Who this article applies to: Executives at financial institutions
Generative AI (GenAI) is rapidly moving from experimentation to operational reality across banking—powering loan analysis, automating reconciliations, summarizing regulatory updates, and supporting customer interactions. While the upside is clear, the risks are equally significant: hallucinated outputs, data leakage, model drift, and opaque decision-making can undermine financial reporting, compliance, and customer trust if not properly governed.
The COSO framework—long the backbone of internal control over financial reporting (ICFR) for financial institutions—remains fully applicable. The difference is not whether banks need new frameworks, but how they apply existing control principles in a GenAI environment.
This article highlights the most practical actions bank executives can take to implement GenAI with confidence, inspired by COSO’s recent Achieving Effective Internal Control over Generative AI white paper. We’ve distilled the white paper into our 10 biggest takeaways.
1. Start with a capability-based view of AI (not tools)
One of COSO’s most actionable insights is to shift focus from vendors or tools to what the AI actually does. GenAI capabilities fall into eight categories: ingestion, transformation, transaction processing, orchestration, judgment/forecasting, monitoring, knowledge retrieval, and human interaction.
Why this matters for banks:
- Risk is different at each stage
- Data ingestion → data quality, personally identifiable information (PII) leakage
- Transaction automation → financial misstatement risk
- Forecasting → credit and liquidity risk
- Controls should be placed where risk originates, not generically across “AI”
Practical takeaway:
Inventory every AI use case and tag it by capability type. This becomes the foundation for:
- Risk assessments
- Control design
- Audit scoping
2. Treat GenAI outputs as “claims,” not facts
GenAI is probabilistic and can be confidently wrong. For financial institutions, this is a critical mindset shift:
Practical controls:
- Require human validation for material outputs (e.g., financial reporting, credit memos)
- Implement:
- Confidence thresholds
- Source citation requirements
- Exception routing workflows
- Separate AI assistance from final decision authority
Executive implication:
If management or auditors are relying on AI outputs, those outputs must meet ICFR-level evidence standards (documentation of prompts, data sources, versioning, etc.). Furthermore, developing built-in confidence thresholds will help to identify those results that are potentially less accurate and thus need additional human validation. Those outputs that meet or exceed confidence thresholds may require less human intervention.
3. Build governance before scaling use cases
A recurring risk is “shadow AI”—teams deploying tools outside formal governance. Thus, it is important to establish a formal governance structure and policies so employees know what acceptable use looks like at your institution. This should be the first step in any AI tool deployment and, if done with an institution-wide focus, can serve as the foundation for assessing and deploying any AI tool throughout the institution.
Practical governance model:
Establish a cross-functional AI governance committee:
- Risk and compliance
- IT/security
- Finance
- Business leadership
Responsibilities:
- Approve high-risk use cases
- Set acceptable use policies
- Monitor incidents and Key Risk Indicators (KRI)
Key policy areas:
- Prohibited data (e.g., customer PII in public tools)
- High-risk use cases (e.g., lending decisions)
- Model and vendor approval standards
In addition to the departments mentioned above, consider having individuals that will be using these tools daily on the committee. Furthermore, when identifying those individuals, try to find someone that is passionate about AI. These individuals will naturally keep the committee apprised of AI trends and, when it comes time to deploy AI tools, will be champions at your institution, driving change throughout the organization.
4. Define clear “reliance boundaries” upfront
One of the most important—and often overlooked—steps in implementing GenAI is deciding where the bank will (and will not) rely on AI outputs.
The COSO white paper introduces a critical concept: Reliance occurs when management depends on AI outputs as evidence supporting a control or decision.
Why this matters for banks:
Once you rely on AI outputs, you are effectively:
- Bringing the process into ICFR scope
- Triggering audit evidence requirements
- Increasing regulatory exposure
Practical implementation:
- Classify each use case by reliance
- Non-reliance (low risk):
- AI drafts, summarizes, or assists
- Human fully re-performs or validates
- Reliance (high risk):
- AI outputs are used directly in decision-making or control execution.
- Align with key banking processes:
- Financial reporting → High likelihood of reliance
- Credit decisions → High likelihood of reliance
- Back-office productivity tools → Typically non-reliance
Executive implication:
Do not treat all GenAI use cases equally. Instead, draw a clear line between “assistive AI” and “decision-driving AI.”
