BOARD BRIEFING REPORTEuropean Banking & Financial MarketsManagement Board Question · For Discussion

If AI Gets It Wrong, Could You Evidence Your Oversight?

TopicAI Oversight
AudienceManagement Board · Supervisory Board · Executive Committee
Read Time6 minutes
Target StatusGREEN — once oversight is owned, evidenced and reviewable

At a glance

The issue is no longer whether the tool made a mistake.

The issue is whether the institution can evidence oversight, ownership and human review.

Board AskConfirm whether the institution can evidence oversight for material AI use cases.

Situation

Assume the following situation.

An AI-supported tool assists a regulated process. It summarises client information, prepares a risk view, supports a control assessment or drafts a decision rationale. A few weeks later, the output is challenged by a client, auditor or supervisor.

The issue is no longer whether the tool made a mistake.

The issue is whether the institution can evidence oversight, ownership and human review.

Management Summary

AI use in European banking is no longer marginal: the ECB stated in February 2026 that more than 85% of large banks under European supervision already use AI in some form.

The board does not need every model detail, but it needs evidence that material AI use cases are owned, reviewed and controlled.

A strong answer is specific, current and evidenced; a weak answer remains anchored in policy, project status or vendor responsibility.

Management Report Panel

Situation in One Sentence
AI is moving from experimentation into regulated workflows; oversight must now be evidenced in practice.
Key Issue
Board reliance is not supported by policy alone. It requires ownership, human oversight, literacy, monitoring and evidence.
Primary Risk
AI output influences a process, communication or decision, but accountability and review evidence remain unclear.
Board Ask
Confirm whether the institution can evidence oversight for material AI use cases.
Target RAG
GREEN when the answer is owned, documented, tested and reviewable.

Answer Quality Calibration

GREEN Decision-Grade Answer
AMBER Partially Evidenced
RED Not Decision-Grade
InventoryCurrent AI use-case inventory exists.
InventoryInventory exists but is incomplete.
Inventory“We have an AI policy.”
OwnershipClear owner assigned per use case.
OwnershipOwnership exists at project level, not operating-model level.
Ownership“This sits with IT.”
Human OversightHuman oversight is defined and evidenced.
Human OversightOversight is described, but evidence is not retained consistently.
Human Oversight“The provider is responsible.”
LiteracyAI literacy is role-based and documented.
LiteracyTraining exists, but not by role, risk or use case.
Literacy“Training has been completed.”
MonitoringExceptions, overrides and incidents are monitored.
MonitoringMonitoring exists, but reporting is fragmented.
Monitoring“No incident has happened so far.”
Board ReportingBoard reporting shows risk, value and control evidence.
Board ReportingBoard receives status updates, but not decision-grade evidence.
Board Reporting“It is only a copilot.”

The RAG status calibrates the quality of the answer. It does not judge the institution.

Who Should Answer

CIOCTOCROCOOCISOComplianceLegalData ProtectionChief Data OfficerBusiness OwnerModel Risk / ValidationInternal Audit

Accountability note:
Technology may own the platform. The business owns the decision impact. Control functions must be able to challenge the answer. Internal Audit must be able to review the evidence.

Evidence the Board Should Request

  1. 01AI use-case inventory
  2. 02Risk classification by use case
  3. 03Ownership map
  4. 04Data classification and permitted-use view
  5. 05Human oversight design
  6. 06AI literacy evidence by role
  7. 07Exception, override and incident log
  8. 08Third-party dependency map
  9. 09Board reporting dashboard
  10. 10Decision log for scale, restrict, retrain or retire

Warning Signals

The following answers may sound reassuring, but they are not yet decision-grade:

  • “We have an AI policy.”
  • “This is managed by IT.”
  • “The provider is responsible.”
  • “The tool is only used internally.”
  • “No incident has happened so far.”
  • “We have no high-risk AI use cases.”
  • “Training has been completed.”
  • “This will be clarified during implementation.”

None of these statements is necessarily wrong.

They are simply not sufficient evidence for board-level reliance.

Path to Green

The answer becomes GREEN only when the board can see:

  • where AI is used and which use cases are material;
  • who owns each use case and each decision impact;
  • which human review is required and evidenced;
  • which data, model and provider dependencies exist;
  • which exceptions, overrides and incidents are monitored;
  • who can decide to scale, restrict, retrain or retire the use case.

GREEN is not a policy status.
GREEN is an evidence status.

Suggested Next Question

Which AI use case would create the greatest accountability issue if a client, auditor or supervisor asked us to explain it tomorrow?

Expert commentary — 4 min read

AI oversight is often discussed as if the central question were whether an institution has an AI policy, an AI committee or an AI inventory.

Those elements matter. But they are not the end point.

For a management board, the relevant question is whether oversight can be evidenced in practice. This is consistent with the ECB’s current supervisory direction on AI. The ECB’s 2026 supervisory priorities state that banks using new technologies, particularly AI, should have strategies that reflect both opportunities and risks and should establish robust governance and risk controls.

The ECB’s 2024 draft guide on governance and risk culture also used a good-practice and red-flag structure for governance assessment. In June 2026, the ECB announced that this draft guide will be replaced by a good-practices report planned for the first quarter of 2027. The useful point for this briefing is therefore not the legal status of the draft guide, but the management logic: governance must be visible in practice, not only described in policy.

This matters because AI changes the evidence standard.

In a conventional technology process, a board may ask whether a system is approved, whether controls exist and whether the relevant function owns the process. In an AI-supported process, the same questions are no longer enough. The board also needs to understand what the AI system is doing, what decision or workflow it supports, where human judgement remains required, who is competent to review the output and whether exceptions are visible.

That is why “this sits with IT” is not a board-grade answer.

Technology may manage the platform. But the decision impact sits where the use case changes work, judgement, communication, control or client interaction. If an AI tool supports a credit process, fraud process, investment-service process, control review, legal assessment or customer communication, ownership cannot be reduced to system administration.

ESMA has made the same point for investment services. In its public statement on AI and investment services, ESMA says that firms using AI when providing investment services should comply with MiFID II organisational, conduct and best-interest obligations.

This is the practical logic behind the RAG panel.

A GREEN answer is not strong because it uses sophisticated language. It is strong because it is concrete.

  • It can show the use cases.
  • It can name the owners.
  • It can explain the decision impact.
  • It can evidence human oversight.
  • It can show role-based AI literacy.
  • It can demonstrate monitoring.
  • It can produce logs, dashboards and decision records.

An AMBER answer may be directionally correct but not yet reliable for board reliance. The institution may have an inventory, but it may not include embedded AI in third-party tools. It may have training, but not by role. It may have a policy, but no exception log. It may have use-case approval, but no clear decision rule for scaling or stopping the use case.

A RED answer is different. It is not necessarily false. It is simply not enough.

  • “We have a policy” does not evidence oversight.
  • “The provider is responsible” does not evidence internal accountability.
  • “It is only a copilot” does not explain data exposure, decision impact or human reliance.
  • “Training has been completed” does not show whether the right people have the right competence for the right use case.

This distinction is particularly important under the EU AI Act. The European Commission explains that Article 4 entered into application on 2 February 2025 and that the supervision and enforcement rules apply from 3 August 2026 onwards.

The governance conclusion is straightforward. AI oversight is not a document.
It is an accountability chain.

That chain starts with inventory and classification. It continues through ownership, data governance, human review, literacy, monitoring, exceptions and decision rights. It ends with board-level evidence that the institution can explain how AI is used and how it remains controlled.

The right board question is therefore not whether AI is being used. It is whether the board can rely on the answer it receives. And reliance requires evidence.

Selected Source Base

← All briefings