Biweekly Briefing

Global Policy Watch

AI Governance in Finance

Horizontal Rules, Sectoral Realities: How the EU AI Act Meets Financial Regulation
Summary
In 2026, the EU moved to adjust the implementation timeline of the EU AI Act through the Digital Omnibus on AI. After the European Parliament and the Council reached a provisional agreement on 7 May 2026, the European Parliament gave its final approval on 16 June 2026. Formal Council adoption remains the next step before the changes enter into force. Under the revised timeline, obligations for stand-alone high-risk AI systems would apply from 2 December 2027, while high-risk AI systems embedded as safety components in products covered by EU sectoral legislation would apply from 2 August 2028.

Policymakers presented the adjustment as a practical response to implementation pressure. Businesses, standard-setters and supervisory authorities need more time to prepare for a complex regulatory framework. But the postponement also renewed a deeper debate that has followed the AI Act from the beginning: can one horizontal framework govern AI effectively when the technology is deployed across sectors with very different risks, institutions and supervisory traditions?

AI governance has to balance shared rules with sector-specific consequences.

Consider two AI application scenarios. One system recommends films on a streaming platform. Another assists a bank in deciding whether an individual qualifies for consumer credit. Both systems rely on automated analysis, process large volumes of data and generate recommendations that influence human decisions. Yet the consequences of error are very different. A poor film recommendation may simply disappoint a viewer. A flawed credit assessment model may affect access to financing, alter commercial opportunities and raise concerns about fairness, accountability and discrimination.

This contrast shows why AI should not be treated only as a single, abstract technology. The same technical capability can carry very different regulatory implications once it enters a particular institutional setting. The regulatory question is therefore not only what AI is, but where it is used and what consequences it may produce.

At the same time, AI does not belong to any single sector. It is used in healthcare, transportation, education, public administration, financial services and many other areas. If each sector adopted an entirely separate AI rulebook, firms providing AI systems across multiple markets could face overlapping and potentially inconsistent compliance reviews. Similar model components might need to satisfy medical device requirements, credit-scoring rules and data-protection obligations at the same time. As these requirements accumulate, compliance costs rise and innovation may slow.

This explains the appeal of the EU AI Act's horizontal design. Rather than beginning with each individual industry, the AI Act starts from technology and risk categories. Common definitions, shared classifications and consistent governance duties create a regulatory baseline across the European market. For much of the legislative process, this approach seemed compelling because it promised consistency while reducing fragmentation.

The debate around the AI Act therefore reflects a broader policy dilemma: horizontal regulation or vertical regulation. Horizontal regulation establishes general rules that apply across industries. The GDPR is a representative example, as it applies to personal data processing regardless of sector. Vertical regulation, by contrast, focuses on the risks and institutional realities of a specific sector. The Medical Device Regulation, for example, governs product safety and performance within healthcare.

Both approaches serve important purposes. Horizontal regulation promotes consistency and prevents fragmentation. Vertical regulation allows lawmakers and supervisors to address risks that arise in particular industries. Neither approach is inherently superior. A purely horizontal framework may struggle to capture the distinctive features of highly regulated sectors. A purely sector-specific regime may struggle to govern technologies that cut across traditional boundaries.

In finance, the AI Act enters a mature supervisory environment rather than a blank slate.

Financial services show why this interaction matters. Like healthcare and transport, finance is already heavily regulated. Banks, insurers and investment firms operate under detailed requirements covering governance, operational resilience, outsourcing, model risk management, consumer protection and financial crime compliance. When AI regulation enters this sector, it does not enter a blank slate.

Credit assessment is a useful example. Annex III, point 5(b) of the AI Act classifies AI systems used to assess the creditworthiness of natural persons or establish their credit scores as high-risk, except where such systems are used for detecting financial fraud. A bank that uses an AI model to assist or automate a personal loan decision may therefore need to comply with high-risk AI obligations, depending on whether it acts as provider, deployer or both. These obligations include risk management, data governance, technical documentation, transparency and human oversight.