That single distinction will:
- Simplify governance
- Focus control investment
- Avoid unnecessary audit complexity
- Reduce regulatory risk
5. Expand risk assessment to new AI-specific threats
Traditional risk frameworks are not enough. GenAI introduces new risk categories:
High-priority risks for banks:
- Hallucinations (incorrect but plausible outputs)
- Prompt injection attacks (malicious inputs manipulating models)
- Model drift (performance degradation over time)
- Third-party/vendor risk (limited visibility into models)
- Bias/fair lending implications
Practical approach:
- Maintain a living risk register that is frequently reviewed and updated
- Include “What if?” scenario analysis:
- What if a vendor updates the model without notice?
- What if training data changes?
- Link risks to key reporting initiatives (e.g., accuracy thresholds, exception rates)
6. Elevate “configuration” to a controlled asset
In GenAI, controls are not just around systems—but around:
- Prompts
- Retrieval data
- Model settings
These are effectively new financial reporting control points.
Practical controls:
- Version control for prompts and configurations
- Formal approval workflows for changes
- Logging of:
- Inputs
- Outputs
- Model versions
Executive implication:
Treat GenAI configurations like core banking system configurations—subject to the same change management rigor. Specific to prompting, develop a prompt library with widely used prompts. Encourage employees to visit this prompt library prior to developing their own prompt. Establishing this protocol will assist in creating consistent outputs for similar tasks.
7. Design controls that scale with automation
GenAI can amplify both efficiency and errors.
Leading practices:
- Human-in-the-loop review for high-risk decisions
- Multi-model validation for critical outputs
- Automated monitoring for anomalies and drift
- Segregation of duties (separate model configuration from approval)
Example
Auto-reconciliation:
- Auto-post only above validated confidence threshold.
- Route exceptions with full audit trail.
- Require approval for threshold changes.
For instance, incoming invoices are routed through an AI tool that attempts to categorize and record the journal entry associated with the invoice. The tool has been trained that if it is not confident in the journal entry, it will suggest one, but it will not be posted until a manual review occurs.
8. Strengthen data provenance and traceability
Banks must be able to answer:
- Where did this output come from?
- What data was used?
- Which model generated it?
Practical requirements:
Capture and retain:
- Prompts and inputs
- Source data references
- Output versions
- Confidence scores
Why this matters:
- Auditability
- Regulatory defensibility
- Root cause analysis
9. Monitor continuously—not periodically
GenAI environments change rapidly (model updates, data shifts, usage patterns). As mentioned earlier, this is why it is important to maintain a living risk register.
Practical monitoring strategy:
Combine:
- Real-time dashboards (accuracy, exceptions, drift)
- Periodic deep reviews (model validation, bias testing)
Key metrics:
- Accuracy / precision / recall
- Hallucination rate
- Data leakage incidents
- Forecast variance
Action triggers:
- Retrain models
- Roll back changes
- Escalate to governance committees
Example
Forecasting:
An AI tool is used to forecast credit losses, which is then used as an input in a financial institution’s current expected credit loss model. This forecast is temporarily compared to actual results and, if forecast variances exceed a certain threshold for consecutive comparisons, the tool is retrained.
10. Follow a simple, repeatable implementation roadmap
COSO outlines a practical six-step cycle:
- Establish governance
- Inventory use cases
- Assess risks
- Design controls
- Implement and train
- Monitor and adapt
Executive takeaway:
This is not a one-time project—it is a continuous control cycle, similar to ICFR.
Bottom line for bank executives
GenAI is not simply a technology initiative—it is a control environment transformation.
Banks that succeed will:
- Integrate GenAI into existing control frameworks.
- Treat AI outputs as risk-bearing assertions.
- Build governance before scaling.
- Design controls that evolve with the technology.
Banks that do not succeed may be subject to:
- Financial reporting errors
- Regulatory findings
- Reputational damage
Strong internal controls do more than reduce risk—they help institutions align GenAI initiatives to enterprise strategy, scale adoption responsibly, and improve value realization by making AI-enabled processes more reliable, repeatable, and trusted.
Done well, GenAI becomes not just efficient—but auditable, reliable, and strategically differentiating. That matters at the enterprise level because strong controls give leadership the confidence to move beyond isolated pilots and embed AI into broader transformation priorities. In that way, governance and control disciplines are not barriers to innovation—they are enablers of sustainable adoption, measurable business impact, and long-term value realization.
BerryDunn can help
If you have any questions about GenAI and internal controls at your bank, please reach out. Learn more about our team and services.