain fair two years later without active intervention. Transparency and explainability requires that firms can explain to clients and regulators not just what a decision was, but how it was reached and what data drove it. For complex neural networks, this is technically demanding and often commercially uncomfortable.
Privacy and security obligations mean that AI systems handling client data must operate with clear access controls, defined data use protocols, and appropriate anonymisation. The volume and sensitivity of data that modern AI systems require makes this a significant operational challenge. Accountability means that clear lines of human responsibility must exist for every consequential AI decision. When an AI system denies a loan application or flags a transaction as fraudulent, a human being must be accountable for that outcome. Human oversight means that AI must enhance rather than replace human judgment on decisions that materially affect clients, with genuine checkpoints rather than nominal ones. And continual learning means that models must be retrained and recalibrated as circumstances change, because a static model in a dynamic environment will drift.
Yuval Noah Harari captured the systemic dimension of this more sharply than most regulators have managed. Warning specifically about financial services, he asked what happens if AI creates financial instruments of orders of magnitude greater complexity than the collateralised debt obligations that contributed to the 2007-08 crisis: instruments that no human being can fully understand and therefore no regulator can adequately oversee. The 2008 crisis was not caused by malicious intent. It was caused by complexity that outran comprehension. AI has the potential to recreate that dynamic at a scale and speed that would make the previous crisis look manageable.
The distance between where most financial services firms currently sit on AI implementation and where the governance frameworks require them to be is significant. Firms that have moved quickly on deployment have often moved slowly on the oversight structures needed to manage what they have built. The reasons are understandable: governance is expensive, slows deployment, and produces no immediate revenue. But the costs of getting it wrong, reputational, regulatory, and financial, are considerably higher.
The practical approach that responsible firms are taking starts with pilots rather than wholesale transformation. Identifying specific use cases, implementing them carefully, measuring outcomes rigorously, and only then scaling. This is not timidity. It is the recognition that incremental, well-governed innovation is more durable than rapid deployment that produces regulatory or reputational problems. The complementary investments in process, skills, and organisational structures that Brynjolfsson and colleagues identified as the precondition for productivity gains from technology apply here too. AI will not deliver its potential in financial services simply by being deployed. It will deliver it when the people, governance structures, and cultural norms around it are ready to use it responsibly.
Reputation operates as a form of currency in financial services. Firms that deploy AI poorly, that cannot explain their decisions, that allow biased outcomes to persist, or that experience failures they cannot account for, face consequences that extend well beyond the regulatory fine. In a sector built on trust, the reputational cost of AI misuse may be more damaging than the compliance cost of getting it right the first time.
The hype cycle always resolves. The dot-com crash produced Amazon, Google, and the modern internet economy. The current AI moment will produce something equally transformative and equally different from what the peak of inflated expectations suggested. The financial services firms best placed to benefit from that resolution are the ones building the governance infrastructure now, before the regulators require it, before a failure makes it urgent, and before the competitive pressure to deploy without oversight becomes irresistible.