Regulators’ own AI models escape scrutiny, for now

AI

AI is reshaping the financial sector at pace, approving loans, drafting disclosures and flagging suspicious transactions inside regulated firms, while the rules meant to govern it are still being debated. Writing those governance frameworks today is akin to painting the centre line on a motorway before the concrete has been poured.

According to Sherlocq, the Covid era accelerated digital adoption across financial services, and AI has now pushed that transformation into overdrive, opening gaps between performance and expectation that are far from hypothetical.

Sherlocq recently discussed a critical topic of who regulates the regulator’s algorithm?

Supervisors worldwide are actively constructing AI oversight frameworks, yet every few months a new capability or failure mode emerges that existing drafts never anticipated. Firms are being asked to comply with expectations that are, in places, still being written. The pragmatic path for supervisors is to focus on governance and outcomes rather than chasing individual technologies, and increasingly, to deploy their own AI to match the industry’s capabilities.

This raises a question receiving far too little attention: who will regulate the regulators as they begin using their own AI models?

The arithmetic behind the shift is simple. The volume, speed and opacity of model-driven decisions inside a modern bank have already outrun what examiners can review manually. A team of humans cannot read a million automated lending decisions; software can. Regulators will increasingly use AI to supervise AI, and several already are, quietly. On its face this is sensible, even overdue. Machine review excels at exactly the work that defeats human reviewers, sifting vast volumes of model output for bias or drift and spotting suspicious patterns hidden across thousands of unremarkable decisions.

But the moment a regulator deploys a model to judge a firm, it inherits every problem it spent the last decade telling firms to fix. A supervisory model carries its own assumptions, training data, biases and blind spots. Trained largely on historical enforcement cases from one sector, geography or era, it will faithfully reproduce the priorities of that past, looking hardest where regulators have already looked and staying quietest precisely where the next problem is forming. When a model’s output can trigger an investigation or a fine, that stops being a technical footnote and becomes a question of legitimacy.

Enforcement also needs an explanation. Regulated firms are entitled to understand the basis of a finding against them, to challenge it and to seek review. If a supervisory model flags a lender for bias in its credit decisions and the honest answer to “on what basis?” is that the tool is itself a black box, the enforcement action stands on thin ice. The regulator would be demanding a standard of transparency it could not meet itself.

Four questions remain unanswered in any jurisdiction. Who reviews the supervisory tools authorities use, given the inspector’s software currently inspects itself? What is the remedy when supervisory AI is wrong, since adding a second AI layer pushes the burden of disproving a machine onto the supervised? What happens when a model inherits the bias embedded in enforcement data, which records past investigative choices as if they were the shape of risk itself? And who is liable when an automated supervisory decision causes harm to a firm, consumers or a market?

None of this argues against AI-assisted regulation, which may prove fairer and more thorough than the overstretched human version it replaces. The argument is narrower: a regulator’s own tools should be held to at least the standard imposed on the firms it supervises. The longer that gap persists, the more it erodes confidence in the entire architecture of oversight.

For firms, uncertainty about the rules is no excuse to wait. They should inventory their AI systems with named owners, document data sources, testing and oversight as they deploy, build for a common regulatory core with regional variations, and treat AI readiness like inspection readiness.

Compliance and risk professionals need not become data scientists, but “the output can’t be explained” must be treated as a red flag, and boards need plain dashboards and honest narratives. “I don’t understand this model” has stopped being a defensible position in a senior seat. The firms that come through well will be those that built accountability into their governance early, not those that waited for perfect rules.

Read the full Sherlocq post here. 

By Daniel Willis, Editor of RegTech Analyst 

Read the daily RegTech news

Copyright © 2026 RegTech Analyst

Enjoyed the story? 

Subscribe to our weekly RegTech newsletter and get the latest industry news & research

Copyright © 2018 RegTech Analyst

Investors

The following investor(s) were tagged in this article.