Closing the Gap: Financial Supervisors’ AI Adoption

This article was authored by a cross-section of representatives from S&P Global and external guest authors, in particular Digital Transformation Solutions (DTS). The views expressed are those of the authors and do not necessarily reflect the views or positions of any entities they represent and are not necessarily reflected in the products and services those entities offer. This is a thought leadership report issued by S&P Global. This report does not constitute a rating action, neither was it discussed by a rating committee.

Financial institutions are rapidly rolling out generative AI (GenAI), with 30% reporting broad deployment (see figure 2). By comparison, only 2% of supervisory authorities have achieved widespread implementation (source: Cambridge SupTech Lab and Digital Transformation Solutions, State of SupTech Report 2025, December 2025). This GenAI adoption gap is emerging at a critical moment—with financial sector decision-making shifting toward real‑time, data‑driven systems. 

We believe that a widening structural gap in GenAI adoption could undermine supervisory effectiveness over time. In a December 2025 study of 148 supervisors across the globe, 56% reported limited internal capacity to supervise technology-driven innovations, while 54% indicated insufficient capability to assess or oversee AI-based tools and models (Source: State of SupTech Report 2025, December 2025).

AI adoption in finance is driven by a rapidly evolving ecosystem of compute, data, and advanced capabilities, pushing banks and fintechs toward real-time, increasingly autonomous systems, and continued investment. That shift is reflected in the pace of the financial sector’s AI investment, which is expected to be about $97 billion in 2027 (source: World Economic Forum, January 2025), growing at high-double-digit rates—with 59% of the sector dedicating 10% to 30% of their IT budget to AI initiatives in 2026 (source: Voice of the enterprise: AI & Machine Learning, S&P Global Market Intelligence, January 2026). 

Going forward, increasing AI autonomy, particularly due to agentic AI, raises further questions around reliability and accountability. As regulators grapple with foundational data challenges, they risk losing visibility into a financial system moving at an even faster pace toward agentic AI. That said, supervisory technology (SupTech, the application of technology and data analysis solutions to complement and enhance a financial authority’s financial market oversight capabilities) offers a powerful counterbalance. While AI agents accelerate market complexity, they can also provide regulators with automated tools to process and label vast datasets in real time, effectively resolving the data bottleneck. Through AI-driven monitoring systems, supervisors can enhance their monitoring capabilities, using anomaly detection to spot systemic risks as they emerge. 

The current adoption gap is characterized by growing friction between traditional oversight and modern AI scaling, which is evident in data constraints, talent shortages, infrastructure limitations, and institutional bottlenecks.

AI adoption is gradually increasing among supervisors, yet maturity—encompassing deployment, integration, scalability, and governance—remains low, particularly compared with the rapid scaling of GenAI in the financial sector. In 2025, 36% of surveyed authorities said GenAI wasn’t yet applicable to their work, and 30% were in an initial exploration phase. Active implementation is limited: 16% of authorities reported pilot programs, another 16% had limited deployment, while only 2% described sustained deployment with continuous improvement (see figure 2). This contrasts with the financial sector, where 30% of financial institutions claimed to have fully deployed GenAI and another 43% were using it in specific teams or workflows.

The gap is even wider for agentic AI, with only a handful of supervisors prototyping and testing low-risk applications while financial institutions report meaningful early deployment. While a recent study from the Cambridge Centre of Alternative Finance points to somewhat higher adoption levels of agentic AI by supervisors—with around 28% of supervisors reporting agentic AI use across piloting, scaling, and transforming stages—we note that the gap with financial sector remains material.

We categorize supervisory AI usage through a maturity framework, scaling from internal operational support to direct oversight of AI-driven risks (see figure 4). 

• Internal Use (Foundational): AI enhances organizational efficiency through productivity gains, core research capabilities, and automated insights. Financial supervisors’ GenAI adoption largely focuses on "copilot" modes—assisting staff in document summarization and knowledge management (see "FSI Briefs No. 26: Starting with the basics: a stock take of gen AI applications in supervision," BIS, June 2025) without fundamentally changing workflows.

• External Use (Intermediate): AI supports core mandates, including macroprudential activities, monetary policy development, and stability tracking. In microprudential activities, it is used to improve tools for consumer protection, the monitoring of specific institutions, and to promote fair competition (see examples in figure 5).

