AI Risk: What Firms Should Worry About vs What They Shouldn’t

In 2026, adopting AI is no longer a question of if, but how. It is clear that AI offers significant benefits to almost every business. However, businesses operating in highly regulated industries like finance must adopt AI with more caution due to the significance of the potential risks involved.

The significance of these risks varies from one company to another, which is why a tailored assessment is critical for every firm. I have encountered several leaders who are hesitant to adopt AI because they focus too much on the risks. This often causes them to move too slowly or avoid AI adoption altogether.

While AI does carry real risks if it is poorly implemented or governed, some of these risks are often overstated. Today, I will discuss the risks firms should focus on and those that should not be heavily prioritised.

What Is AI Risk?

Before assessing different risks and determining where firms should focus their attention, it is important to understand what AI risk actually is.

AI risk refers to the potential for AI systems to cause harm to a firm through poor decision-making, data misuse, security gaps, compliance failures, or over-reliance on tools that are not well understood or properly governed.

When assessing AI risks, firms need to consider the impact and likelihood of these factors across their specific business context.

What Firms Should Worry About

Data exposure and leakage

Financial firms handle a lot of sensitive data, so one of the biggest AI risks for firms is how this data is handled. Employees may unintentionally include sensitive or regulated information in AI prompts, or data may be used to train models in ways the firm does not fully control.

Without clear rules on where data is stored, how it is processed, and who can access it, AI tools can easily become a source of data leakage and compliance breaches. Therefore, firms must treat data management as a major priority when choosing AI tools for their workflows. In some situations, using open-source AI tools that run on their own hardware may be the only viable option.

Access and identity risk

Just like other technology solutions, the use of AI tools requires effective identity and access management, which becomes a risk if not handled well. AI tools are only as secure as the identities that use them. Firms need to be clear about who is allowed to access AI systems and what actions they are permitted to take.

Over-privileged users, shared accounts, or poorly managed identities increase the risk of misuse, data exposure, and unauthorised decision-making. Strong identity and access controls are critical to reducing this risk. There should also be systems in place to monitor what different users use these AI tools for.

Model transparency and explainability

For regulatory purposes, firms need to be able to explain how decisions are made. Many AI models today operate as “black boxes,” making it difficult to understand or justify their outputs.

For instance, if an AI tool is used to determine who gets credit and who does not, there should be a clear decision-making protocol that the tool follows, and firms should be able to explain it to relevant parties whenever needed.

Not having clear explanations for decisions made by AI becomes a serious issue when AI tools are used in areas that affect customers, financial decisions, or compliance, as auditors and regulators often require transparency and accountability.

Third-party and vendor risk

AI is increasingly embedded into SaaS platforms and third-party tools. Platforms like Microsoft 365 and Google Workspace have several AI integrations aimed at making their products better. While this can improve productivity, it also introduces risk.

Firms often have limited visibility into how these vendors secure data, train models, or manage AI systems. Weak controls or poor practices at the vendor level can quickly become a direct risk to the business. As a result, firms need to assess both standalone AI tools and those integrated into other products, as both carry the same risks if not properly managed.

Operational misuse

Even well-designed AI systems can create risk if they are used incorrectly. As generative AI is a relatively new technology, many organisations may not have clear standards on how it should be used. Employees may rely on AI outside approved workflows, make decisions without proper oversight, or use unauthorised tools altogether.

This “shadow AI” creates blind spots for security, compliance, and risk teams, making it harder to manage and control how AI is actually used across the organisation. Even though the technology is new, it is crucial for organisations to have clear guidelines on how their teams use it in their workflows.

What Firms Shouldn’t Worry About (As Much)

AI replacing core staff overnight

As with any new revolutionary technology, there is a common fear that AI will quickly replace large parts of the workforce. While this is already happening at some companies, it is not a massive shift like it is made out to be - at least for now.

Most enterprise AI tools are designed to support and augment existing roles, not eliminate them. Generative AI has not yet reached a level of reliability where it can handle tasks independently without human oversight. This is especially true in the finance sector, where every decision is sensitive and could have serious consequences if things do not go as expected.

Perfect accuracy

AI does not need to be perfect to deliver value to an organisation. Expecting zero errors from any technology often leads firms to over-engineer solutions, increasing cost, complexity, and friction. The focus should be on whether AI improves outcomes compared to existing processes, not whether it eliminates every possible mistake.

Generative AI, in its current form, has several weaknesses, including hallucinations, lack of explainability, and unpredictability in some cases. That is why human oversight is crucial when using these tools. Organisations should also ensure their teams understand the limitations of AI before adoption, so it is used where it performs best.

Vendor Lock-in

Every AI company today is trying to make sure users do not switch to competing products. And yes, when users rely on a specific AI tool for a long time, it often delivers better results because it has learned more about them. For example, someone who has been using Microsoft Copilot for three years will usually get more personalised responses than if they switch to a different AI tool.

The good news is that most mainstream AI tools, including ChatGPT, allow users to export their conversations data. For tools that do not offer this directly, there are workarounds. So, if the time comes and you want to switch to another solution, it is generally possible to move with your data.

Best Practices for Managing AI Risk Practically

Here are some best practices that, if followed, can help financial firms navigate the risks of AI:

• Choose AI vendors carefully: With many AI companies all claiming to offer the best solution, firms must select one that aligns with their goals and meet compliance and regulatory requirements in their jurisdiction.

• Governance: Managing AI risk starts with governance, not technology. Firms should define clear policies on how AI can be used, who can use it, and for what purposes before deploying any tools.

• Strong identity controls and monitoring: Firms need visibility into who is interacting with AI systems and what data they can access. Monitoring AI usage helps teams identify and address inappropriate or risky use.

• Alignment with firm needs: AI use should align with existing risk, security, and compliance frameworks. Treating AI as a separate or special case often creates gaps.

• Long-term monitoring and review: Like any other critical business system, AI tools should be monitored, reviewed, tested, and improved over time.