For financial institutions, many of these concepts are familiar. Banks using internal ratings-based models have long faced prudential requirements under the Capital Requirements Regulation and supervisory expectations such as the ECB's Guide to Internal Models. These frameworks already require model governance, validation, documentation and supervisory review. The AI Act therefore does not introduce model governance from nothing. It extends established regulatory logic into the AI context.

The harder question is how the AI Act and existing financial regulation should operate together. In November 2025, the European Banking Authority (EBA) published the outcome of a mapping exercise comparing AI Act requirements for high-risk AI systems with existing EU banking and payments legislation. Its overall conclusion was that no significant contradictions were identified, and that the AI Act is generally complementary to existing sectoral rules rather than a replacement for them. Still, complementarity does not mean full alignment. Implementation will require careful coordination between AI governance and financial supervision.

Data lineage, model versioning, logging, and auditability become core compliance capabilities.

In some areas, the AI Act fills gaps that existing financial regulation has not addressed directly. Banking prudential regulation has traditionally focused on issues such as model accuracy, capital adequacy and risk management. The AI Act adds broader expectations around transparency, accountability and explainability. Article 86 gives affected persons, under specified conditions, a right to obtain a clear and meaningful explanation of the role of a high-risk AI system in a decision and the main elements of that decision. In a credit context, this may require a bank to explain how an AI system contributed to a refusal, without turning the explanation into full disclosure of model code or variable weights.

In other areas, the requirements overlap. Banks are already expected to ensure data quality and representativeness in model governance. Article 10 of the AI Act similarly requires appropriate data governance practices for training, validation and testing datasets, including attention to data origin, data preparation, bias examination and data gaps. The goals are aligned, but firms may need more careful documentation to show that one governance process satisfies both financial-sector expectations and AI Act obligations.

Article 12 points in the same direction. It requires high-risk AI systems to technically allow automatic logging over the system's lifetime, with logs sufficient to support traceability, post-market monitoring and oversight. This does not necessarily mean that every institution must build a cryptographic, real-time and immutable audit trail. But it does make data lineage, model versioning, logging and auditability increasingly important compliance capabilities.

This is where AI provenance becomes central. Financial institutions will need infrastructure capable of tracking where data comes from, how datasets are prepared, how models change, who accesses them and how outputs are reviewed. Provenance is not merely a technical record-keeping tool. It is the infrastructure that allows firms to demonstrate that AI systems are governed, supervised and auditable over time.

The most delicate tensions arise where transparency duties meet confidentiality and trade-secret concerns. The AI Act gives affected individuals a right to meaningful explanations in certain cases, supporting the consumer's right to information and fair treatment. At the same time, it recognises that transparency must be balanced against legitimate interests such as trade secrets. Credit models may embody substantial technical investment and commercial know-how. Full disclosure could undermine competitive position or create model-security risks. Financial institutions will therefore need explanation practices that are intelligible to customers and supervisors while still protecting legitimate confidential information.

The AI Act is not blind to these complexities. It recognises that some high-risk requirements may overlap with sectoral rules and provides targeted derogations and synergies to avoid unnecessary duplication. It does not seek to replace decades of financial-sector rule-making. Instead, it creates a common AI governance baseline while relying on sector-specific supervision to make that baseline workable in practice.

The next stage depends on how horizontal AI rules interact with vertical financial supervision.

The future of AI governance in finance will depend not only on how quickly AI develops, but also on whether existing legal and institutional frameworks can adapt. AI is not entering an empty regulatory space. It is entering sectors already shaped by mature rules, established authorities and long-standing supervisory practices. The task is therefore not simply to regulate a new technology, but to determine how that technology fits within existing governance systems.

Provenance is likely to become a core compliance capability. As financial institutions bridge the gap between horizontal AI rules and vertical banking supervision, the ability to trace and verify AI data lineage may shift from best practice to practical necessity. Sector-specific standards for AI transparency are also likely to emerge. The AI Act supplies the framework, but concepts such as fairness and explainability will need to be operationalised by financial regulators in sector-specific ways.

Closing Note

The discussion prompted by the EU AI Act suggests that this process will not be straightforward. Common principles remain valuable, but sector-specific expertise remains indispensable. The relationship between horizontal rules and vertical supervision may become one of the defining questions of AI governance in finance.