• AI Risk Supervision (Advanced): This involves directly overseeing AI deployment within the financial industry, including the monitoring of high-risk models, detection of algorithmic market harm, and the conduct of live testing to ensure the safety of regulated entities. Advanced frameworks, like Project Noor (an initiative of the Bank for International Settlements (BIS) Innovation Hub seeking to equip supervisors with explainable AI methods and risk analytics to evaluate and interpret the inner workings of AI models used by supervised entities), exemplify this approach, by using AI to ensure AI models are transparent, robust, and fair.  

We expect AI to deliver the greatest value to supervisors in risk management, enabling real-time analysis to improve micro and macroprudential oversight. While oversight of the financial sector’s AI use is nascent—only 2% of surveyed authorities report deployment of GenAI tools (Source: State of SupTech Report 2025)—the speed of supervisory AI adoption will determine their ability to monitor how supervised entities use AI and AI models. 

Because supervisors prioritize financial stability and consumer protection over revenue generation, they adopt a deliberate "augmentation-first" approach. This strategy corresponds to the 4G capability tier in the SupTech Generations 3.0 framework, toward which a subset of more advanced supervisors is gradually moving (see figure 1). At this level, AI provides decision support and business intelligence integrated within established supervisory workflows, utilizing data processing and analytics while human examiners retain final judgment.

Principal applications for supervisors include text analysis to manage large volumes of records and integrating predictive analytics for proactive risk detection—both of which are high-priority domains in Europe and Asia (Source: “State of SupTech Report 2025”). This approach seeks to ensure improved consistency and timeliness while maintaining "human-in-the-loop" accountability.

While the financial sector begins to experiment with 5G autonomous orchestration, supervisors are focused on solidifying 4G foundations to maintain human oversight and accountability, strengthening core mandates of financial stability, market integrity, and consumer protection.

AI is rapidly moving past static algorithms and into an agentic era—characterized by systems capable of reasoning, planning, and executing multi-step tasks autonomously. 

Within the financial sector, knowledge management and retrieval are the leading use cases for agentic AI, alongside applications in process optimization, customer support, task and project orchestration, compliance and risk monitoring (Source: "NVIDIA State of AI in Financial Services," 2026). Conversely, agentic AI adoption among supervisors remains mostly experimental, with current deployments focused on low-risk, assistant-style agents rather than autonomous workflows.  

Some supervisors are testing and starting to deploy early assistant-style agents for low-risk, largely internal use cases, including risk assessment, meeting summarization, coding assistance, and support for legal, policy and technology functions. Early agentic use within supervisory workflows is primarily restricted to "reviewer" roles, providing real-time guidance to inspectors rather than autonomous decision-making.

World Bank research indicates that some financial authorities are adopting "multi-agent" architecture, developing agents to analyze specific data sources. These agents are then queried through a central chatbot (Source: "Artificial Intelligence for Financial Sector Supervision: An Emerging Market and Developing Economies Perspective," 2025). Several authorities also plan to expand agentic AI to more technical domains, including asset quality reviews, risk assessments, and complaints analysis.

While the examples in the box above highlight the potential to enhance oversight, they also expose significant risks, such as potential for misalignment, inaccuracy, and limited accountability and explainability. The factors that make these use cases valuable—reliance on sensitive data and integration into specialized workflows—also create risks around integration, data governance, security, and skills challenges. That highlights supervisors' need for robust AI management processes to ensure security, privacy, and accountability before expanding agentic AI beyond pilot programs.

Supervisors and the financial sector face many similar AI challenges, but with differing priorities and intensities (see figure 7). We consider this divergence to largely reflect differences in AI maturity. 

For the financial sector, where AI adoption is more advanced, concerns are dominated by the quality and reliability of GenAI outputs, meeting regulatory requirements, and the ability to scale solutions beyond isolated pilots into enterprise-wide applications. For example, 40% to 50% of financial sector institutions surveyed ranked these three concerns among their top four challenges, indicating that they are already addressing challenges related to scaling and optimization. 

