Today, CFTE hosted a webinar with Dr David R. Hardoon, PhD, CFTE Senior Advisor, Data and AI leader, and former Chief Data Officer at the Monetary Authority of Singapore, on “Agentic AI in Financial Services: From Governance to Operationalisations.”
The session focused on one of the most important questions facing financial institutions today:
How do we move from responsible AI principles and governance frameworks to practical implementation, assurance and controls?
As generative AI and AI agents become more embedded in financial services workflows, the challenge is no longer only about understanding the technology. It is about building the right operating model for responsible adoption.
The problem is not a lack of governance
Financial services is not short of governance.
There are frameworks, policies, principles, model risk processes, regulatory expectations, internal controls and approval committees. Yet, when organisations try to deploy AI, especially agentic AI, governance is often experienced as a blocker rather than an enabler.
During the webinar, participants identified familiar barriers to agentic AI adoption: governance, security, lack of expertise, data quality, control and awareness.
Dr Hardoon’s point was not that governance is unnecessary. Quite the opposite.
The intended purpose of governance is to create safeguards, manage risk, build trust, improve transparency and support long-term value. The problem is that, in practice, governance can become red tape, box-ticking and a process that slows down deployment without necessarily improving outcomes.
That gap matters.
If governance already feels difficult in traditional AI, agentic AI increases the complexity. Instead of one model producing one output, organisations may now be dealing with multiple agents, tools, workflows, decisions, escalations and human interactions.
This is why governance cannot remain a one-time approval gate.
Agentic AI is about orchestration
A key theme from the session was that agentic AI should not be understood as “AI acting alone.”
Dr Hardoon described agentic AI as an environment of specialised agents, task decomposition, memory, orchestration and collaboration. Some agents may perceive, some may reason, some may act, and others may coordinate.
But in financial services, the most important point is this:
Agentic systems will not consist only of AI agents.
They will sit alongside human agents, rule-based systems, existing operational processes and business teams. A true agentic environment is therefore not only a technical architecture. It is an operating model.
This creates a governance challenge.
If institutions govern AI agents in one way, rule-based automation in another way and human decision-making in another way, they risk creating inconsistent controls across the same business process.
The governance question becomes less about whether something is “AI” and more about what role it plays in the business process, what risk it introduces, and how it should be monitored.
The double standard problem
One of the strongest examples from the webinar was the idea of double standards.
When an AI solution accesses files, analyses information and drafts a memo, cybersecurity, legal or compliance teams may raise concerns. Those concerns may be valid.
But the next question is: how is the same task done today?
If a human already accesses the same files, reviews the same information and drafts the same memo, then the issue is not simply that “AI creates risk.” The issue is whether the new process changes the existing risk profile.
Does it increase risk?
Does it reduce risk?
Does it create new controls?
Does it expose gaps in the way the existing process was already governed?
This is where financial institutions need a more mature approach. AI should not be treated as special simply because it is AI. It should be governed according to the role it plays, the risk it introduces and the outcome it is expected to produce.
From one-time approval to continuous governance
Traditional governance often assumes a deterministic process.
A system is reviewed, approved, deployed and then periodically checked. That works reasonably well when inputs and outputs are stable and predictable.
Agentic AI is different.
The system may adapt, interact with changing data, respond differently depending on context and operate across a wider workflow. In this environment, governance has to become continuous.
Dr Hardoon highlighted several dimensions institutions need to monitor.
Observability means being able to see and understand what the agent or fleet of agents is doing.
Controllability means having a way for a human, another agent or a rule-based system to intervene when needed.
Stability means ensuring the wider system can remain reliable if one agent fails or performs below expectation.
Robustness means testing whether the system can handle adversarial prompts, market shocks, noise, system issues or unexpected inputs.
Performance means checking whether the system is still delivering the intended business outcome.
This is a very different mindset from asking whether a model passed an approval gate once.
It is closer to running an operating environment.
Governance as a business function
One of the most practical takeaways from the session was the need to treat governance as a business function.
That means governance should not sit outside the development lifecycle as a separate approval step. It should be embedded into the process from the beginning.
A practical AI governance operating model might include intake, assessment, build and test, deployment approval, operate and monitor, and retire or decommission.
At the intake stage, the AI use case is submitted, reviewed and added to an inventory with clear ownership.
At the assessment stage, risk, compliance, privacy, cybersecurity and business impact are reviewed early.
During build and test, evidence, attestations and controls are collected during development, not after everything is built.
Deployment approval should then be based on the risk tier, business context and evidence gathered.
Once deployed, performance, drift, value, risk indicators and compliance need to be monitored continuously.
Finally, institutions also need to think about retirement and decommissioning, including end-of-life decisions, migration and replacement.
This is where governance becomes useful. It becomes part of execution, rather than a hurdle that appears at the end.
The human capital gap
The session also ended with an important reminder: AI is ultimately about people.
Dr Hardoon noted that HR is often missing from AI initiatives, despite the fact that AI directly affects skills, roles, capabilities, operating models and talent strategy.
This is particularly important for agentic AI.
If AI agents begin to work alongside human agents, organisations need to rethink more than technology. They need to rethink capability building, role design, accountability, workforce readiness and leadership.
AI governance cannot be separated from human governance.
The question is not only: “How do we govern AI?”
It is also: “How do we govern work in an environment where humans, AI systems and rule-based processes operate together?”
What financial institutions should do next
The lesson from the webinar is clear.
Financial institutions do not need more abstract AI governance. They need governance that can be operationalised.
That means moving from policies to processes.
It means moving from one-time approvals to continuous monitoring.
It means moving from AI-specific controls to unified governance across humans, rules and AI agents.
It means moving from experimentation to operating models.
And it means moving from technical adoption to capability building.
Agentic AI will make governance more important, not less.
But the institutions that succeed will be the ones that make governance practical enough to accelerate responsible adoption, rather than slow it down.
