January 2026 - Inaugural Issue

Welcome to AIxRisk!

Welcome to AIxRisk’s inaugural newsletter. The AIxRisk team - Aarona Chou and Penny Cagan - has launched a consultancy in response to a period of great change. We are two risk professionals who have lived through great change in the past, including the introduction of Basel 2, the Dodd Frank Act, and the OCC’s Heightened Standards. The difference now is that the palatable change is not regulatory driven - although there are meaningful regulatory changes - but rather driven by a technology change that will fundamentally change how the industry manages its risk and control environment.

Who We Are

There are those that have proclaimed the use of generative and agentic AI as “much ado about nothing” and others who believe that it could ultimately lead to the end of civilization. We are optimists and believe that the introduction of AI holds the potential to reshape how we manage risk, and conversely, we believe that risks associated with its deployment can/must be managed with the right focus and tools. We call this Side A and Side B of the AI risk equation (if any of you are old enough to remember spinning 45 records with two sides of music selections!) Our mission is to assist our financial services colleagues with both sides.

Many of you know us from the industry. We have decades of experience managing through change in the risk management discipline, including implementing frameworks in response to the introduction of Basel 2, preparing for Basel 3 endgame, and meeting the requirements of regulations that were passed following the Great Financial Crisis. We have a global mindset and have worked on mapping to requirements of landmark EU and UK legislation. Our skillset is both deep and varied, as we have managed risk functions across risk domains and businesses.

We are passionate about risk management and consider it part of our DNA. In addition to advisory services, we want to add value to an industry that has provided us with decades of experience, challenges, and career growth. We are positioned to bring our industry colleagues together into small groups to discuss both Side A and Side B of the AI risk management challenge, through focus groups, webinars, industry forums, and training sessions.

What Good Looks Like

We have spoken to many of you over the last few months and what we are hearing is that there are two strong needs in the industry right now related to both deploying AI to manage risk and developing a framework to manage AI risk. This includes a consensus on “what good looks like” and how organizations compare with each other. To address these needs, our two-sided AI Risk Maturity Model is designed to assist organizations with understanding what a well-developed framework looks like, where they currently are on the AI risk management journey, and how to articulate their target state.

We have designed our AI Risk Maturity Model to be iterative and to incorporate changes in the industry as they occur. “Side A” of our model includes the articulation of a maturity scale related to AI deployment related governance, risk appetite, risk assessments, key risk indicators, scenarios, reporting and training, while “Side B” includes how AI can be deployed to manage many of these core risk management framework elements.

We believe that 2026 is the year where the industry will make significant progress in deploying AI to manage risk while there is visibility into the risks they are taking on as they integrate AI into their business processes. Our maturity model can help with providing a roadmap for that work and can be applied across business challenges.

2026 Pivotal for AI Risks

ChatGPT was rolled out in November 2022 and Google released Gemini in December 2023 (originally known as Bard). In little more than two years the technology has become integrated into many core business processes, such as what many of us experience when we interact with customer service bots on websites. Compare this with the full integration of the worldwide web into business processes, which took decades.

It is imperative that risk and control management must keep pace with the integration of AI into business processes. We are experiencing a potential pause on hiring across industries due to the common belief that AI can replace employees - especially entry level ones - that are responsible for some mundane and repeatable tasks. Many CEOs have gone from being circumspect about layoffs to wearing them as a badge of honor to demonstrate efficiency and technology acumen.

What this means for risk management is that to be effective it must be as innovative, forward-looking, and adaptive. We have all heard about “human in the loop” (which we agree is an imperative to manage risk effectively), but 2026 must be the year that “risk and control management” is in the loop. This means proactively rolling out AI enabled risk management tools, including embedding controls in the technology itself, and having robust frameworks to manage AI risks. We believe that this is the year when it all comes together.