Supervisors, in contrast, often cited challenges characteristic of earlier stages of AI maturity, including AI development and maintenance skills shortages, integration with legacy systems, and embedding AI into specialized supervisory processes. The comparatively lower concentration of challenges — with about 30% citing the same top issue — reflects more limited deployment. AI and data skill shortages are more pronounced in developing economies, where limited IT skills are a structural barrier (see “AI and education: Embracing the disruption,” Jan. 29, 2025) that materially hinders AI adoption and maturity (only 1.8% of supervisors in developing economies have AI solutions in (at least) widespread production, as indicated in the State of SupTech Report 2025). 

Despite these differences, both groups share a common top risk: data privacy and security. This is unsurprising, as effective AI adoption in a heavily regulated sector often relies on using sensitive and confidential data. Both authorities and financial sector must now navigate a landscape where data readiness and security must be managed simultaneously. Security risks may be further amplified by emerging threat vectors, such as “Mythos”-type exploitation techniques, which can use AI to democratize cyber vulnerability exploitation.  

The importance of protecting data used by AI has given rise to a handful of strategies. Some of the most widely adopted involve using open-source GenAI models, and keeping data fully on-premises or within a national border during inference. About 46% of surveyed financial sector companies said they are developing AI capabilities internally, including open-source frameworks (source: Voice of the enterprise AI & Machine Learning, S&P Global Market Intelligence, January 2026). Our research suggests this is also a focus among financial supervisors, where control over data and models is, in many instances, a sovereign priority.

We also observe a nascent trend among supervisors to maintain sensitive supervisory data within national borders and infrastructure. Sovereign clouds differ from public clouds by keeping data, models, and computing fully within a country’s legal and technical perimeter, rather than relying on globally distributed technology. Examples of sensitive AI workloads running on local infrastructure are relatively common (see figure 8). This practice differs from the use of joint ventures or localized regional hyperscalers.

We view the initiatives described in figure 8 as risk mitigant strategies because both cloud and AI workloads run on local datacenters under national jurisdiction, including local data protection laws. In some cases, such as Singapore, the risk-mitigation strategy focuses more on strong regulatory oversight. In other cases, such as with South Korea’s central bank, the data security mitigation strategy focuses on deploying a proprietary, in-house GenAI model (BOKI) on a fully isolated on-premise network. 

Supervisors and financial institutions are increasingly deploying a range of technical safeguards to protect data, enabling it to be used by AI systems while ensuring that privacy, copyright, and data protection laws are not breached. These safeguards are summarized in Appendix 1. 

Through these combined strategies, supervisors and financial institutions can pursue richer analytical capabilities while ensuring that privacy, copyright, and data protection laws remain fully intact.

Supervisors' slower pace of AI adoption and integration may have important implications for their roles over time. As AI use in the financial sector expands, differences in technological maturity could affect supervisors’ ability to assess risks, detect emerging vulnerabilities, and support risk-based supervision. We foresee two particular implications that could widen the capability and information gap between supervisors and supervised entities as AI adoption scales:

Assessment and monitoring of AI-based tools and models:

This factor affects supervisors in two ways. First, from a microprudential perspective, supervisors may lack the technical capabilities needed to effectively assess AI systems deployed by regulated entities. Second, evaluating risks posed by unregulated technology and AI model providers is becoming more difficult. While for example, the Digital Operational Resilience Act (DORA) strengthens oversight of critical third-party providers in the EU, it does not cover all AI model developers. This mismatch could create supervisory blind spots and systemic risks for supervisors without the technical expertise to scrutinize complex AI models. The emergence of independent AI auditing firms and established auditing corporations offering AI assurance services—such as bias, fairness, explainability, governance, and compliance auditing—could partially address this gap. Some regulators, including those in the EU under the AI Act, are introducing conformity assessment requirements for high‑risk AI systems, which in certain cases may involve independent third‑party review, while U.S. authorities such as the Securities Exchange Commission emphasize auditability, model validation, and robust governance frameworks. However, most financial-sector use cases will likely fall into the lower-risk categories, which are less likely to be independently audited.

