If AI Gets It Wrong, Could You Evidence Your Oversight?
At a glance
The issue is no longer whether the tool made a mistake.
The issue is whether the institution can evidence oversight, ownership and human review.
Board AskConfirm whether the institution can evidence oversight for material AI use cases.
Situation
Assume the following situation.
An AI-supported tool assists a regulated process. It summarises client information, prepares a risk view, supports a control assessment or drafts a decision rationale. A few weeks later, the output is challenged by a client, auditor or supervisor.
The issue is no longer whether the tool made a mistake.
The issue is whether the institution can evidence oversight, ownership and human review.
Management Summary
AI use in European banking is no longer marginal: the ECB stated in February 2026 that more than 85% of large banks under European supervision already use AI in some form.
The board does not need every model detail, but it needs evidence that material AI use cases are owned, reviewed and controlled.
A strong answer is specific, current and evidenced; a weak answer remains anchored in policy, project status or vendor responsibility.
Management Report Panel
Answer Quality Calibration
The RAG status calibrates the quality of the answer. It does not judge the institution.
Who Should Answer
Accountability note:
Technology may own the platform. The business owns the decision impact. Control functions must be able to challenge the answer. Internal Audit must be able to review the evidence.
Evidence the Board Should Request
- 01AI use-case inventory
- 02Risk classification by use case
- 03Ownership map
- 04Data classification and permitted-use view
- 05Human oversight design
- 06AI literacy evidence by role
- 07Exception, override and incident log
- 08Third-party dependency map
- 09Board reporting dashboard
- 10Decision log for scale, restrict, retrain or retire
Warning Signals
The following answers may sound reassuring, but they are not yet decision-grade:
- “We have an AI policy.”
- “This is managed by IT.”
- “The provider is responsible.”
- “The tool is only used internally.”
- “No incident has happened so far.”
- “We have no high-risk AI use cases.”
- “Training has been completed.”
- “This will be clarified during implementation.”
None of these statements is necessarily wrong.
They are simply not sufficient evidence for board-level reliance.
Path to Green
The answer becomes GREEN only when the board can see:
- where AI is used and which use cases are material;
- who owns each use case and each decision impact;
- which human review is required and evidenced;
- which data, model and provider dependencies exist;
- which exceptions, overrides and incidents are monitored;
- who can decide to scale, restrict, retrain or retire the use case.
GREEN is not a policy status.
GREEN is an evidence status.
Suggested Next Question
Which AI use case would create the greatest accountability issue if a client, auditor or supervisor asked us to explain it tomorrow?
Selected Source Base
- ECB Banking Supervision, “Technology is neutral, governance is not: AI adoption in the banking sector”, February 2026.
- ECB Banking Supervision, Supervisory priorities 2026–28.
- ECB Banking Supervision, “ECB streamlines supervisory guidance to improve clarity and transparency”, June 2026.
- European Commission, AI Literacy Questions & Answers.
- ESMA, Public Statement on AI and investment services, May 2024.
Expert commentary — 4 min read
AI oversight is often discussed as if the central question were whether an institution has an AI policy, an AI committee or an AI inventory.
Those elements matter. But they are not the end point.
For a management board, the relevant question is whether oversight can be evidenced in practice. This is consistent with the ECB’s current supervisory direction on AI. The ECB’s 2026 supervisory priorities state that banks using new technologies, particularly AI, should have strategies that reflect both opportunities and risks and should establish robust governance and risk controls.
The ECB’s 2024 draft guide on governance and risk culture also used a good-practice and red-flag structure for governance assessment. In June 2026, the ECB announced that this draft guide will be replaced by a good-practices report planned for the first quarter of 2027. The useful point for this briefing is therefore not the legal status of the draft guide, but the management logic: governance must be visible in practice, not only described in policy.
This matters because AI changes the evidence standard.
In a conventional technology process, a board may ask whether a system is approved, whether controls exist and whether the relevant function owns the process. In an AI-supported process, the same questions are no longer enough. The board also needs to understand what the AI system is doing, what decision or workflow it supports, where human judgement remains required, who is competent to review the output and whether exceptions are visible.
That is why “this sits with IT” is not a board-grade answer.
Technology may manage the platform. But the decision impact sits where the use case changes work, judgement, communication, control or client interaction. If an AI tool supports a credit process, fraud process, investment-service process, control review, legal assessment or customer communication, ownership cannot be reduced to system administration.
ESMA has made the same point for investment services. In its public statement on AI and investment services, ESMA says that firms using AI when providing investment services should comply with MiFID II organisational, conduct and best-interest obligations.
This is the practical logic behind the RAG panel.
A GREEN answer is not strong because it uses sophisticated language. It is strong because it is concrete.
An AMBER answer may be directionally correct but not yet reliable for board reliance. The institution may have an inventory, but it may not include embedded AI in third-party tools. It may have training, but not by role. It may have a policy, but no exception log. It may have use-case approval, but no clear decision rule for scaling or stopping the use case.
A RED answer is different. It is not necessarily false. It is simply not enough.
This distinction is particularly important under the EU AI Act. The European Commission explains that Article 4 entered into application on 2 February 2025 and that the supervision and enforcement rules apply from 3 August 2026 onwards.
The governance conclusion is straightforward. AI oversight is not a document.
It is an accountability chain.
That chain starts with inventory and classification. It continues through ownership, data governance, human review, literacy, monitoring, exceptions and decision rights. It ends with board-level evidence that the institution can explain how AI is used and how it remains controlled.
The right board question is therefore not whether AI is being used. It is whether the board can rely on the answer it receives. And reliance requires evidence.