Data Governance Defines How Far Banks Can Extend AI Into Their Regulated Core

As reporting cycles have compressed, cost structures have shifted, and analyst time has moved upstream from production toward exception management, the operational case for AI in banking is no longer speculative. The gains are real, and they're showing up in earnings calls across the sector. The harder questions sit underneath them. AI's value to a bank scales with the integrity of the data it draws on, the resilience of the infrastructure it sits on top of, and the governance discipline of the institution running it. Where any of those layers are weak, AI amplifies the weakness rather than masking it.

Armel Roméo Kouassi Senior Vice President and Global Head of Asset Liability Management at Northern Trust, where he leads balance sheet management, Interest rate risk management across the firm's global business lines. His career spans senior roles at State Street, M&T Bank, Citi, Merrill Lynch, and GE Capital, and he speaks and writes widely on AI policy and financial risk for industry forums in the US and Europe. That perspective, anchored in both the balance sheet engine of a global bank and the policy conversations shaping AI adoption across the sector, frames how he reads the current moment.

"The fuel that makes the engine of AI work is data. Investing in clean, governed data sets is the only way to ensure the foundation for integrity, consistency, and security is there," he asserts. Though the productivity story sitting on top of that foundation is the one most easily measured, the structural story underneath it is the one that determines how far the productivity goes.

Where the operational gains are showing up

Banks have moved fast on the parts of AI adoption that sit furthest from the regulated core. Kouassi says reporting, internal analysis, and executive information delivery are the clearest beneficiaries. "CEOs want to be able to drill down and ask questions on earnings. In the past, the CEO would send an email and ask a range of analysts from different departments. Today, he can get this answer on his iPad, and the AI can provide insight, foresight, and forecasts."

The CEO-iPad example cleanly illustrates the shift in analysts' work. Though the information itself isn't new, the delivery model has changed, and that change cascades through the analyst layer above it. Time that used to be spent assembling the answer now goes to validating the exceptions where AI's output cannot be trusted on its own. Kouassi is precise that the human still sits in the loop, but the loop runs differently than it did two years ago.

Legacy systems hold the regulated core

Today, the gains stop at the regulated boundary. The systems that actually clear transactions, manage liquidity, and feed the balance sheet metrics regulators monitor remain on legacy infrastructure that cannot be replaced quickly. In Kouassi's view, the reason is structural rather than technical. "Because of the regulation, the core of what makes the banking system work is still on the legacy system. For making a transaction happen, we still have that human component or that legacy technology in charge."

The systems used to run balance sheet positions sit even further from external access by design. Many of them are proprietary and deliberately kept off public networks, which protects them from external attack but also constrains how AI can plug into them. Kouassi sees a change on the horizon. "The trade-off will be a loosening of regulation, which will allow much more accelerated innovation, and in that case it may be a bit more vulnerable." Until that trade-off is resolved at the policy level, he says, banks will continue to deploy AI as the receiver and synthesizer of information rather than as the actor on the underlying transaction.

AI amplifies cyber exposure as fast as it improves operations

Cybersecurity is the area where AI's dual-use nature shows up most sharply. The same capabilities that compress reporting cycles inside the bank also expand the attack surface outside it. "AI has amplified the risk," Kouassi says. "Hackers are using trial and error with AI technologies to mimic a human, to replicate another organization. The attack points become multiple at an exponential rate."

The institutional response has been to reemphasize the basics of training and diligence at the employee layer, particularly around phishing, data requests, and compliance procedures, but Kouassi believes the harder problem sits above that layer. State actors targeting major banks operate at a scale no single institution can defend against alone. "Even the largest, most powerful bank in the US in terms of infrastructure, scope, and scale, doesn't have 100% prevention against a state actor. It has to be a collaboration between the banking system and the US government."

That collaboration is becoming part of the broader sovereignty conversation reshaping how banks think about AI infrastructure dependencies. Kouassi sees data sovereignty as a state-level issue that ultimately shapes which technology stacks global banks can rely on, and on whether US AI standards remain the de facto global baseline the way US banking regulation did.

Governance, sovereignty, and the "one bank" operating model

The internal expression of the same governance discipline is showing up in many banks' attempt to implement a cohesive strategy that aligns a complex organization, using AI to break down silos between divisions and create a consistent view of information across the company. "The beauty of AI, especially since many of the banks have implemented it with guardrails internally, is that you learn about your bank activities from the external and the internal. That information is ingrained in the learning process, and the AI disseminates information consistently and holistically." He explains how, in the past, if two people from different parts of the organization had similar requests, the requests would typically be acted on in silos. "Today the AI understands that this request has already been asked, already been answered, and can tell whether things are consistent or not between the two."

The danger Kouassi flags in this is the inverse of the upside: when AI is the layer disseminating answers across divisions, contaminated inputs do not stay contained. The same architecture that makes information flow consistently will also propagate bad data consistently if governance fails. "Safety nets around the data are critical," he says.

By that logic, data and AI governance live on the same priority tier as cyber resilience and regulatory compliance. The institutions that treat clean data as foundational infrastructure rather than as a back-office concern will be the ones that can extend AI deeper into the regulated core, at least as far as today's policy allows. The institutions that treat it as a downstream problem will discover that they have automated their dysfunction rather than their decision-making.