Page 32 - gs260402
Insights and Expertise

Auditability is the real AI requirement in financial services

By David Moscatelli
Go Abacus

In the financial services sector, AI deployments often stall because they are difficult to audit. If there's uncertainty as to how the system processes data, how files are handled, and why particular outputs are produced, it will be hard to defend results during a bank exam or security review.

Before a bank or payments organization adds AI into real workflows, the first question is not, Which model is best? The more fundamental one is, Can we prove what happened to data in any scenario?

This requires digging into:
• Where and how does the system run?
• What data can it access, and under which role-based permissions?
• What gets logged and retained, including prompts, outputs, and the sources the system relied on?
• If there is a problem later, can your team reconstruct who asked the question, what information the system pulled, and what it returned?

If you cannot answer those questions with transparency, detailed records, logs and documentation, you do not have a well governed system. You have a black box, meaning you have a non-transparent system.

A need for higher standards

This is a common problem with mainstream, general-purpose AI platforms designed for broad use across a variety of industries. Many are designed to run outside an institution's environment and to work across large datasets and training systems.

In a regulated setting, however, this inevitably creates unacceptable uncertainty and risk as to where processing is actually occurring, whether sensitive data stays under institutional control, and whether outputs can be traced to vetted, internal material only. Serious consequences can arise, including unauthorized third-party data exposure, legal liabilities and erosion of trust.

Many early deployments of these general-purpose AI platforms in financial services have centered on chat interfaces and pilots. These tools are proving useful, but they can also distract from the real danger. When AI is part of a highly regulated environment, it needs to meet higher standards for showing accuracy, traceability and consistent access enforcement.

A new approach

One new approach that the regulation-heavy financial industry can utilize to address these challenging questions is "on-prem AI." This model operates strictly within an organization's own environment, on premise, and is controlled by the same security architecture, regulations and policy practices that secure existing core systems.

Financial institutions can then be certain—and prove—that sensitive information stays inside the institution, is tracked, and never pulled out to train outside LLM models or reference unknown, unreliable sources.

Permissions control is the first hurdle. When an AI layer is privy to more data than personnel are, a governance gap has been created. A safer pattern is an AI operating layer that inherits existing role-based permissions and preserves the audit trails, so the system does not become a shortcut to restricted information.

If asked, internal reviewers can reconstruct who accessed what and when. Prompts and responses can be filed like records: logged, retained and linked to the sources that informed the responses.

Source control is another safeguard. Indexing and document management are crucial aspects for creating consistently correct responses. When content is limited to referencing only approved internal materials (procedures, manuals, product guides), users can be confident that outputs align with the institution's policies.

An efficient system will also update what materials it sources as they get revised.
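
The pattern described above (retrieval that inherits the caller's role-based permissions, draws only on approved internal material, and files each prompt and response with its sources) can be sketched as follows. This is an added example, not code from the article or from Go Abacus; the document set, role names, user names and function names are all constructed for illustration, and the model call is replaced by a stand-in.

```python
import json
from datetime import datetime, timezone

# Constructed sample corpus: each document carries the roles allowed to read it
# and an approval flag (only approved internal material may be cited).
DOCS = [
    {"id": "wire-procedure", "version": 3, "roles": {"ops", "compliance"}, "approved": True,
     "text": "Wire transfers above the limit require dual approval."},
    {"id": "sar-playbook", "version": 7, "roles": {"compliance"}, "approved": True,
     "text": "Suspicious wire activity is escalated to the BSA officer."},
    {"id": "draft-fee-memo", "version": 1, "roles": {"ops"}, "approved": False,
     "text": "Proposed wire fee changes, not yet approved."},
]
AUDIT_LOG = []  # append-only in this sketch; assumes durable storage in a real deployment


def retrieve(user_roles, prompt):
    """Return only approved documents that the caller's existing roles may read."""
    terms = set(prompt.lower().split())
    return [d for d in DOCS
            if d["approved"] and d["roles"] & user_roles
            and terms & set(d["text"].lower().rstrip(".").split())]


def ask(user, user_roles, prompt, now=None):
    """Answer from permitted sources and record who asked, what was pulled, what was returned."""
    sources = retrieve(set(user_roles), prompt)
    # Stand-in for the model call: the response is the retrieved text itself.
    response = " ".join(d["text"] for d in sources) or "No permitted source found."
    record = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user, "roles": sorted(user_roles), "prompt": prompt,
        # Document versions are logged so a review can tell which revision was cited.
        "sources": [{"id": d["id"], "version": d["version"]} for d in sources],
        "response": response,
    }
    AUDIT_LOG.append(json.dumps(record, sort_keys=True))  # refusals are logged too
    return response


def reconstruct(user):
    """Reviewer view: every question a user asked, with its sources and output."""
    return [r for r in map(json.loads, AUDIT_LOG) if r["user"] == user]
```

A reviewer calling `reconstruct("alice")` after `ask("alice", {"ops"}, "wire limits")` gets back the prompt, the single document and version she was permitted to see, and the response returned to her.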

