Analyst Spotlight

Michael Yeo
Associate Research Director, Financial Insights
IDC

Governing the Machine

How Asia/Pacific Financial Institutions Are Building AI Risk Frameworks That Actually Work

GenAI has moved from the innovation lab to the frontline across Asia/Pacific financial services. Yet IDC research shows a growing gap: the IDC 2025 Industry AI and Cloud Path Survey found that 40% of FSIs say governance and risk management are now their biggest AI hurdle. For FSIs in 2026, the core question is no longer who adopts AI fastest, but who can govern it well enough to scale safely.

  1. The governance gap
    Technology confidence is high: 74% of FSIs say they are at the “managed” or “optimized” stages of GenAI adoption, and boards are committing capital. The main obstacle to full-scale rollout is no longer the technology itself, but the institution’s ability to govern it.

    When GenAI sat in pilots, governance was treated as a compliance tick-box. That is no longer tenable now that 33% of FSIs already use GenAI in direct customer interactions with no human in the loop, and another 55% plan to follow within 12 months. Poor governance now carries clear legal, reputational, and financial consequences.

  2. What AI governance means in financial services
    Traditional model risk management frameworks were not designed for large language models. LLMs do not have fixed decision boundaries and are capable of generating convincing but wrong outputs at scale. FSIs have to extend existing MRM practices to GenAI with fit-for-purpose validation, performance monitoring, drift detection, and explainability that can stand up to internal risk committees and regulators.

    Agentic AI raises the stakes further. FSIs in Asia/Pacific already have an average of 29 agent types in production, ahead of the cross-industry average of 24, and IDC expects that number to roughly double by end-2026. These agents query systems, execute transactions, and interact with customers. When an autonomous agent makes a consequential mistake, it is often unclear who is accountable, and most current governance frameworks in the region do not yet provide a clear answer.

    Regulators across Asia/Pacific are also moving at different speeds. MAS has issued detailed guidance on customer-facing AI, HKMA has focused on board-level responsibilities, and APRA is folding AI into broader operational risk frameworks. In ASEAN, high-level principles are in place but detailed implementation guidance is still taking shape. Institutions operating across multiple markets need to align with the most demanding regime they face today and anticipate where slower-moving regulators are heading.

  3. The custom-build shift
    A clear structural trend in IDC’s data is the move from renting AI to building it. The share of FSIs using custom-built stacks is set to rise from 16% today to 23% over the next 12 months. Once an institution builds its own models, model risk sits directly on its balance sheet, and the burden of governance (validation, monitoring, documentation, and regulatory disclosure) scales accordingly.

    Key data points from the IDC 2025 Industry AI and Cloud Path Survey

    • 40% of FSIs cite governance and risk management as their top AI implementation barrier
    • 29 agent types in production at Asia/Pacific FSIs (vs 24 cross-industry average)
    • 2× expected growth in agent deployments by end-2026
    • 16% → 23% of FSIs building custom AI stacks (today vs next 12 months)

  4. What good governance actually looks like
    Effective AI governance operates on three levels. First, the board must own AI risk, with AI a standing agenda item and a clear risk appetite. The board should hold management accountable for governance outcomes, not just deployment milestones.

    Second, there needs to be a dedicated AI risk function that sits alongside, not inside, AI development teams. This function owns model validation standards and provides the second line of defence that regulators expect.

    Third, governance has to be built into the design of AI initiatives. Risk assessments and approval gates need to be embedded in the development lifecycle, and monitoring must be in place before a model goes live, not retrofitted after the first incident.

    For agentic AI, institutions must set clear rules on where human oversight is mandatory: which decisions agents can make on their own, which require review, and which require formal approval. These thresholds have to be defined, documented, and enforced.

  5. Governance as competitive advantage
    When done properly, governance helps institutions move faster, not slower. IDC notes that, in its experience, vendors report that some of their clients now see regulation becoming a performance driver when it is properly accounted for and executed well. Firms with standing frameworks shorten time-to-production by using pre-approved paths, build customer trust in AI-enabled services, and attract technical talent that wants to work in organizations that take responsible AI seriously.

    The window to put robust AI governance in place is still open, but it is narrowing. Regulatory expectations are tightening, and agentic AI is scaling faster than many institutions anticipated. Firms that now treat governance as a strategic investment and a tool for accelerating initiatives will be better positioned than both regulators and peers. Conversely, those that delay will be forced to catch up under pressure.