Probability & Partners: The EU AI Act is here, what’s next?
By Yusi Wang, Senior Risk Consultant at Probability & Partners
Where do regulators and supervisors currently stand on AI? Are they ahead of the curve, or are they still catching up?
The global regulatory landscape for AI in financial services has shifted materially over the last 12 to 18 months. The biggest shift is that regulators now openly acknowledge AI, particularly generative AI and agentic systems, as core banking infrastructure rather than experimental technology.
Major jurisdictions are tightening expectations by building on and expanding existing frameworks. The EU has led the way with the AI Act, the first comprehensive global AI law affecting all organizations deploying this technology. Within the financial sector, supervisors are closely monitoring AI development and increasing requirements for risk assessments across cybersecurity, data, governance, third-party risk management, and consumer protection.
We see the US and the UK moving in similar directions. For instance, in February 2026, the U.S. Treasury released the Artificial Intelligence Lexicon and the Financial Services AI Risk Management Framework to standardize terminology and supervisory expectations across several areas like governance, transparency, and data lineage. This was followed in April 2026 by the publication of ‘SR 26-2 Revised Guidance on Model Risk Management’, although it notably excludes generative AI and agentic AI from its current scope. Meanwhile, the UK’s Financial Conduct Authority (FCA) and the Bank of England are focusing on the specific risks stemming from AI models and are considering new testing regimes for AI models deployed by banks.
Do we expect to see significant divergence across different jurisdictions?
While there is a global consensus on the key risk areas, the ‘how’ remains the primary differentiator. We are seeing different approaches: the EU remains more conservative and prescriptive (rule-based), whereas the US favors a more principle-based framework. In addition, there is still debate about where AI-related risks should be addressed. Take model risk management as an example. The revised ECB Guide to Internal Models (July 2025) introduced a dedicated chapter setting out comprehensive expectations for the use of machine learning in Pillar 1 models. In contrast, the OCC’s revised guidance on MRM has excluded AI-related models, leaving some uncertainty regarding how and where regulators will address them in the short term.
Regulators are also watching each other to ensure a level playing field and prevent excessive regulation from holding back innovation. As global competition in AI increases, it is crucial for the EU to promote innovation and maintain its global competitiveness. Driven by the ‘Simplification Agenda’, the European Commission’s Digital Omnibus proposal (November 2025) aims to reduce overlapping rules (such as the AI Act, GDPR, Data Act, and NIS2), move toward risk-based supervision and delay the implementation of core provisions for high-risk AI systems from 2026 to 2027.
Finally, AI is not only a technological tool, but has also become a geopolitical tool. Recent tensions have increased the focus on EU digital sovereignty and the need to reduce reliance on foreign technology providers. To address this, the European Commission is going to propose the Cloud and AI Development Act in 2026 to accelerate the EU cloud strategy and boost domestic AI companies.
What immediate actions should financial institutions be taking?
First, embrace AI technology. Organizations should actively explore use cases that deliver tangible benefits. We are already seeing strong interest from financial institutions in applying AI to quantitative modeling, coding, regulatory compliance, and risk management.
Second, strengthen your risk assessment frameworks. You must proactively address the risks stemming from AI, specifically in the areas of cybersecurity, data integrity, model risk, and third-party management. Expect regulators and supervisors to increase the depth and frequency of their assessments as AI usage becomes more widespread. Being proactive now is the best way to ensure long-term resilience as AI moves from the experimental phase to the heart of financial operations.