Reduced ability to detect emerging risks: 

About 53% of financial institutions say they are increasingly using AI and prescriptive analytics to process large volumes of real time and unstructured data and accelerate decision-making (source: "Voice of the enterprise AI & Machine Learning," S&P Global Market Intelligence, January 2026). This shift towards real-time analytics is leading to more dynamic management of exposures. By contrast, supervisors relying primarily on periodic reporting, manual analysis, or static indicators may face growing information asymmetries.

Beyond missing unintended consequences from generative or agentic AI, supervisors risk failing to detect early indicators of liquidity stress, market imbalances, or bubble formation—particularly where these risks emerge from complex interactions across institutions or markets. Over time, these gaps could hinder the shift toward proactive, risk-anticipatory supervision and limit supervisors’ ability to reallocate supervisory resources as risk profiles evolve.

AI’s use by financial supervisors will be shaped by how quickly and smoothly they can reduce the capability gap with the financial sector. Supervisors with maturing AI are converging on a shared ambition: to make supervision more predictive, timely, and data‑driven. 

Among these more advanced supervisors, we observe convergence on two major trends: a shift toward real‑time or near real‑time data collection and analysis, and a shift toward collaborative, risk‑anticipatory supervision.

We expect the use of AI-powered digital twins or agent-based simulations of economies, while still in its early stages, to facilitate close to real-time data collection, analysis, monitoring, and prediction—particularly when reinforced by investments in sovereign financial cloud infrastructures. This should support intelligent automation and real time analysis with regulatory oversight of data and compute sovereignty (see "Compute sovereignty: The strategic importance of digital infrastructure," May 12, 2026).

Digital twins are continuously updated virtual replicas of parts of the financial system. They integrate data from financial institutions, markets, and external events, enabling supervisors to analyze developments dynamically rather than relying on static, periodic reports. Their increasing use should strengthen risk management and supervisory decision-making by enabling real-time insights for stress testing, “what-if” scenario analysis, and the early identification of vulnerabilities and emerging risks.

For example, Project Danu, a collaboration between the BIS Innovation Hub’s Eurosystem Centre and several financial supervisors, aims to develop a digital twin framework to monitor the impact of extreme weather events and natural catastrophes on financial systems. Looking ahead, supervisors could deploy digital twins at both macro and microprudential levels. At the micro level, digital twins could support live stress testing and scenario analysis of supervised entities. At the macro level, they could connect supervised entities with real-time market data to analyze system-wide vulnerabilities, simulate contagion effects, and assess the impact of policy or regulatory decisions through “what-if” scenarios. These capabilities directly address the supervision gap: without real-time visibility, supervisors risk falling further behind the financial sector’s adoption of automated, real-time decision systems.

Modern infrastructures, such as sovereign financial cloud ecosystems, are nascent but can be powerful when they combine data sovereignty with real-time oversight and AI-driven intelligent automation. The Central Bank of the UAE was among the first publicly announced deployments of a sovereign financial cloud service infrastructure to strengthen financial sector competitiveness, while other regulators, such as the European Central Bank, are developing similar infrastructures.  

Proactive and collaborative supervision

The shift from reactive to proactive, risk-anticipatory supervision builds on real-time data collection and analysis. Our discussions with supervisory authorities indicate increasing interest in AI’s capacity to automate analysis of low-risk activities and reallocate scarce human resources toward higher-risk activities and entities, consistent with risk-based supervisory principles. In this context, AI’s value lies less in fully automating supervision and more in sharpening prioritization, early‑warning capabilities, and supervisory judgment. An example of this is the Central Bank of Philippines’ ASTERiskC*, an advanced engine for risk-based compliance. This AI-driven and cloud-based engine is designed to perform real-time monitoring, risk assessment, and collect incident reports from financial institutions to support risk-based and proactive supervisory decisions on cybersecurity. 

This shift reframes how supervisors evaluate AI investments, moving them from a primarily financial analysis to focus on improvements in resilience, risk detection, and supervisory effectiveness. Unlike financial institutions, which often justify AI adoption based on efficiency gains revenue growth, or competitive advantage, supervisors evaluate AI through a public‑value lens—with a focus on strengthening market integrity, enhancing financial stability, and improving consumer protection. 

This difference in objectives underpins our view that cross‑jurisdictional collaboration—through shared tools, data, and best practices—is essential to achieve scale and meaningful impact for financial supervisors' AI adoption.