Building a forward-looking AI compliance strategy

The paper proposes Continuous AI Compliance and Assurance (CAICA), a lifecycle-based approach that shifts compliance toward continuous, time-bound oversight aligned with evolving system behavior and principles-based regulation.

5/8/2024

Abstract

Artificial intelligence (AI) is increasingly embedded in compliance-critical processes within financial services. While AI enables significant efficiency and scalability gains, its probabilistic, data-dependent, and adaptive characteristics challenge established compliance and governance models that rely on static documentation, episodic validation, and durable approval decisions. These tensions are particularly pronounced under principles-based financial supervision, where institutions retain technological discretion but must continuously demonstrate organisational control, accountability, and auditability.

This paper examines why prevailing AI governance and model risk management frameworks remain structurally misaligned with the operational realities of adaptive AI systems in regulated financial institutions. Drawing on literature from AI governance, model risk management, and responsible AI, as well as regulatory guidance relevant to financial supervision, the paper identifies persistent governance gaps that arise not from the absence of controls, but from temporal mismatches between static compliance mechanisms and continuously evolving system behaviour.

To address this misalignment, the paper introduces Continuous AI Compliance and Assurance (CAICA), a lifecycle-oriented governance coordination model. Rather than proposing new ethical principles, regulatory categories, or technical controls, CAICA reorganises established governance elements around time, accountability, and system behaviour. It reconceptualises compliance as a continuously produced organisational capability by shifting from episodic validation to continuous assurance, replacing permanent approval with conditional, time-bound authorisation, embedding oversight and accountability into operational workflows, and governing AI systems as models-in-context-over-time.

Focusing on the Swiss and Liechtenstein financial context, the paper demonstrates how lifecycle-oriented compliance architectures align with principles-based supervision and organisational accountability doctrines. It further outlines how modular and proportionate governance designs can support both established financial institutions and resource-constrained FinTech firms in scaling AI responsibly. The paper contributes a conceptual governance logic that clarifies how compliance can be operationalised for adaptive AI systems without expanding regulatory scope, reframing continuous assurance as governance infrastructure rather than additional regulatory burden.

1. Introduction

1.1 Motivation

Artificial intelligence (AI) has transitioned from experimental deployment to becoming a structurally embedded component of compliance-critical processes in financial services. AI models and advanced analytics increasingly support activities such as customer onboarding, transaction monitoring, sanctions screening, customer due diligence, fraud detection, and credit and risk assessment (Barredo Arrieta et al., 2024; OECD, 2025; BIS, 2025). In these domains, AI systems promise substantial efficiency gains, improved detection capabilities, and the ability to process volumes and complexity of data that exceed traditional rule-based approaches (Brynjolfsson & McAfee, 2017; Bughin et al., 2018; Ankenbrand et al., 2023). Their adoption therefore raises governance challenges that extend beyond technical performance and into the core of organisational accountability and supervisory oversight.

While AI systems offer significant operational benefits, their probabilistic, data-dependent, and adaptive characteristics challenge established compliance and governance models (Gama et al., 2014; Lu et al., 2020). Unlike traditional deterministic systems, AI behaviour tends to evolve over time as data distributions shift, user interactions change, or models are retrained (Hinder et al., 2024; OECD, 2025). Prevailing approaches in financial services governance—rooted in static documentation, episodic validation, and binary approval decisions—implicitly assume bounded system behaviour and temporal stability. These assumptions are increasingly misaligned with AI systems, creating risks that conventional control frameworks struggle to address.

In practice, many organisations continue to approach AI adoption through fragmented initiatives: isolated pilots, technology-driven experimentation, or vendor-led deployments that lack integration into enterprise governance, risk management, and compliance structures (Bughin et al., 2018; Raji et al., 2020). This has resulted in a well-documented “pilot-to-production gap” (Ettinger, 2025; Batool et al., 2025; Weinberg, 2025; Sculley et al., 2015), where promising AI use cases fail to scale due to unresolved governance, data, and regulatory constraints (Van der Aalst, 2016; Shrestha et al., 2019). Such disconnects expose institutions to compliance risk, reputational harm, and supervisory intervention, particularly in regulated financial environments (FINMA, 2024; BIS, 2025).

This misalignment is particularly salient in jurisdictions characterised by principles-based supervision, such as Switzerland and Liechtenstein. Under such regimes, financial institutions retain significant technological discretion but are expected to align their governance, risk management and control systems with the materiality of the AI applications used, and to demonstrate effective and ongoing organisational control, auditability and accountability throughout the AI lifecycle rather than through a one-off compliance exercise (FINMA, 2024).

Supervisory guidance emphasises that risks associated with AI are not confined to design or deployment stages but require continuous identification, assessment, monitoring and mitigation as systems operate in practice (FINMA, 2024). Existing AI governance frameworks—including model risk management, ethical AI principles and emerging regulatory risk classifications—have advanced conceptual clarity regarding AI-related risks but remain predominantly oriented toward ex ante controls and point-in-time assessments. As a result, they provide limited guidance on how compliance can be operationalised as a continuous organisational capability for AI systems whose risk profile evolves throughout their lifecycle (Kurshan et al., 2025).

Against this backdrop, this paper emerges from the practical necessity faced by Technical Product Owners and compliance professionals in financial services, where increasing business interest in AI-driven initiatives encounters the absence of structured operational frameworks to assess suitability, governance, and ongoing compliance (Davenport & Ronanki, 2018; Ansari, 2022). Rather than proposing new ethical principles or regulatory categories, the paper advances a governance coordination model—Continuous AI Compliance and Assurance (CAICA)—that reorganises established governance elements around the temporal dynamics of AI systems in operation. The focus is on embedding compliance into everyday operational workflows, enabling institutions to demonstrate ongoing control while preserving innovation capacity.

1.2 The Problem of AI Governance in Regulated Financial Services

AI systems differ fundamentally from traditional IT and analytical tools in ways that are directly relevant to regulatory oversight. First, many advanced models operate with limited transparency, making it difficult to explain or reconstruct individual decisions (Burrell, 2016; Doshi-Velez & Kim, 2017). In financial services, where explainability, auditability, and the ability to justify decisions are core regulatory expectations, this opacity creates immediate governance challenges (Basel Committee on Banking Supervision, 2022; FINMA, 2024).

Second, AI systems are highly sensitive to their data environments. Changes in customer behaviour, market conditions, or upstream data quality can lead to model drift, degraded performance, or unintended bias (Widmer & Kubat, 1996; Gama et al., 2014; Lu et al., 2020). Without continuous monitoring and recalibration, models that were once compliant and reliable may silently become misaligned with regulatory requirements or organisational risk appetite (Breck et al., 2017; Amershi et al., 2019; Hinder et al., 2024).

Third, accountability for AI-supported decisions is often diffuse. Responsibilities are distributed across business owners, data scientists, IT teams, compliance functions, and external vendors (Batool et al., 2025). In the absence of clear governance structures, this fragmentation can undermine effective oversight and complicate supervisory scrutiny. Regulators, however, continue to hold institutions fully accountable for the outcomes of automated decision-making, regardless of technical complexity or outsourcing arrangements (FINMA, 2018; FINMA, 2024).

Fourth, the growing salience of technological risks—including misinformation, cyber insecurity, and adverse outcomes arising from artificial intelligence—necessitates risk management frameworks that more fully integrate technology governance within compliance and oversight functions (WEF, 2026). Governance models grounded in static controls, periodic audits, and episodic assurance are increasingly misaligned with the adaptive and rapidly evolving nature of contemporary digital systems. For such technologies, effective risk mitigation requires continuous monitoring mechanisms and operational assurance processes capable of detecting, interpreting, and responding to emergent risks in real time.

Traditional compliance and model governance frameworks, designed for static models and rule-based systems, are ill-suited to these dynamics. Periodic validation, documentation-centric controls, and ex post audits do not provide sufficient assurance for systems that learn, adapt, and operate continuously (Board of Governors of the Federal Reserve System, 2011; Power, 2007; OECD, 2025). As a result, organisations require governance approaches that recognise AI as a dynamic socio-technical system rather than a one-off technological artefact (Taeihagh, 2025; Kolt et al., 2025; Orlikowski & Iacono, 2001).

1.3 From Compliance Constraint to Innovation Enabler

While AI governance is often framed as a constraint on innovation, this paper adopts a different perspective. Effective compliance, when embedded throughout the AI lifecycle, can function as an enabler of responsible and scalable innovation (Porter & Kramer, 2006; Floridi et al., 2018). Lifecycle-oriented governance provides the structural conditions under which AI systems can be deployed with confidence, enabling organisations to experiment, learn, and scale while maintaining regulatory alignment and stakeholder trust (Shrestha et al., 2019; OECD, 2025).

This shift requires reframing compliance from a retrospective verification activity into an operational capability. Rather than asking whether an AI system was compliant at the moment of deployment, institutions must be able to demonstrate that it remains compliant, explainable, and appropriately controlled throughout its operational life (Raji et al., 2020; ISO/IEC, 2023). This implies continuous monitoring, clear escalation mechanisms, meaningful human oversight, and robust auditability (Breck et al., 2017; Amershi et al., 2019; Floridi et al., 2018).

Such an approach aligns closely with emerging regulatory expectations. Swiss supervisory practice and international frameworks increasingly emphasise organisational responsibility, ongoing risk management, and demonstrable control effectiveness over time (FINMA, 2024; NIST, 2023; BIS, 2025). In this context, compliance is not antithetical to innovation; it is a prerequisite for deploying AI systems at scale in regulated environments.

1.4 Contribution and Approach

This paper proposes a forward-looking, lifecycle-oriented approach to AI compliance governance centred on the concept of Continuous AI Compliance and Assurance (CAICA). CAICA integrates governance, risk management, and operational controls across the full AI lifecycle—from use-case selection and system design to deployment, monitoring, and adaptation—reframing compliance as a continuous organisational capability rather than a point-in-time checkpoint (Raji et al., 2020; ISO/IEC, 2023; OECD, 2025).

The paper makes three primary contributions to the literature on AI governance in regulated financial services. First, it develops a lifecycle-oriented AI compliance architecture that explains why compliance failures in AI-enabled financial systems tend to emerge over time rather than at the moment of deployment. By synthesising insights from model risk management, AI governance, and organisational theory, the paper conceptualises AI systems as dynamic socio-technical systems whose risk profile evolves throughout their operational lifecycle (Gama et al., 2014; Hinder et al., 2024).

Second, the paper introduces CAICA as a governance coordination model that integrates regulatory accountability, operational workflows, and technical monitoring into a single assurance architecture. Unlike existing approaches that rely primarily on episodic validation or abstract principles, CAICA operationalises compliance through continuous monitoring, conditional authorisation, and lifecycle accountability, supported by operational evidence generated during system use.

Third, the paper situates this governance approach within the Swiss and Liechtenstein regulatory context, interpreting supervisory expectations and emerging international AI regulation through the lens of continuous compliance and proportionality. It demonstrates how modular governance architectures can support both large financial institutions and resource-constrained FinTech firms operating under principles-based supervision (FINMA, 2024; Basel Committee on Banking Supervision, 2023; European Union, 2024a).

Methodologically, the paper adopts a conceptual and design-oriented governance perspective. CAICA is positioned as a conceptual and operational framework rather than a predictive or explanatory theory. The contribution lies in synthesising regulatory requirements, academic insights, and observed governance patterns into a coherent and implementable architecture. The illustrative case material supports analytical clarity rather than empirical generalisation, and the framework is designed to be testable through future empirical research examining AI governance effectiveness across institutions and use cases.

Within the broader AI governance literature, the paper addresses a persistent implementation gap between high-level ethical principles, regulatory expectations, and day-to-day organisational practice (Batool et al., 2025; Ribeiro et al., 2025). By reframing compliance as a continuous lifecycle capability, CAICA extends existing work on Responsible AI and model governance toward a more operationally grounded and scalable approach for highly regulated financial environments, particularly for medium- and low-capacity actors.

1.5 Research Problem and Guiding Questions

Existing AI governance approaches in financial services address important dimensions of risk, including model validity, ethical principles, and operational reliability. However, their underlying governance logic remains largely static and episodic, reflecting assumptions that do not hold for adaptive, data-dependent systems whose risk profile evolves continuously over time.

Against this backdrop, this paper is guided by two analytical questions. First, how can continuous compliance mechanisms mitigate governance failures in adaptive AI systems operating under principles-based financial supervision? Second, which governance gaps remain unresolved by existing AI risk frameworks when applied to regulated financial institutions deploying AI in compliance-critical functions?

Rather than testing causal hypotheses, the paper adopts a design-oriented governance perspective. It synthesises regulatory expectations, academic literature, and practitioner experience to develop a lifecycle-oriented compliance architecture that addresses these questions at the level of organisational capability and governance design.

1.6 The Swiss and Liechtenstein Context

Switzerland and Liechtenstein provide a particularly relevant setting for examining lifecycle-oriented AI governance. Financial market supervision in these jurisdictions is characterised by principles-based regulation, strong emphasis on organisational adequacy, and a high degree of institutional accountability (FINMA, 2024; Gasser & Schmitt, 2019). Rather than prescribing specific technologies, supervisors focus on whether institutions can demonstrate effective risk management, governance, and control systems (FINMA, 2018).

This regulatory philosophy creates both opportunity and responsibility. On the one hand, it enables innovation by avoiding technology-specific prohibitions. On the other hand, it places the burden of proof squarely on institutions to show that AI-driven processes are explainable, auditable, and effectively controlled over time (FINMA, 2024). In such an environment, static or ad hoc compliance approaches are insufficient.

At the same time, the Swiss and Liechtenstein financial ecosystem benefits from a dense network of research institutions, FinTech innovators, and collaborative industry platforms. These conditions are conducive to the development of modular, reusable governance components that support trustworthy AI adoption across institutions of varying size and maturity (Ankenbrand et al., 2023).

1.7 Positioning of CAICA within AI Governance Approaches

This section positions Continuous AI Compliance and Assurance (CAICA) relative to existing governance approaches in regulated financial services. It contrasts CAICA with traditional model risk management frameworks, emerging regulatory risk classification regimes such as the EU Artificial Intelligence Act (European Union, 2024b), and established Responsible AI frameworks (Joshi, 2025). The section further illustrates the practical implications of these differences through a short case example. The objective is not merely to describe how CAICA differs from existing approaches, but to explain why these differences matter for governing AI systems whose risk profile evolves over time in compliance-critical environments.

Existing governance and assurance frameworks in financial services—including operational risk and internal control frameworks—are primarily designed to manage risks arising from process failures, human error, and system breakdowns within relatively stable operational settings. While these frameworks remain essential for AI-enabled processes, they implicitly assume bounded system behaviour and temporal stability. Adaptive AI systems challenge these assumptions: their behaviour tends to change continuously as a function of data drift, retraining, and evolving operational context (Kurshan et al., 2025; Nwachukwu et al., 2025; Paz, 2025).

CAICA complements rather than replaces operational risk and assurance frameworks by explicitly addressing risk emergence over time, rather than focusing solely on risk occurrence within fixed processes. By embedding continuous monitoring, conditional authorisation, and lifecycle accountability into the operation of AI systems, CAICA provides a governance architecture that aligns more closely with the dynamic nature of AI-driven risk in regulated financial services.

CAICA builds on existing lifecycle-oriented governance frameworks (Batool et al., 2025; Agarwal & Nene, 2025) and continuous monitoring approaches (Thorne et al., 2025; Hinder et al., 2024), but introduces operational innovations—conditional, time-bound authorisation and the ‘model-in-context-over-time’ perspective—to embed accountability directly into workflows.

The framework does not claim to eliminate governance trade-offs between innovation, control, and human oversight; rather, it seeks to render these trade-offs explicit and governable.

1.7.1 CAICA and Traditional Model Risk Management (MRM)

Traditional model risk management (MRM) frameworks (Sudjianto & Zhang, 2024), as reflected in supervisory guidance such as SR 11-7 and related Basel principles, were designed primarily for static or slowly evolving quantitative models used in areas such as credit risk, market risk, and capital adequacy (Board of Governors of the Federal Reserve System, 2011; Basel Committee on Banking Supervision, 2023). These frameworks emphasise ex ante validation, documentation, independent review, and periodic revalidation cycles.

While MRM provides a strong foundation for accountability and control, its underlying assumptions are increasingly misaligned with the characteristics of modern AI systems. Machine learning models are probabilistic, data-dependent, and subject to ongoing behavioural change through drift, retraining, or evolving data environments (Gama et al., 2014; Amershi et al., 2019). As a result, compliance risks often emerge between validation cycles rather than at discrete approval points.

CAICA extends rather than replaces traditional MRM by reframing compliance as a continuous operational capability. Instead of relying primarily on periodic validation and documentation, CAICA embeds monitoring, explainability, and escalation mechanisms throughout the AI lifecycle. This allows institutions to detect and address compliance-relevant deviations as they occur, rather than retrospectively. In this sense, CAICA can be understood as an evolution of MRM that preserves its accountability logic while adapting it to the dynamic risk profile of AI-driven systems.

1.7.2 CAICA and the EU AI Act Risk Classification

The EU Artificial Intelligence Act (European Union, 2024b) introduces a horizontal, risk-based regulatory framework that classifies AI systems into categories such as prohibited, high-risk, limited-risk, and minimal-risk, with corresponding obligations for governance, documentation, and oversight. This classification-based approach represents a significant advance in regulatory clarity and has influenced supervisory expectations beyond the EU, including in Switzerland and Liechtenstein.

However, the EU AI Act primarily operates as a static ex ante classification regime. Once a system is designated as high-risk, a predefined set of obligations applies, regardless of how the system’s behaviour, context, or operational use evolves over time. While post-market monitoring is required for high-risk systems, the Act provides limited guidance on how continuous compliance should be operationalised within organisations (Teichmann, 2026).

CAICA complements risk classification approaches by translating regulatory categories into lifecycle-oriented governance mechanisms. Rather than treating risk classification as an end point, CAICA uses it as an input into proportional governance design, determining monitoring intensity, human oversight requirements, and escalation thresholds. In this way, CAICA can also support conformity assessment and post-market monitoring obligations under the EU Artificial Intelligence Act (European Union, 2024b) by providing a structured, auditable governance backbone for high-risk AI systems. In doing so, CAICA addresses a key implementation gap between regulatory intent and operational practice (Kim et al., 2025; Agarwal et al., 2025).

1.7.3 CAICA and Responsible AI Frameworks

Responsible AI frameworks developed by international organisations, industry groups, and academic initiatives commonly emphasise normative principles such as fairness, transparency, accountability, robustness, and human-centricity (Floridi et al., 2018; Jobin et al., 2019; OECD, 2025). These frameworks play an important role in articulating societal expectations and ethical guardrails for the development and deployment of AI systems.

However, Responsible AI principles are typically articulated at a high level of abstraction and provide limited guidance on how ethical requirements should be embedded into concrete organisational processes, technical controls, and compliance workflows (Mökander & Floridi, 2021). In practice, this creates a well-documented implementation gap: institutions tend to formally endorse Responsible AI principles while lacking the operational capabilities required to enforce them consistently across AI systems, particularly in complex and regulated environments.

In regulated financial services, the central governance challenge is therefore not the articulation of ethical principles, but their continuous enforcement under operational conditions. CAICA addresses this implementation gap by translating Responsible AI principles into lifecycle-embedded assurance mechanisms that link ethical intent to organisational accountability and technical operation (Ribeiro et al., 2025; Manic et al., 2025).

Building on Responsible AI’s normative foundations, CAICA shifts the focus from ethical aspiration to operational assurance. Ethical and regulatory requirements are instantiated through specific governance components, lifecycle checkpoints, and continuous monitoring mechanisms embedded within the AI delivery pipeline. By doing so, CAICA reduces the risk of “ethics washing” and enables institutions to demonstrate—internally and to supervisors—how high-level principles are realised and sustained in day-to-day decision-making (Ribeiro et al., 2025; Manic et al., 2025).

1.7.4 Illustrative Case Example

To illustrate the practical implications of CAICA, consider a mid-sized Swiss financial institution deploying a machine learning model to support transaction monitoring in its AML function. Under a traditional MRM approach, the model is validated prior to deployment, approved by a model governance committee, and scheduled for annual revalidation. Performance metrics are reviewed periodically, but operational monitoring is limited (Sudjianto & Zhang, 2024; Wolfsberg Group, 2025; AITE Group, 2021).

Following deployment, changes in transaction patterns and customer behaviour gradually reduce the model’s detection accuracy. Because performance degradation occurs incrementally and outside scheduled review cycles, the issue remains undetected until supervisory inquiries highlight anomalies in reporting outcomes.

Applying CAICA, the same use case would be subject to continuous performance and drift monitoring aligned with its high compliance criticality. Explainability tools and decision logs enable compliance officers to trace alerts and assess model behaviour in real time. Predefined thresholds trigger escalation to human oversight when performance deviates from expected parameters. As a result, corrective action is initiated before regulatory expectations are breached.

This example demonstrates how CAICA transforms compliance from reactive remediation into proactive assurance, reducing both regulatory risk and operational uncertainty. A detailed illustrative case study is presented in the Appendix.
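The following is an added illustration of the case above, written for this edition and not code from the paper or from any institution it describes. It reduces three CAICA elements to working code: a drift check that compares the model's current alert-score distribution with its validation-time baseline using the Population Stability Index (PSI), a conditional, time-bound authorisation that lapses unless renewed, and a hash-chained decision log so that every monitoring outcome can be reconstructed later by a compliance officer or auditor. The model name, dates, score samples and monthly drift are constructed for the example, and the 0.10/0.25 warn/escalate cut-offs are common industry rules of thumb for PSI rather than values taken from the paper.

```python
"""Added illustration for the AML transaction-monitoring case (not from the paper).

Constructed scenario: alert scores in [0, 1] drift a little each month after
deployment; the assurance loop checks authorisation validity, then drift, and
records every decision in an append-only, hash-chained log.
"""
import hashlib
import json
import math
import random
from dataclasses import dataclass
from datetime import date, timedelta

NUM_BINS = 5    # equal-width bins over the score range [0, 1]
FLOOR = 1e-4    # keeps an empty bin from producing log(0)


def histogram(scores):
    """Share of scores in each equal-width bin, floored at FLOOR."""
    counts = [0] * NUM_BINS
    for s in scores:
        counts[min(int(s * NUM_BINS), NUM_BINS - 1)] += 1
    return [max(c / len(scores), FLOOR) for c in counts]


def psi(baseline, current):
    """Population Stability Index between two score samples (0 = identical)."""
    return sum((c - b) * math.log(c / b)
               for b, c in zip(histogram(baseline), histogram(current)))


@dataclass(frozen=True)
class Authorisation:
    """Conditional, time-bound authorisation to operate a model (assumed fields)."""
    model_id: str
    granted: date
    expires: date
    psi_warn: float
    psi_escalate: float

    def valid_on(self, day):
        return self.granted <= day < self.expires


class DecisionLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True, default=str)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def verify(self):
        """True unless an entry was altered, inserted or removed after the fact."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def assess_window(auth, baseline, window, day, log):
    """One monitoring cycle: authorisation first, then drift; log the outcome."""
    value = psi(baseline, window)
    if not auth.valid_on(day):
        decision = "SUSPEND"     # authorisation lapsed: re-authorisation needed
    elif value >= auth.psi_escalate:
        decision = "ESCALATE"    # outside the authorised envelope: human review
    elif value >= auth.psi_warn:
        decision = "WARN"        # drift observed: bring the next review forward
    else:
        decision = "OK"
    log.append({"model": auth.model_id, "day": day,
                "psi": round(value, 4), "decision": decision})
    return decision, value


def simulate(seed=7):
    """Constructed eight-month run with a six-month authorisation."""
    rng = random.Random(seed)
    baseline = [rng.betavariate(2, 5) for _ in range(5000)]   # validation-time scores
    auth = Authorisation("aml-tm-v3", date(2025, 1, 1), date(2025, 7, 1),
                         psi_warn=0.10, psi_escalate=0.25)
    log = DecisionLog()
    results = []
    for month in range(8):
        day = date(2025, 1, 1) + timedelta(days=30 * month)
        window = [rng.betavariate(2 + 0.4 * month, 5) for _ in range(2000)]
        results.append(assess_window(auth, baseline, window, day, log))
    return results, log


if __name__ == "__main__":
    _, log = simulate()
    for e in log.entries:
        r = e["record"]
        print(r["day"], f"PSI={r['psi']:.3f}", r["decision"])
    print("log intact:", log.verify())
```

Two design choices carry the governance point. The authorisation check runs before the drift check, so a model whose approval has lapsed is suspended even if its statistics look healthy, which is what conditional, time-bound authorisation means in practice. And the log verifies itself from a fixed genesis value, so a later edit to any single entry, including a silent change to a recorded PSI value or decision, is detectable without trusting the system that wrote it.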

1.7.5 The Distinguishing Feature of CAICA

The distinguishing feature of CAICA is not that it introduces new ethical principles or regulatory categories, but that it integrates existing requirements into a coherent, lifecycle-oriented governance capability. Compared to traditional MRM, CAICA better reflects the dynamic risk profile of AI systems (Sudjianto & Zhang, 2024). Compared to regulatory classification regimes, it offers a concrete operationalisation of proportionality and ongoing compliance. Compared to Responsible AI frameworks, it provides enforceable mechanisms rather than aspirational guidance.

By embedding compliance into the AI lifecycle, CAICA aligns innovation incentives with regulatory accountability. This integration enables institutions to scale AI use responsibly, reduces the likelihood of supervisory intervention, and supports sustained trust in AI-supported financial processes. In this sense, CAICA functions not merely as an alternative governance framework, but as an enabling infrastructure for responsible AI adoption in regulated financial environments.

1.7.6 What CAICA Adds Beyond Existing AI Governance Frameworks

While Continuous AI Compliance and Assurance (CAICA) draws on established elements of model risk management, DevOps/MLOps practices, and Responsible AI frameworks (Joshi, 2025), it is not reducible to their combination. CAICA introduces a qualitatively different governance logic by reframing compliance as a continuous, lifecycle-spanning organisational capability rather than a set of episodic controls, technical practices, or normative principles. Its contribution lies not in adding new ethical requirements or validation techniques, but in integrating regulatory accountability, operational workflows, and technical monitoring into a single assurance architecture that remains effective under conditions of model adaptivity and regulatory scrutiny.

1.8 Structure of the Paper

The remainder of the paper is structured as follows. Section 2 reviews the academic literature and regulatory landscape on AI adoption and governance in financial services, highlighting persistent gaps in current compliance approaches. Section 3 identifies the core technical, regulatory, and ethical risks associated with AI systems, motivating the adoption of lifecycle-oriented governance. Section 4 develops a modular AI compliance framework that integrates governance structures, data controls, explainability, and human oversight. Section 5 illustrates how this framework can be operationalised through a structured AI delivery pipeline and the CAICA model. Section 6 contrasts CAICA with existing AI governance approaches, and Section 7 discusses the framework’s limitations and unresolved tensions.

2. Literature Review and Regulatory Landscape

2.1 AI Adoption in Financial Services

The adoption of artificial intelligence in financial services has accelerated markedly over the past decade, driven by advances in machine learning, increased data availability, and declining computational costs (Brynjolfsson & McAfee, 2017; Bughin et al., 2018; OECD, 2025). Financial institutions increasingly deploy AI systems in compliance-critical and decision-intensive functions, including customer due diligence, transaction monitoring, fraud detection, sanctions screening, credit scoring, and risk management (FATF, 2021; BIS, 2025).

Academic and practitioner literature consistently highlights the potential of AI to outperform traditional rule-based systems in detecting complex patterns, reducing false positives, and improving operational efficiency (Ankenbrand et al., 2023; Barredo Arrieta et al., 2024). In compliance contexts, AI-driven approaches are particularly attractive due to their ability to process high volumes of transactions and adapt to evolving typologies of financial crime (FATF, 2021).

Empirical and review studies indicate that AI adoption in financial services is often uneven and heterogeneous, with significant variation across use cases, institutional readiness, and governance maturity. Systematic reviews highlight persistent gaps in standardised implementation and governance frameworks for AI in finance, even as pilot projects proliferate. Industry surveys further show that many initiatives stall in early deployment stages, and only a minority achieve stable, production-grade operations integrated with robust risk and compliance frameworks (Vuković et al., 2025; Gartner, 2025; McKinsey, 2025; Yuniawan et al., 2025; Aldasoro et al., 2025).

2.2 Characteristics of AI Systems Relevant to Governance

A central theme in the AI governance literature is that machine learning systems differ fundamentally from traditional information systems in ways that are directly relevant to regulatory oversight (Orlikowski & Iacono, 2001; Amershi et al., 2019). Unlike deterministic software, AI models are probabilistic, data-driven, and often adaptive, with performance and behaviour contingent on training data, feature engineering, and ongoing data inputs (Gama et al., 2014; Lu et al., 2020).

One widely discussed challenge concerns opacity and explainability. Many high-performing models, particularly ensemble methods and deep learning architectures, function as “black boxes,” making it difficult to explain individual predictions or reconstruct decision logic (Burrell, 2016; Doshi-Velez & Kim, 2017). In regulated financial services, this opacity conflicts with legal and supervisory expectations regarding transparency, auditability, and the ability to justify decisions affecting customers and counterparties (Basel Committee on Banking Supervision, 2022; FINMA, 2024).

A second characteristic concerns temporal instability. AI systems are vulnerable to concept drift, data drift, and performance degradation as underlying data distributions change over time (Kustitskaya et al., 2025; Fernández-Narro et al., 2025; Gama et al., 2014; Widmer & Kubat, 1996). In financial contexts, changes in customer behaviour, market dynamics, or regulatory thresholds can materially affect model outputs. Without continuous monitoring and recalibration, models that initially perform well may become inaccurate, biased, or non-compliant (Breck et al., 2017; Amershi et al., 2019; Hinder et al., 2024).

Third, AI systems are embedded in complex socio-technical arrangements. Their outcomes depend not only on algorithms and data, but also on organisational processes, human decision-makers, and external vendors (Batool et al., 2025). This embeddedness complicates accountability, as responsibility for AI-supported decisions is often distributed across multiple roles and functions.

These characteristics challenge governance approaches that treat models as static artefacts subject to one-off validation or periodic review (Basir, 2025).

2.3 Existing Approaches to AI Governance

In response to the challenges posed by adaptive and high-stakes AI systems, a growing body of literature has proposed frameworks for AI governance, ethics, and responsible deployment. At a high level, these approaches emphasise normative principles such as fairness, transparency, accountability, robustness, and human oversight (Floridi et al., 2018; Jobin et al., 2019; OECD, 2025). Several organisational governance structures have been suggested to operationalise these principles, including ethics boards, AI councils, and cross-functional oversight bodies (Mökander & Floridi, 2021; Batool et al., 2025). Technical mechanisms, such as explainable AI techniques, bias detection tools, and model documentation practices, are similarly highlighted as enablers of responsible deployment (Doshi-Velez & Kim, 2017; Barredo Arrieta et al., 2024).

Critical perspectives have, however, increasingly highlighted the limitations of these frameworks. Responsible AI principles, while conceptually robust, often remain highly abstract and aspirational, offering limited guidance on how ethical requirements should be translated into operational processes (Mökander & Floridi, 2021; Raji et al., 2020). This abstraction can result in “ethics washing,” where organisations formally endorse principles but fail to integrate them into daily decision-making or compliance workflows (Raji et al., 2020). Moreover, the alignment between ethical principles and regulatory compliance is not always straightforward: for example, pursuing fairness or robustness in model outputs may conflict with efficiency or timeliness requirements in compliance-critical processes (Barredo Arrieta et al., 2024; Jobin et al., 2019). These tensions suggest that high-level guidance alone is insufficient for institutions aiming to demonstrate operational accountability under regulatory scrutiny.

Within financial services, governance discussions often extend traditional model risk management (MRM) and internal control frameworks to cover machine learning systems (Board of Governors of the Federal Reserve System, 2011; Basel Committee on Banking Supervision, 2023). While these extensions are a crucial step toward operational oversight, they retain a predominantly episodic, validation-centric logic, assuming models remain relatively static and bounded. This misalignment is particularly salient for adaptive AI systems, whose behaviour evolves continuously due to data drift, retraining, or changing operational contexts (Gama et al., 2014; Amershi et al., 2019; Breck et al., 2017). As such, episodic validation and point-in-time approvals may fail to detect compliance-relevant deviations until they manifest in operational or supervisory incidents.

Recent industry-focused literature has emphasised end-to-end AI lifecycle management, integrating development, deployment, and monitoring processes (Breck et al., 2017; Amershi et al., 2019; Thorne et al., 2025). While these approaches address engineering and operational concerns, they often underemphasise regulatory compliance, proportionality, and supervisory accountability, which are critical in highly regulated environments. Additionally, smaller institutions and FinTechs face resource constraints that limit the operationalisation of these lifecycle-oriented practices (Finch & Butt, 2025; Vuković et al., 2025). The resulting asymmetries highlight that many frameworks implicitly assume organisational capacities that are not universally present, leaving low-capacity actors vulnerable to governance failures.

Another important critique concerns the fragmentation of responsibility. AI governance is frequently distributed across business, IT, risk, and compliance functions, and external vendors, creating potential gaps in accountability and escalation pathways (Batool et al., 2025; Finch & Butt, 2025). Supervisory expectations, however, continue to hold institutions fully accountable for AI-driven outcomes, regardless of the internal complexity or outsourcing arrangements (FINMA, 2018; FINMA, 2024). This tension underscores the need for governance approaches that integrate accountability, monitoring, and operational controls across the AI lifecycle rather than relying solely on high-level principles or episodic checks.

Taken together, these critiques suggest that while existing frameworks provide valuable guidance and a foundation for responsible AI governance, persistent gaps remain in operationalisation, continuous assurance, and alignment with regulatory obligations. They tend to focus either on abstract principles (Responsible AI) or on static, validation-centric controls (MRM), leaving adaptive AI systems insufficiently covered. These limitations motivate the development of lifecycle-oriented governance architectures, such as Continuous AI Compliance and Assurance (CAICA), which embed proportional, end-to-end compliance mechanisms directly into AI operational workflows, reconciling ethical, technical, and regulatory requirements in practice.

2.4 Regulatory Expectations for AI in Financial Services

Regulators and standard-setting bodies have increasingly addressed the risks associated with AI systems, particularly in high-stakes and regulated domains. International organisations such as the OECD, the Basel Committee on Banking Supervision, and the BIS have issued guidance emphasising the need for sound governance, risk management, and human oversight of AI-driven processes (OECD, 2025; Basel Committee on Banking Supervision, 2023; BIS, 2025).

In Switzerland, financial market supervision is characterised by principles-based regulation and a strong emphasis on organisational adequacy. FINMA does not prescribe specific technologies but requires institutions to demonstrate that they maintain effective governance, risk management, and internal control systems commensurate with their activities and risk profile (FINMA, 2018; FINMA, 2024). This includes outsourced and automated processes, for which institutions remain fully accountable.

Judicial decisions by the Swiss Federal Supreme Court reinforce a substance-over-form approach to regulatory accountability, holding that supervised persons remain responsible for regulated outcomes even where activities are embedded in complex organisational or transactional structures (Federal Supreme Court, 2C_571/2018, E. 5.1–5.3). While not addressing automated decision-making as such, this jurisprudence confirms that reliance on intermediaries, technical arrangements, or internal complexity does not attenuate supervisory responsibility.

From a governance perspective, this logic underscores the need for demonstrable control, oversight, and auditability over AI-supported processes (FINMA, 2018; FINMA, 2024). At the international level, emerging regulatory initiatives such as the EU Artificial Intelligence Act further signal a shift toward lifecycle-oriented oversight, particularly for high-risk AI systems. Although Switzerland is not directly subject to EU regulation, these developments influence supervisory expectations and market practices, especially for institutions operating cross-border (OECD, 2025).

2.5 Limitations of Existing Compliance and Governance Frameworks

Despite increasing regulatory and organisational awareness of AI-related risks, prevailing compliance and governance frameworks exhibit structural limitations when applied to AI systems in financial services. First, many frameworks remain predominantly documentation-centric, emphasising policies, model documentation, and ex ante approval processes rather than mechanisms for continuous assurance of operational behaviour in live environments (Power, 2007; ISO/IEC, 2023; Finch, 2025; Batool et al., 2025). While such artefacts are necessary for accountability and auditability, they provide limited visibility into how AI systems evolve, interact with their context, or generate outcomes over time.

Second, governance approaches frequently rely on periodic validation and review cycles that are poorly aligned with the dynamic and adaptive characteristics of many AI systems. Although periodic validation is appropriate for relatively static models, it offers limited protection against performance drift, data quality degradation, and emergent behaviours in continuously operating or learning systems (Gama et al., 2014; Breck et al., 2017). As a result, material risks tend to accumulate between review cycles, remaining undetected until they manifest in adverse outcomes or supervisory findings.

Third, responsibility for AI governance is often distributed across organisational silos, with compliance, risk management, information technology, and business functions each addressing discrete aspects of the AI lifecycle. In the absence of an integrated, end-to-end governance model, this fragmentation can obscure accountability, weaken escalation pathways, and create blind spots at the interfaces between development, deployment, and operation (Weill & Ross, 2004).

Taken together, these limitations mean that institutions may achieve formal compliance with governance requirements while lacking effective capabilities to monitor, interpret, and intervene in AI system behaviour in real time. This disconnect between documented controls and operational assurance risks creating a false sense of security, thereby increasing exposure to supervisory, operational, and reputational risks as AI systems become more embedded in critical financial processes.

2.6 Research Gap and Implications

Recent literature has provided valuable diagnoses of structural shortcomings in AI governance frameworks, particularly with respect to their suitability for low-capacity actors and the emergence of compliance asymmetries within complex regulatory ecosystems. Finch and Butt (2025), for example, offer a comprehensive review of complementary AI governance frameworks and demonstrate how existing approaches often presuppose organisational capacities that smaller institutions and FinTech firms do not possess. Their analysis highlights important structural gaps between regulatory ambition and operational feasibility.

This paper builds on, but departs from, such diagnostic contributions in two key respects. First, rather than further cataloguing governance gaps, it shifts analytical focus toward the temporal dynamics through which these gaps materialise in practice—specifically, the misalignment between static compliance mechanisms and adaptive AI system behaviour. Second, the paper advances an operational governance architecture that translates high-level regulatory expectations into continuous assurance mechanisms embedded within AI delivery and operational workflows.

In this sense, CAICA does not seek to replace existing governance frameworks or resolve all capacity constraints identified in the literature. Instead, it offers a complementary approach that reduces governance fragility by embedding proportional, lifecycle-oriented compliance mechanisms into everyday system operation, thereby mitigating some of the structural asymmetries identified by Finch and Butt (2025) without assuming idealised organisational conditions.

Addressing this gap requires a governance approach that is lifecycle-oriented, modular, and proportionate, embedding compliance and assurance mechanisms directly into AI development and operation. The following sections build on this insight by mapping the core risks associated with AI systems (Section 3) and developing a modular framework for Continuous AI Compliance and Assurance (Sections 4 and 5).

3. Mapping AI Risks in Regulated Financial Services

3.1 Why AI Risk Must Be Addressed Across the Lifecycle

Risk management in financial services has traditionally focused on identifying, measuring, and controlling risks at discrete points in time. This approach aligns well with deterministic systems and relatively stable analytical models. AI systems, however, challenge this logic. Their behaviour and risk profile evolve throughout their lifecycle—from design and training to deployment, operation, and ongoing adaptation—making point-in-time assessments insufficient (Gama et al., 2014; Amershi et al., 2019; OECD, 2025).

Academic literature and regulatory guidance increasingly emphasise that AI risks are not confined to model development or initial validation, but emerge continuously as systems interact with changing data, users, and organisational processes (Breck et al., 2017; Raji et al., 2020; Hinder et al., 2024). As a result, effective governance requires a shift from episodic controls toward continuous risk identification, monitoring, and response.

This section develops a structured mapping of AI risks relevant to regulated financial services. Rather than cataloguing all possible AI-related risks, it focuses on those dimensions that directly affect regulatory compliance, accountability, and supervisory expectations. These risks are analytically distinct but interrelated, reinforcing the need for an integrated, lifecycle-oriented governance approach.

3.2 Opacity, Explainability, and Auditability

One of the most widely discussed risks associated with AI systems concerns their limited transparency. Many machine learning models, particularly complex ensemble methods and deep neural networks, do not readily expose interpretable decision logic (Burrell, 2016; Doshi-Velez & Kim, 2017; Miller, 2019). This opacity poses significant challenges in financial services, where institutions must be able to explain and justify decisions to customers, auditors, and supervisors (Basel Committee on Banking Supervision, 2022; FINMA, 2024).

Explainability is not solely a technical issue but a governance concern. Even where post hoc explanation techniques are available, institutions must determine what level of explanation is sufficient for different stakeholders and regulatory purposes (Barredo Arrieta et al., 2024; Lipton, 2018). Inadequate explainability can undermine legal defensibility, hinder internal oversight, and weaken trust in AI-supported processes.

Auditability is closely related. Regulators expect institutions to reconstruct decision processes, assess control effectiveness, and demonstrate compliance retrospectively if required (FINMA, 2018). AI systems that lack robust logging, documentation, and traceability mechanisms make such assurance difficult, increasing regulatory and reputational risk.
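The logging and traceability requirement described above can be made concrete. The following is an added example, not code from the paper: a minimal decision log in which every AI-supported decision is recorded with the model version, a hash of the input features (rather than the raw customer data), the score and threshold, the explanation summary and the reviewing human, and records are hash-chained so that any retrospective alteration is detected on verification. The field names, the SHA-256 chaining scheme and the sample records are assumptions chosen for illustration.

```python
"""Tamper-evident log of AI-supported decisions (added example, not the paper's code).

Each record holds what a reviewer or supervisor needs to reconstruct a decision
later: model version, a hash of the input features (not the raw customer data),
score, threshold, outcome, explanation summary and the human reviewer. Records
are chained by SHA-256 so retrospective alteration is detectable. Field names,
the chaining scheme and the sample records below are assumptions for illustration.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first record


def canonical(obj: Any) -> bytes:
    # Deterministic serialisation: the same content always yields the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class DecisionRecord:
    seq: int
    event_time: str                # ISO 8601 timestamp supplied by the caller
    model_id: str
    model_version: str             # the exact artefact that produced the score
    input_hash: str                # SHA-256 of the canonical feature vector
    score: float
    threshold: float
    outcome: str                   # "alert" or "no_alert"
    explanation: Dict[str, float]  # top feature attributions from whatever XAI method is used
    reviewer: Optional[str]        # human who confirmed or overrode the output, if any
    prev_hash: str
    record_hash: str = ""


class DecisionLog:
    def __init__(self) -> None:
        self.records: List[DecisionRecord] = []

    def append(self, event_time: str, model_id: str, model_version: str,
               features: Dict[str, Any], score: float, threshold: float,
               explanation: Dict[str, float], reviewer: Optional[str] = None) -> DecisionRecord:
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = DecisionRecord(
            seq=len(self.records), event_time=event_time, model_id=model_id,
            model_version=model_version, input_hash=sha256_hex(canonical(features)),
            score=score, threshold=threshold,
            outcome="alert" if score >= threshold else "no_alert",
            explanation=explanation, reviewer=reviewer, prev_hash=prev,
        )
        body = asdict(rec)
        body.pop("record_hash")
        rec.record_hash = sha256_hex(canonical(body))  # covers prev_hash, hence the chain
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return the seq of the first record that fails verification, or None if intact."""
        prev = GENESIS
        for rec in self.records:
            body = asdict(rec)
            stored = body.pop("record_hash")
            if rec.prev_hash != prev or sha256_hex(canonical(body)) != stored:
                return rec.seq
            prev = stored
        return None


def demo() -> Dict[str, Any]:
    """Constructed sample: two decisions, then a back-dated change to the first one."""
    log = DecisionLog()
    log.append("2025-01-10T09:00:00Z", "aml-tm", "2.3.1",
               {"amount": 9800.0, "country": "CH", "velocity_7d": 3},
               0.91, 0.80, {"amount": 0.42, "velocity_7d": 0.31}, reviewer="analyst.a")
    log.append("2025-01-10T09:00:05Z", "aml-tm", "2.3.1",
               {"amount": 120.0, "country": "CH", "velocity_7d": 1},
               0.07, 0.80, {"amount": -0.20})
    intact_before = log.verify() is None
    log.records[0].score = 0.10  # someone edits the stored score after the fact
    return {"intact_before": intact_before, "broken_at": log.verify()}
```

A hash chain on its own only detects alteration by someone who cannot rewrite the whole chain, so a real deployment would write these records to append-only storage and periodically anchor the head hash outside the system that produces it (for instance in a separately controlled ledger or a signed statement to internal audit).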

3.3 Data Dependence, Bias, and Fairness

AI systems are fundamentally dependent on data, both for training and ongoing operation. As a result, data quality, representativeness, and governance are central determinants of AI performance and risk (OECD, 2025; Barredo Arrieta et al., 2024; Mehrabi et al., 2021). In financial services, where decisions can have significant legal and social consequences, deficiencies in data governance can lead to biased, discriminatory, or otherwise inappropriate outcomes.

Bias tends to arise from historical data reflecting past practices, structural inequalities, or incomplete coverage of relevant populations (Jobin et al., 2019; Floridi et al., 2018). Even when initial training data are carefully curated, changes in customer behaviour or market conditions can introduce new biases over time. Without continuous monitoring, such issues may remain undetected until they trigger customer complaints or supervisory scrutiny (Raji et al., 2020; Hinder et al., 2024).

Regulatory expectations increasingly require institutions to demonstrate that AI-supported decisions are fair, proportionate, and aligned with legal standards, including non-discrimination obligations (FATF, 2021; OECD, 2025). Addressing these expectations requires not only technical bias mitigation techniques but also organisational processes for data governance, review, and escalation.

3.4 Model Drift and Performance Degradation

A defining feature of AI systems is their susceptibility to change over time. Concept drift, data drift, and model decay can occur when the statistical properties of input data or target variables shift, leading to reduced accuracy or unintended behaviour (Widmer & Kubat, 1996; Gama et al., 2014). In financial services, such shifts tend to result from changes in customer behaviour, economic conditions, regulatory thresholds, or adversarial adaptation by financial criminals.

Empirical studies highlight that model performance degradation is often gradual and difficult to detect without systematic monitoring (Breck et al., 2017; Amershi et al., 2019). In compliance-critical applications such as AML or fraud detection, undetected drift can have severe consequences, including increased false negatives, regulatory breaches, and financial losses.

Traditional validation practices, which rely on periodic reviews or scheduled recalibration, are poorly suited to managing these risks. Instead, institutions require continuous performance monitoring, clear thresholds for intervention, and defined processes for retraining, redeployment, or decommissioning models when necessary (Hinder et al., 2024; OECD, 2025).

3.5 Human Oversight and Organisational Accountability

Regulatory frameworks consistently emphasise the importance of human oversight in automated decision-making processes, particularly where outcomes affect customers or regulatory compliance (OECD, 2025; FINMA, 2024). However, implementing meaningful human-in-the-loop or human-on-the-loop controls in AI-driven systems remains a practical challenge.

In complex organisational settings, responsibilities for AI systems are often distributed across multiple functions, including business units, data science teams, IT operations, compliance, and external vendors (Batool et al., 2025). Without clear governance structures, this fragmentation can obscure accountability and weaken oversight.

Swiss supervisory practice underscores that accountability cannot be delegated to algorithms or third-party providers. Institutions remain fully responsible for AI-supported decisions and must be able to demonstrate effective control and escalation mechanisms (FINMA, 2018; FINMA, 2024). This requires clearly defined roles, decision rights, and documentation across the AI lifecycle.

3.6 Interdependencies and Risk Amplification

While the risk dimensions discussed above are analytically distinct, they are deeply interconnected in practice. Opacity can hinder the detection of bias or drift; inadequate data governance can exacerbate performance degradation; weak accountability structures can delay corrective action. These interdependencies can amplify risks and create cascading failures if not addressed holistically (Orlikowski & Iacono, 2001; Raji et al., 2020).

From a governance perspective, this reinforces the limitations of siloed risk management approaches. Addressing individual risk dimensions in isolation may create the appearance of control while leaving systemic vulnerabilities unaddressed. Instead, institutions require integrated governance mechanisms that recognise AI systems as dynamic, socio-technical constructs operating within broader organisational and regulatory environments.

3.7 Implications for AI Compliance Governance

The risk mapping presented in this section highlights a central insight: AI risks in regulated financial services are inherently dynamic and lifecycle dependent. Static compliance frameworks, periodic validation cycles, and documentation-centric controls are insufficient to manage these risks effectively.

To meet regulatory expectations and support sustainable AI adoption, institutions must embed compliance and assurance mechanisms throughout the AI lifecycle. This includes continuous monitoring of performance and data quality, robust explainability and auditability mechanisms, clear human oversight structures, and defined processes for intervention and adaptation (Burrell, 2016).

These requirements motivate the development of a modular, lifecycle-oriented governance framework that integrates technical, organisational, and regulatory controls. The following section builds on this risk analysis by introducing the design principles and structure of such a framework, forming the foundation for Continuous AI Compliance and Assurance.

4. A Modular Framework for Lifecycle-Oriented AI Compliance

4.1 Design Rationale and Objectives

The risk analysis in the preceding section demonstrates that AI-related risks in regulated financial services are dynamic, interconnected, and distributed across technical, organisational, and operational domains. Addressing these risks requires governance approaches that move beyond static controls and episodic validation toward continuous oversight embedded throughout the AI lifecycle (Gama et al., 2014; Breck et al., 2017; Raji et al., 2020).

The framework developed in this section is guided by three overarching objectives. First, it aims to ensure regulatory compliance and accountability by enabling institutions to demonstrate effective control, auditability, and human oversight of AI-supported processes (FINMA, 2024; Basel Committee on Banking Supervision, 2023). Second, it seeks to support scalable AI adoption, allowing organisations to move from isolated pilots to production-grade systems without accumulating unmanaged risk (Shrestha et al., 2019; OECD, 2025). Third, it is designed to be proportionate and modular, recognising the diversity of institutional sizes, resources, and risk profiles in the Swiss and Liechtenstein financial ecosystem (Baldwin & Clark, 2000; Weill & Ross, 2004).

While ISO/IEC 42001 (2023), Breck et al. (2017), and other lifecycle-oriented frameworks provide foundational guidance, they often assume sufficient organisational capacity and technical expertise, which may not reflect the realities of smaller institutions or FinTech firms. Similarly, Responsible AI frameworks offer valuable principles but are criticised for limited operationalisation and potential ‘ethics washing’ (Jobin et al., 2019; Mökander & Floridi, 2021). CAICA addresses these gaps by embedding modular, risk-proportionate mechanisms that can be scaled according to institutional capacity, while explicitly acknowledging trade-offs between oversight, complexity, and innovation.

Rather than prescribing specific technologies or algorithms, the framework focuses on governance structures, processes, and control mechanisms that can be adapted to different AI use cases and maturity levels. In doing so, it aligns with principles-based supervisory expectations while providing concrete operational guidance.

4.2 Core Design Principles

The proposed framework rests on four interrelated design principles that reflect both academic insights and regulatory expectations.

4.2.1 Lifecycle Orientation

AI systems must be governed across their full lifecycle, from initial use-case selection and system design through deployment, operation, monitoring, and eventual decommissioning (Amershi et al., 2019; ISO/IEC, 2023). Early-stage governance is critical for shaping objectives, defining acceptable risk, and embedding safeguards into data selection, model architecture, and evaluation criteria. However, governance cannot end at deployment. Once operational, AI systems interact with dynamic social, organisational, and technical environments, giving rise to emergent risks that were often not foreseeable during development. These include model drift due to changing data distributions (Gama et al., 2014; Schröder & Schulz, 2022), the amplification or reintroduction of bias over time, degradation in performance, and new forms of misuse or repurposing by users or downstream actors (Hinder et al., 2024).

Governance mechanisms that focus solely on development or point-of-deployment controls therefore provide an incomplete risk management framework. Effective AI governance requires continuous oversight practices such as post-deployment monitoring, regular audits, incident reporting mechanisms, and clearly defined accountability structures for responding to harms as they arise. In addition, lifecycle governance should include criteria and processes for system modification, retraining, or withdrawal when risks can no longer be adequately mitigated. By treating AI systems as evolving socio-technical artefacts rather than static products, lifecycle-based governance better aligns with the realities of long-term AI use and supports more robust, adaptive, and responsible system management (Agarwal et al., 2025; Batool et al., 2025).

Despite its theoretical appeal, full lifecycle governance is resource-intensive and may be difficult to operationalise in practice. Institutions must balance the benefits of continuous oversight with staffing constraints, tool availability, and integration with existing risk management processes (Finch & Butt, 2025). Smaller institutions may implement a subset of lifecycle controls, prioritised according to risk classification, while larger institutions can adopt more comprehensive monitoring. Explicit recognition of these trade-offs enhances the framework’s practical applicability.

4.2.2 Continuous Assurance

Compliance should be treated as an ongoing organisational capability rather than a one-off assessment conducted at the point of approval or deployment. While pre-deployment reviews and conformity assessments are necessary, they are insufficient for ensuring sustained regulatory and ethical alignment over time. AI systems operate in changing legal, technical, and social contexts, and their behaviour tends to evolve as models are updated, data distributions shift, or usage patterns change. As a result, compliance that is initially demonstrated may erode in practice if not actively maintained (Ribeiro et al., 2025).

Continuous monitoring, logging, and periodic review are therefore essential to detect deviations from regulatory requirements, internal policies, and organisational risk appetite (Breck et al., 2017; Raji et al., 2020; OECD, 2025). These practices support traceability, enable timely identification of performance degradation or emergent harms, and provide evidence for internal oversight and external accountability. Treating compliance as a continuous capability also requires clear ownership, escalation pathways, and integration with broader risk management and assurance functions. By embedding compliance into day-to-day operations rather than isolating it as a discrete checkpoint, organisations are better positioned to respond to regulatory change, adapt to evolving risks, and sustain responsible AI use over the long term.

4.2.3 Human Accountability

While AI systems tend to automate, support, or augment decision-making processes, accountability must remain firmly anchored in identifiable human roles and established governance bodies. The delegation of analytical or operational tasks to AI does not transfer responsibility for outcomes, particularly in regulated or high-risk contexts. Without clearly assigned ownership, AI-enabled decisions risk falling into accountability gaps, where it becomes unclear who is responsible for oversight, intervention, or remediation when harms occur (Herrera-Poyatos et al., 2026; Kandikatla et al., 2025; Batool et al., 2025).

Clear decision rights, escalation pathways, and robust documentation are therefore essential to meeting supervisory expectations and legal standards (FINMA, 2018). Decision rights should specify which actors are authorised to rely on, override, or modify AI-generated outputs, as well as under what conditions human review is required. Escalation mechanisms must ensure that anomalies, incidents, or disputes can be promptly raised to appropriate governance bodies with the authority to act. Comprehensive documentation, including the rationale for system use, role definitions, and records of key decisions, supports transparency, auditability, and enforceability of accountability. By embedding human accountability within AI-enabled workflows, organisations can better align automated decision-making with legal responsibility, ethical obligations, and effective governance practice (Papagiannidis et al., 2025; Winecoff & Bogen, 2024; Cheong, 2024).

4.2.4 Modularity and Proportionality

Governance mechanisms for AI should be modular and composable, enabling institutions to tailor controls to the risk profile, scale, and materiality of specific use cases rather than applying uniform requirements across all systems. AI applications vary widely in their potential impact, from low-risk operational efficiencies to high-stakes decision-making affecting individuals, markets, or financial stability. A modular governance approach allows organisations to calibrate oversight, assurance, and control measures accordingly, ensuring that governance effort is commensurate with risk (Danks & London, 2017; Floridi et al., 2020).

This principle of modularity directly supports proportionality, enabling both large, complex institutions and smaller FinTech firms to implement effective AI governance without unnecessary procedural burden or organisational complexity (Baldwin & Clark, 2000; OECD, 2025). By structuring governance controls as interoperable components—such as model validation, monitoring, human oversight, and reporting—institutions can selectively deploy and scale them as needed. This flexibility not only lowers barriers to responsible AI adoption but also enhances adaptability, allowing governance frameworks to evolve alongside technological change, regulatory expectations, and organisational maturity.

4.3 Governance Layers

To operationalise these principles, the framework distinguishes three interdependent governance layers: strategic, operational, and technical. Each layer addresses different aspects of AI risk while remaining tightly integrated.

4.3.1 Strategic Governance Layer

The strategic layer establishes organisational accountability and oversight for AI use. It includes senior management and board-level responsibilities, AI policies, risk appetite definitions, and alignment with organisational strategy (Weill & Ross, 2004; Batool et al., 2025; Agarwal et al., 2025).

Key elements include:

  • Clear ownership of AI-supported processes

  • Defined approval criteria for AI use cases

  • Integration of AI risks into enterprise risk management

This layer ensures that AI adoption decisions reflect not only technical feasibility but also regulatory, ethical, and strategic considerations.

4.3.2 Operational Governance Layer

The operational layer translates strategic intent into concrete processes and controls. It governs how AI systems are developed, deployed, monitored, and reviewed in practice (Amershi et al., 2019; ISO/IEC, 2023; Thorne et al., 2025).

Key elements include:

  • AI project intake and classification processes

  • Model validation and approval workflows

  • Monitoring, incident management, and escalation procedures

This layer plays a central role in ensuring that governance principles are consistently applied across the AI lifecycle.

4.3.3 Technical Governance Layer

The technical layer comprises the tools, infrastructure, and engineering practices that enable monitoring, explainability, and auditability (Breck et al., 2017; Barredo Arrieta et al., 2024; ISO/IEC 42001, 2023; NIST, 2023; Thorne et al., 2025).

Key elements include:

  • Model performance and drift monitoring

  • Explainability and interpretability tools

  • Logging, versioning, and documentation systems

While technical in nature, this layer directly supports regulatory compliance by enabling transparency and traceability.

4.3.4 Example Implementation

For example, a mid-sized Swiss bank deploying an AI model for AML monitoring could face drift in transaction patterns (Section 3.4) and opacity-related explainability challenges (Section 3.2). At the strategic layer, senior management defines risk appetite and approval criteria; at the operational layer, compliance teams track alerts and escalate anomalies; at the technical layer, performance monitoring tools detect drift and generate audit logs. This multi-layered integration demonstrates how CAICA translates lifecycle-oriented governance into actionable, risk-aligned practices.

4.4 Modular Governance Components

The governance framework described here comprises modular, interoperable components that can be tailored and scaled according to the anticipated risk profile and operational context of the specific AI application. A structured approach to governance aligns AI deployment with organizational priorities, regulatory expectations, and broader societal values.

4.4.1 AI Use-Case Selection and Classification

Not all AI deployments present equivalent levels of regulatory, operational, or ethical risk. A systematic process for selecting and classifying AI use cases allows organizations to allocate governance resources proportionately and prioritize oversight where the potential for harm is greatest. Key dimensions for classification include the criticality of decisions supported by the AI system, the extent of automation, potential impacts on stakeholders, and regulatory relevance. These factors align with risk-based governance principles that inform both public and private sector frameworks for trustworthy AI (Jobin, Ienca & Vayena, 2019; Mittelstadt, 2019; Hagendorff, 2020).

4.4.2 Data Governance and Quality Controls

Robust data governance underpins governance frameworks for AI systems. This includes documented data lineage, rigorous quality assurance protocols, and access control mechanisms that ensure integrity, representativeness, and appropriate stewardship of data used in model training and inference. Effective data governance mitigates risks associated with bias, fairness, and model degradation, ensuring that AI systems operate over reliable datasets and adhere to legal and ethical standards (Barredo Arrieta et al., 2024; Binns, 2018; Floridi et al., 2018).

4.4.3 Explainability and Transparency Mechanisms

Explainability and transparency are central requirements of accountable AI governance. Explainability mechanisms—including model-agnostic interpretability tools, structured documentation, and decision logs—support both internal oversight and external accountability. These mechanisms should be designed with consideration for distinct stakeholder needs, such as compliance functions, auditors, regulators, and affected users. Traceability of decisions and documented rationales enhance stakeholder understanding and facilitate auditing and evaluation (Doshi-Velez & Kim, 2017; Arrieta et al., 2020; Samek et al., 2019).

Explainability mechanisms, while critical for internal and external accountability, may not fully satisfy regulatory expectations for highly complex models, such as deep neural networks or ensemble methods. Similarly, human-in-the-loop oversight, though essential for accountability, introduces potential bottlenecks and can reduce operational efficiency if applied uniformly (Rahwan, 2018; Wang et al., 2021). CAICA addresses these limitations by calibrating oversight and explainability requirements according to risk classification and stakeholder needs, rather than enforcing uniform thresholds.

4.4.4 Human-in-the-Loop and Escalation

Meaningful human oversight is essential for mitigating risks inherent in automated decision making, particularly in high-stakes contexts. Governance frameworks should specify intervention points, decision thresholds, and escalation procedures where human judgment is required to validate or override AI outputs. The degree of human involvement ought to be calibrated to the risk, complexity, and material impact of decisions, striking a balance between unnecessary manual intervention and under-supervised automation. Oversight is increasingly viewed as a continuum of roles and responsibilities distributed between humans and AI systems (Rahwan, 2018; Wang et al., 2021).

4.5 Modularity as an Enabler of Innovation

A key contribution of the framework lies in its emphasis on modularity. By decomposing AI compliance governance into reusable components, institutions can incrementally expand their AI capabilities without redesigning governance structures from scratch (Baldwin & Clark, 2000; Shrestha et al., 2019).

For FinTech firms and smaller institutions, modular governance enables targeted investment in high-impact controls while maintaining regulatory alignment. For larger institutions, it supports consistency and scalability across diverse AI portfolios. In both cases, modularity reduces friction between innovation and compliance by embedding governance into existing workflows rather than imposing parallel structures.

While modularity supports scalability and proportionate governance, it may create integration challenges if components are not well-aligned or standardised. Fragmented modules could produce gaps in assurance or obscure accountability if interfaces between strategic, operational, and technical layers are poorly defined. Effective implementation requires disciplined coordination and clear integration protocols.

4.6 Positioning Within Continuous AI Compliance and Assurance

The framework outlined in this section establishes the structural foundation for Continuous AI Compliance and Assurance (CAICA). By integrating governance layers and modular components across the AI lifecycle, it facilitates continuous visibility into AI system behavior, associated risks, and implemented controls. Such an integrated approach operationalizes regulatory expectations by linking strategic accountability, operational processes, and technical monitoring within a coherent assurance capability.

Continuous monitoring and governance mechanisms ensure that AI systems remain aligned with legal, ethical, and operational requirements throughout their lifecycle, supporting both organizational risk management and regulatory compliance (Gartner, 2025; Binns, 2018; Floridi et al., 2018). The subsequent section expands on this foundation by examining practical implementation through structured AI delivery pipelines and ongoing monitoring frameworks, highlighting methods for embedding accountability and transparency into operational practice (Rahwan, 2018; Arrieta et al., 2020; Wang et al., 2021).

5. Operationalising Continuous AI Compliance and Assurance (CAICA)

5.1 From Governance Architecture to Operational Capability

The modular governance framework presented in Section 4 establishes the structural foundations necessary for lifecycle-oriented AI compliance. However, governance architectures alone are insufficient if they are not operationalised through concrete practices that guide day-to-day decision-making. Effective AI compliance requires integration into the processes by which AI systems are designed, deployed, monitored, and adapted throughout their operational lifecycle (Amershi et al., 2019; Sculley et al., 2015; Breck et al., 2017; ISO/IEC, 2023).

Continuous AI Compliance and Assurance (CAICA) operationalizes these principles by embedding governance, risk management, and technical control mechanisms into a coherent, closed-loop workflow. CAICA does not constitute an additional oversight layer; rather, it functions as a coordination mechanism linking strategic accountability, operational processes, and technical monitoring into a continuous assurance capability (Raji et al., 2020; OECD, 2025).

The central premise of CAICA is that compliance cannot be achieved at a single point in time—such as model approval or deployment—but must be continuously demonstrated throughout the AI system’s operational life. This approach aligns closely with supervisory expectations in Switzerland and Liechtenstein, where authorities emphasise demonstrable organisational control and ongoing risk management over procedural formalism (FINMA, 2024).

While CAICA provides a structured operational framework, smaller institutions or resource-constrained FinTech firms may face practical challenges in embedding continuous monitoring, logging, and human oversight. Staffing limitations, limited access to advanced monitoring tools, and the need to integrate with legacy systems can constrain implementation (Finch & Butt, 2025). Recognising these constraints, CAICA is designed to allow phased or risk-prioritised adoption of governance components, enabling institutions to focus resources on high-impact areas without compromising baseline compliance.

5.2 The AI Delivery Pipeline as a Compliance Backbone

Operationalising CAICA necessitates structuring AI development and deployment around a clearly defined delivery pipeline, within which compliance and governance mechanisms are embedded at every stage (Breck et al., 2017; Amershi et al., 2019). By integrating assurance activities directly into the pipeline, CAICA ensures that regulatory and ethical considerations are operationalised continuously rather than episodically.

5.2.1 Use-Case Intake and Classification

The pipeline begins with structured intake and classification of AI use cases. At this stage, institutions evaluate regulatory relevance, decision-criticality, degree of automation, and potential stakeholder impact (Davenport & Ronanki, 2018; OECD, 2025). These assessments inform the scope and intensity of subsequent governance and compliance measures, operationalising proportionality by aligning oversight efforts with the assessed risk profile of each AI application.

5.2.2 Design and Development

During design and development, compliance considerations are systematically incorporated into data selection, model architecture, and system design choices. Comprehensive documentation—including assumptions, limitations, and intended use—supports later auditability and regulatory oversight (ISO/IEC, 2023; Barredo Arrieta et al., 2024). At this stage, human oversight requirements and escalation thresholds are defined ex ante, embedding accountability and risk mitigation measures prior to operational deployment.

5.2.3 Validation and Approval

Prior to deployment, AI models undergo rigorous validation that extends beyond conventional performance evaluation to include compliance-relevant criteria, such as explainability, robustness, and alignment with regulatory expectations (Carvalho et al., 2019; Board of Governors of the Federal Reserve System, 2011; Basel Committee on Banking Supervision, 2023). Approval decisions are explicitly tied to use-case classification and documented governance requirements, ensuring that validation outcomes are proportionate, contextually grounded, and consistent with supervisory guidance.

5.2.4 Deployment and Integration

Deployment marks the transition from controlled development environments to operational contexts, which inherently alters the risk landscape. Within CAICA, this phase entails enhanced monitoring, logging, and human oversight to identify and mitigate emergent risks in real time (Breck et al., 2017; FINMA, 2024). Integration with pre-existing business processes ensures that AI-supported decisions remain embedded within organisational control structures, thereby sustaining accountability and regulatory alignment.

5.3 Continuous Monitoring and Assurance Mechanisms

Following deployment, AI systems require continuous monitoring to maintain compliance and operational effectiveness. CAICA integrates technical monitoring with organisational oversight processes, creating a closed-loop feedback system that enables timely identification and remediation of emergent risks.

5.3.1 Performance and Drift Monitoring

Continuous assessment of model performance and underlying data characteristics facilitates the early detection of concept drift, data distribution shifts, and performance degradation (Widmer & Kubat, 1996; Gama et al., 2014; Hinder et al., 2024; Sculley et al., 2015). Monitoring thresholds and alerting mechanisms are calibrated according to the materiality and risk profile of each AI application, ensuring proportionate and context-sensitive oversight.

Continuous monitoring is resource-intensive and may generate large volumes of alerts, leading to potential ‘alert fatigue’ among operational teams (Power, 2007; Ribeiro et al., 2025). Institutions must implement risk-based thresholding and automated triaging to ensure that monitoring remains actionable and proportionate to the risk profile of each AI application.
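The following is an added illustration of the risk-based thresholding and automated triage described above; it is not code from the paper or from any institution. Drift is measured with the Population Stability Index (PSI) over binned feature values, and the same PSI score is mapped to a different action depending on the use case's risk tier, so that a high-materiality application escalates where a low-risk one only logs. The tier thresholds, the bin edges and the sample transaction amounts are constructed for the example.

```python
"""Risk-tiered drift monitoring with automated alert triage.

Added illustration, not from the paper. Drift is measured with the
Population Stability Index (PSI) over binned feature values; the thresholds
per risk tier and the sample transaction amounts are constructed here.
"""
from __future__ import annotations

import math
from dataclasses import dataclass
from enum import Enum


class RiskTier(Enum):
    LOW = "low"
    MEDIUM = "medium"
    HIGH = "high"


# Hypothetical (warn, escalate) PSI limits: higher-materiality use cases
# get tighter limits, so monitoring effort scales with risk.
PSI_THRESHOLDS = {
    RiskTier.LOW: (0.25, 0.40),
    RiskTier.MEDIUM: (0.15, 0.25),
    RiskTier.HIGH: (0.10, 0.15),
}


def histogram(values: list[float], edges: list[float]) -> list[int]:
    """Bin values into len(edges)+1 buckets: (-inf, e0], (e0, e1], ..., (e_last, inf)."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        i = 0
        while i < len(edges) and v > edges[i]:
            i += 1
        counts[i] += 1
    return counts


def psi(reference: list[float], current: list[float], edges: list[float],
        eps: float = 1e-6) -> float:
    """Population Stability Index; eps guards against empty bins (log of zero)."""
    ref_counts = histogram(reference, edges)
    cur_counts = histogram(current, edges)
    total = 0.0
    for r, c in zip(ref_counts, cur_counts):
        p = max(r / len(reference), eps)
        q = max(c / len(current), eps)
        total += (q - p) * math.log(q / p)
    return total


@dataclass(frozen=True)
class Alert:
    feature: str
    psi: float
    severity: str  # "info", "warn" or "escalate"
    action: str


def triage(feature: str, psi_value: float, tier: RiskTier) -> Alert:
    """Map a drift score to an action using the tier's thresholds."""
    warn, escalate = PSI_THRESHOLDS[tier]
    if psi_value >= escalate:
        return Alert(feature, psi_value, "escalate",
                     "open incident; notify model owner and compliance")
    if psi_value >= warn:
        return Alert(feature, psi_value, "warn", "queue for review in next monitoring cycle")
    return Alert(feature, psi_value, "info", "record only")


def monitor(feature: str, reference: list[float], current: list[float],
            edges: list[float], tier: RiskTier) -> Alert:
    """One monitoring cycle for one feature: compute drift, then triage it."""
    return triage(feature, psi(reference, current, edges), tier)


# Constructed sample: transaction amounts at validation time vs. later windows.
AMOUNT_EDGES = [100.0, 500.0, 1000.0]
REFERENCE_AMOUNTS = [50.0] * 10 + [300.0] * 10 + [800.0] * 10 + [5000.0] * 10
STABLE_AMOUNTS = [50.0] * 9 + [300.0] * 11 + [800.0] * 10 + [5000.0] * 10
SHIFTED_AMOUNTS = [50.0] * 4 + [300.0] * 6 + [800.0] * 10 + [5000.0] * 20


if __name__ == "__main__":
    for tier in RiskTier:
        print(tier.value, monitor("tx_amount", REFERENCE_AMOUNTS, SHIFTED_AMOUNTS,
                                  AMOUNT_EDGES, tier))
```

The shifted window yields a PSI of roughly 0.36: for a high- or medium-tier application that opens an incident, whereas a low-tier application only queues a review, which is the proportionality the section describes. The stable window scores well below every threshold and produces an informational record only, keeping the alert stream small for operational teams.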

5.3.2 Explainability and Decision Traceability

CAICA requires that AI-supported decisions remain traceable and explainable throughout operational deployment. Detailed logs, version histories, and structured documentation enable reconstruction of decision-making processes for internal review or supervisory inquiry, reinforcing accountability and auditability (Doshi-Velez & Kim, 2017; FINMA, 2018).

Despite advances in post hoc interpretability methods, highly complex models may remain partially opaque, limiting the ability of institutions to fully satisfy supervisory scrutiny (Burrell, 2016; Doshi-Velez & Kim, 2017). CAICA mitigates this risk by calibrating explainability requirements according to the criticality of decisions, but institutions must recognise that residual opacity may necessitate complementary oversight or contingency measures.
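As an added example of the decision traceability this subsection calls for (not code from the paper or from any institution), the following records each AI-supported decision together with the model version, references to the archived input and explanation artefacts, and the reviewer, and chains the records with SHA-256 so that a later edit or deletion is detectable when the log is reconstructed for internal review or supervisory inquiry. The field names, artefact references and sample records are constructed.

```python
"""Tamper-evident decision log for reconstruction of AI-supported decisions.

Added illustration, not from the paper. Each record carries the model version,
references to the stored input and explanation artefacts, and the hash of the
previous record, so later edits or deletions are detectable. Field names and
sample records are constructed.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace


@dataclass(frozen=True)
class DecisionRecord:
    seq: int
    timestamp: str
    model_id: str
    model_version: str
    input_ref: str         # pointer to the archived input snapshot
    output: str
    explanation_ref: str   # pointer to the archived explanation artefact
    reviewer: str          # "" when no human touched the decision
    prev_hash: str
    hash: str


class DecisionLog:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.records: list[DecisionRecord] = []

    @staticmethod
    def digest(body: dict) -> str:
        """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canonical).hexdigest()

    def append(self, **fields) -> DecisionRecord:
        prev = self.records[-1].hash if self.records else self.GENESIS
        body = {"seq": len(self.records), "prev_hash": prev, **fields}
        rec = DecisionRecord(**body, hash=self.digest(body))
        self.records.append(rec)
        return rec

    def verify(self) -> tuple[bool, int]:
        """Return (True, -1) if the chain is intact, else (False, index of the first bad record)."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            body = asdict(rec)
            body.pop("hash")
            if rec.seq != i or rec.prev_hash != prev or self.digest(body) != rec.hash:
                return False, i
            prev = rec.hash
        return True, -1

    def decisions_for(self, model_version: str) -> list[DecisionRecord]:
        """Reconstruct every decision taken by a given model version."""
        return [r for r in self.records if r.model_version == model_version]


def build_sample_log() -> DecisionLog:
    """Constructed records for an AML alert scorer across a version change."""
    log = DecisionLog()
    log.append(timestamp="2024-03-01T09:00:00Z", model_id="aml-alert-scorer", model_version="2.3.0",
               input_ref="archive://inputs/0001", output="alert", explanation_ref="archive://shap/0001",
               reviewer="")
    log.append(timestamp="2024-03-01T09:05:00Z", model_id="aml-alert-scorer", model_version="2.3.0",
               input_ref="archive://inputs/0002", output="no_alert", explanation_ref="archive://shap/0002",
               reviewer="analyst-17")
    log.append(timestamp="2024-03-02T10:00:00Z", model_id="aml-alert-scorer", model_version="2.4.0",
               input_ref="archive://inputs/0003", output="alert", explanation_ref="archive://shap/0003",
               reviewer="")
    return log


def modify_record(log: DecisionLog, index: int, **changes) -> None:
    """Simulate an after-the-fact edit, to show that verify() catches it."""
    log.records[index] = replace(log.records[index], **changes)


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", sample.verify())
    modify_record(sample, 1, output="alert")
    print("after edit:", sample.verify())
```

The chain only makes tampering detectable; it does not prevent it. In practice the head hash would be anchored somewhere outside the writer's control (a periodic signed checkpoint or an append-only store), and the archived inputs and explanations referenced by each record would be retained for the same period as the log.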

5.3.3 Incident Management and Escalation

When monitoring identifies anomalies, performance deviations, or potential compliance breaches, pre-defined escalation protocols are invoked. These procedures specify responsibilities, timelines, and decision rights, thereby ensuring timely and transparent resolution in alignment with organisational governance frameworks (ISO/IEC, 2023; FINMA, 2024).

5.4 Human Oversight in Practice

A central tenet of Continuous AI Compliance and Assurance (CAICA) is the integration of substantive human oversight throughout AI operations. CAICA does not prescribe uniform or blanket human intervention; instead, it differentiates oversight mechanisms according to the assessed risk profile, degree of automation, and regulatory sensitivity of each AI application (OECD, 2025; FINMA, 2024).

Human-in-the-loop configurations entail direct engagement with individual decisions, enabling operators to validate or override outputs in real time. In contrast, human-on-the-loop arrangements emphasize supervisory monitoring of system behaviour, with interventions triggered when predefined thresholds are exceeded. Effective oversight is contingent upon clearly delineated roles, responsibilities, and appropriate training, thereby ensuring that human involvement is substantive and operationally meaningful rather than purely formalistic or symbolic (Rahwan, 2018; Wang et al., 2021; Batool et al., 2025).

Implementing human-in-the-loop or human-on-the-loop mechanisms across multiple AI applications can create operational bottlenecks and increase latency in decision-making. Institutions must carefully balance the depth of oversight with operational efficiency, potentially prioritising direct human intervention for high-risk decisions while applying supervisory monitoring for lower-impact processes (Rahwan, 2018; Wang et al., 2021). Explicit calibration of oversight intensity is therefore essential to avoid both under- and over-supervision.

5.5 Auditability and Supervisory Readiness

A core objective of the Continuous AI Compliance and Assurance (CAICA) framework is to ensure auditability and facilitate effective engagement with supervisory authorities. By embedding comprehensive documentation, logging, and monitoring mechanisms directly into operational workflows, CAICA enables institutions to demonstrate the effectiveness of controls without reliance on extensive ex post reconstruction (Power, 2007; FINMA, 2024).

From a supervisory standpoint, CAICA provides clarity regarding the following critical inquiries:

  • Which AI systems are operational, and for what specific purposes?

  • By what mechanisms are risks identified, monitored, and mitigated over time?

  • Which individuals or governance bodies hold accountability for AI-supported decisions?

Providing systematic and verifiable responses to these questions enhances institutional credibility, reinforces accountability, and reduces regulatory uncertainty, thereby strengthening the organisation’s ability to meet both legal and supervisory expectations.

5.6 Scaling CAICA Across the Organisation

A salient advantage of CAICA lies in its inherent scalability. The modular and proportionate design of its governance components allows institutions to incrementally extend the framework in alignment with the growth and diversification of their AI portfolios (Baldwin & Clark, 2000; Shrestha et al., 2019).

For smaller financial institutions and FinTech enterprises, CAICA enables targeted investment in high-risk or high-impact AI applications while maintaining regulatory compliance. Conversely, within larger organisations, the framework provides a cohesive structure that harmonises AI governance practices across multiple business units and geographies. In both contexts, CAICA reduces friction between innovation and compliance by embedding assurance activities within existing AI delivery pipelines, rather than imposing parallel or externally siloed governance mechanisms.

While modularity facilitates scalability, integration challenges can arise when governance components are implemented across multiple business units or geographies. Misaligned practices or inconsistent application of CAICA modules could create gaps in oversight, reduce accountability, or obscure risk ownership. Effective coordination, standardised processes, and regular audits are necessary to maintain coherence across the organisational AI portfolio.

5.7 Summary and Transition

This section has demonstrated the operationalisation of the modular governance framework introduced in Section 4 through the CAICA model. By integrating compliance checkpoints within the AI delivery pipeline, embedding continuous performance monitoring, establishing structured human oversight, and ensuring auditability, CAICA reconceptualises compliance as a dynamic organisational capability. Rather than functioning as a static, episodic checkpoint, CAICA constitutes an ongoing mechanism for risk management, regulatory alignment, and operational assurance, establishing the foundation for responsible AI deployment at scale.

6. What CAICA Changes Compared to Existing AI Governance Approaches

A central concern when introducing new AI governance frameworks is whether they represent genuine conceptual progress or merely a synthesis and relabelling of established practices such as Model Risk Management (MRM), MLOps, and Responsible AI principles. Continuous AI Compliance and Assurance (CAICA) does not claim novelty through the introduction of new ethical principles, regulatory categories, or technical controls. Its contribution lies instead in reorganising existing governance elements around time, accountability, and system behaviour, thereby altering how compliance is produced, maintained, and demonstrated in practice.

Rather than asking whether CAICA introduces “new” controls, the more relevant question is whether it changes governance behaviour in ways that existing approaches do not. This section clarifies that contribution by identifying four dimensions along which CAICA departs from traditional AI governance models.

A common critique of new governance frameworks is that they amount to incremental relabelling rather than substantive change, particularly in domains where Model Risk Management, MLOps, and Responsible AI practices are already well established. From this perspective, CAICA risks being perceived as a conceptual aggregation rather than a distinct governance advance. This critique is not unfounded: many large financial institutions already implement continuous monitoring, periodic reassessment, and human oversight in fragmented forms. The contribution of CAICA should therefore be evaluated not on the presence of individual controls, but on whether its reorganisation meaningfully alters accountability structures, decision timing, and supervisory engagement.

6.1 Timing of Compliance: From Episodic Validation to Continuous Assurance

Traditional AI governance approaches in financial services are largely episodic. Compliance evidence is produced at discrete moments—during model validation, approval, or periodic review—and then relied upon until the next scheduled assessment. This logic reflects the assumptions of relatively stable models and bounded system behaviour (Breck et al., 2017).

CAICA introduces a fundamentally different temporal logic. Compliance is not inferred from past approvals but continuously generated through system operation. Monitoring outputs, drift indicators, explainability artefacts, and escalation events become ongoing compliance signals rather than purely technical metrics. As a result, deviations in model behaviour are treated as potential compliance-relevant events at the moment they occur, rather than as issues to be discovered retrospectively (Raji et al., 2020; Gama et al., 2014).

The novelty of CAICA therefore lies not in what is monitored, but in when compliance is considered to exist. Compliance becomes time-sensitive and dynamic, aligning governance with the evolving risk profile of AI systems (OECD, 2025).

It should be noted, however, that elements of continuous monitoring and reassessment are not entirely absent from existing governance regimes. Advanced MRM and MLOps practices increasingly incorporate post-deployment monitoring and periodic recalibration. CAICA’s contribution lies less in introducing continuous practices per se, and more in formally recognising their outputs as compliance-relevant signals rather than purely technical indicators. Whether organisations and supervisors are willing to treat operational metrics as regulatory evidence remains an open empirical question.

6.2 Nature of Approval: From Binary Sign-Off to Conditional, Time-Bound Authorization

In conventional governance models, model approval is typically binary and durable: a system is either approved or not, and approval remains valid until revoked through a formal review process (Basel Committee on Banking Supervision, 2023). While effective for static models, this approach is poorly suited to adaptive systems whose behaviour may change between review cycles.

Under CAICA, approval is explicitly conditional and time-bound. Authorisation to operate is linked to predefined operational conditions, such as acceptable drift thresholds (Amershi et al., 2019), explainability coverage, data quality constraints, and human oversight readiness. Breaching these conditions triggers predefined escalation, intervention, or rollback mechanisms.

This transforms approval from a static governance state into a continuous assurance relationship between technical operation and organisational accountability. The innovation here is not the introduction of new controls, but the reconceptualization of approval as something that must be continuously reaffirmed through operational evidence.

6.3 Location of Compliance: From External Review to Embedded Operational Capability

Existing governance frameworks often position compliance as an external review function, operating alongside or after system development and deployment. Compliance evidence is primarily documentation-based and reconstructed post hoc through audits or validation reports.

CAICA relocates compliance into the AI delivery and operations pipeline itself. Logging, monitoring, version control, and explainability mechanisms are not merely engineering best practices, but primary compliance artefacts (Breck et al., 2017). Assurance is produced natively by system operation rather than reconstructed after the fact.

This shift alters the role of compliance functions. Rather than acting primarily as ex post reviewers, they become curators and interpreters of continuously produced assurance signals. The result is a governance model in which regulatory defensibility emerges from everyday operation, not exceptional review processes (Barredo Arrieta et al., 2024; FINMA, 2024).

Relocating compliance into operational pipelines also introduces new risks. Embedding compliance into technical artefacts may obscure normative judgment behind automated signals, potentially reinforcing a form of ‘technical compliance’ that privileges measurability over substantive accountability. Scholars have warned that such shifts can contribute to performative governance, where the production of assurance artefacts substitutes for critical reflection on system impact (Power, 2007; Binns, 2018). CAICA mitigates this risk by maintaining explicit human accountability, but it does not eliminate the possibility of over-reliance on operational metrics.

6.4 Governance Unit of Analysis: From Models to Lifecycle Risk Trajectories

Traditional governance approaches typically treat the model as the primary unit of analysis. Risk assessments, validations, and approvals focus on the model as a bounded artefact, abstracted from its evolving operational context (Agarwal et al., 2025; Batool et al., 2025).

CAICA adopts a different unit of analysis: the model-in-context-over-time. Governance attention shifts from isolated model properties to lifecycle risk trajectories shaped by data evolution, usage patterns, human interaction, and organisational processes. This perspective allows institutions to identify systemic risks—such as gradual performance degradation, interaction effects, or oversight erosion—that remain largely invisible in model-centric frameworks (Raji et al., 2020). By governing AI systems as dynamic socio-technical systems rather than static artefacts, CAICA aligns compliance with how AI risk actually manifests in regulated environments (Jobin, Ienca & Vayena, 2019).

While lifecycle risk trajectories provide a richer analytical lens than model-centric governance, they also increase governance complexity. Tracking evolving risks across time, context, and organisational boundaries demands significant coordination and interpretive capacity. There is a risk that expanding the unit of analysis dilutes responsibility rather than strengthening it, particularly in large organisations with fragmented ownership structures. Empirical investigation is needed to assess whether lifecycle-oriented governance improves accountability in practice or merely redistributes it.

6.5 A Governance Design Pattern: Conditional Model Approval

The behavioural implications of CAICA can be illustrated through the Conditional Model Approval design pattern (Danks & London, 2017; Floridi et al., 2020). Under this pattern, AI models are approved subject to explicitly defined operational conditions rather than permanently authorised at deployment. These conditions specify measurable expectations regarding performance stability, explainability availability, data integrity, and oversight effectiveness. Continuous monitoring assesses adherence to these conditions, while predefined thresholds trigger escalation or suspension.

This pattern is not reducible to traditional MRM validation, MLOps monitoring, or Responsible AI principles alone. Its novelty lies in linking operational signals directly to governance status and accountability, thereby transforming approval into a living governance mechanism rather than a historical decision (Shrestha et al., 2019; Baldwin & Clark, 2000).
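The following is an added illustration of the Conditional Model Approval pattern, serving both the conditional, time-bound authorisation of Section 6.2 and the design pattern above; it is not code from the paper or from any institution. An approval carries an expiry, a named accountable owner and the four kinds of condition the text lists (drift, data quality, explainability coverage, oversight readiness). Each monitoring cycle feeds current evidence to the approval, which re-affirms, escalates, suspends or expires the authorisation and logs the transition; a suspension or expiry is sticky and can only be cleared by an explicit human re-authorisation. The condition values, the split into hard and soft conditions, and the scenario dates are constructed.

```python
"""Conditional, time-bound model authorisation (Conditional Model Approval).

Added illustration, not from the paper. The approval object, the condition
names, the hard/soft split and the evaluation rules are constructed here.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Status(Enum):
    AUTHORISED = "authorised"  # conditions met, evidence fresh
    ESCALATED = "escalated"    # a soft condition breached; human decision pending
    SUSPENDED = "suspended"    # a hard condition breached; outputs must not drive decisions
    EXPIRED = "expired"        # authorisation window elapsed without re-approval


@dataclass(frozen=True)
class Conditions:
    max_drift_psi: float                # hard: drift beyond this suspends
    min_data_quality: float             # hard: share of records passing validation
    min_explainability_coverage: float  # soft: share of decisions with a stored explanation
    reviewer_required: bool             # soft: an on-duty reviewer must exist for escalations


@dataclass(frozen=True)
class Signals:
    """Operational evidence produced by monitoring at one point in time."""
    drift_psi: float
    data_quality: float
    explainability_coverage: float
    reviewer_on_duty: bool


@dataclass
class Approval:
    model_id: str
    version: str
    accountable_owner: str
    granted_at: datetime
    valid_for: timedelta
    conditions: Conditions
    status: Status = Status.AUTHORISED
    log: list[dict] = field(default_factory=list)

    @property
    def expires_at(self) -> datetime:
        return self.granted_at + self.valid_for

    def evaluate(self, signals: Signals, now: datetime) -> Status:
        """Re-affirm or withdraw authorisation from current evidence; every call is logged."""
        c, hard, soft = self.conditions, [], []
        if signals.drift_psi > c.max_drift_psi:
            hard.append(f"drift {signals.drift_psi:.3f} > {c.max_drift_psi}")
        if signals.data_quality < c.min_data_quality:
            hard.append(f"data quality {signals.data_quality:.3f} < {c.min_data_quality}")
        if signals.explainability_coverage < c.min_explainability_coverage:
            soft.append(f"explainability coverage {signals.explainability_coverage:.2f} "
                        f"< {c.min_explainability_coverage}")
        if c.reviewer_required and not signals.reviewer_on_duty:
            soft.append("no reviewer on duty for escalations")

        if self.status in (Status.SUSPENDED, Status.EXPIRED):
            new = self.status  # sticky: only reauthorise() clears these
        elif now >= self.expires_at:
            new = Status.EXPIRED
        elif hard:
            new = Status.SUSPENDED
        elif soft:
            new = Status.ESCALATED
        else:
            new = Status.AUTHORISED
        self.log.append({"at": now.isoformat(), "from": self.status.value, "to": new.value,
                         "breaches": hard + soft, "owner": self.accountable_owner})
        self.status = new
        return new

    def reauthorise(self, approver: str, now: datetime) -> None:
        """Explicit human re-approval: restarts the authorisation window."""
        self.log.append({"at": now.isoformat(), "from": self.status.value,
                         "to": Status.AUTHORISED.value, "breaches": [], "owner": approver})
        self.granted_at, self.status = now, Status.AUTHORISED


def run_scenario() -> list[str]:
    """Constructed 200-day history of one model; returns the status after each cycle."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    approval = Approval("aml-alert-scorer", "2.3.0", "Head of Compliance", t0, timedelta(days=90),
                        Conditions(max_drift_psi=0.15, min_data_quality=0.99,
                                   min_explainability_coverage=0.95, reviewer_required=True))
    healthy = Signals(0.04, 0.998, 0.99, True)
    seen = [approval.evaluate(healthy, t0 + timedelta(days=10)).value]
    seen.append(approval.evaluate(Signals(0.04, 0.998, 0.90, True), t0 + timedelta(days=20)).value)
    seen.append(approval.evaluate(healthy, t0 + timedelta(days=30)).value)
    seen.append(approval.evaluate(Signals(0.36, 0.998, 0.99, True), t0 + timedelta(days=40)).value)
    seen.append(approval.evaluate(healthy, t0 + timedelta(days=50)).value)  # still suspended
    approval.reauthorise("Model Risk Committee", t0 + timedelta(days=55))
    seen.append(approval.evaluate(healthy, t0 + timedelta(days=60)).value)
    seen.append(approval.evaluate(healthy, t0 + timedelta(days=200)).value)  # window elapsed
    return seen


if __name__ == "__main__":
    print(run_scenario())
```

Two design choices carry the governance point. A suspension is not lifted by the next healthy monitoring cycle; it persists until a named approver re-authorises, so the accountability decision stays with a person even though the trigger was automated. And the transition log records who owned the approval at every evaluation, which is the evidence a supervisor would ask for when reconstructing why a model was allowed to operate on a given date.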

6.6 Summary: Novelty Through Reorganisation, Not Reinvention

CAICA does not compete with existing AI governance frameworks by proposing alternative principles or controls. Instead, it introduces a different governance logic—one in which compliance is continuous rather than episodic, approval is conditional rather than permanent, and assurance is operationally produced rather than retrospectively inferred.

By reorganising established governance elements around the lifecycle dynamics of AI systems, CAICA enables institutions to demonstrate ongoing regulatory control under conditions of adaptivity and uncertainty. In this sense, its contribution is not the invention of new compliance requirements, but the transformation of how compliance is enacted, experienced, and evidenced in practice.

7. Limitations and Tensions

The framework and arguments developed in this paper are subject to several limitations and inherent tensions. Acknowledging these is essential for situating the contribution appropriately and for guiding future research and practical application.

7.1 Conceptual and Empirical Limitations

First, the paper adopts a conceptual and design-oriented approach rather than an empirical evaluation. While the proposed framework is grounded in academic literature, regulatory guidance, and practitioner experience, it has not been tested through large-scale empirical studies or comparative quantitative analysis. As a result, the paper does not claim to demonstrate causal relationships between lifecycle-oriented compliance and improved AI performance or regulatory outcomes. Future research could empirically examine how continuous AI compliance practices affect risk incidence, supervisory interactions, or innovation outcomes across institutions.

Second, the framework abstracts from sector- and use-case-specific differences within financial services. While this abstraction supports generalisability and modularity, it may overlook nuances associated with particular applications such as credit underwriting, trading, or wealth management. Institutions implementing CAICA must therefore adapt the framework to their specific regulatory, organisational, and technological context.

Beyond empirical limitations, CAICA also faces structural constraints. Continuous compliance presupposes that relevant risks can be meaningfully detected, measured, and interpreted through operational signals. However, certain harms—such as gradual shifts in social impact, distributional effects, or institutional dependency on automated systems—may resist timely detection through monitoring alone. Lifecycle-oriented governance improves visibility into system behaviour, but it cannot fully capture all normative or societal dimensions of AI risk.

7.2 Tension Between Flexibility and Formalisation

A central tension inherent in lifecycle-oriented AI governance lies between flexibility and formalisation. On the one hand, continuous compliance requires structured processes, documentation, and monitoring mechanisms to ensure auditability and accountability. On the other hand, excessive formalisation risks slowing innovation, discouraging experimentation, and creating procedural compliance that adds limited substantive value.

This tension is particularly pronounced in fast-moving innovation environments and among resource-constrained FinTech firms. While modularity and proportionality mitigate this risk, they do not eliminate it. Striking an appropriate balance between governance rigour and operational agility remains a managerial and organisational challenge rather than a purely technical one.

There is also a risk that continuous compliance regimes evolve into a form of compliance theatre, in which the ongoing production of metrics, dashboards, and reports creates an appearance of control without corresponding improvements in substantive governance. This risk is well documented in audit and risk management literature, where increased formalisation can paradoxically reduce critical engagement (Power, 2007). CAICA seeks to counteract this tendency through explicit accountability and escalation mechanisms, but its effectiveness ultimately depends on organisational incentives and supervisory interpretation.

7.3 Tension Between Automation and Human Oversight

Another fundamental tension concerns the relationship between automation and human oversight. While AI systems are often introduced to reduce manual effort and improve efficiency, regulatory expectations consistently require meaningful human accountability for AI-supported decisions. Designing oversight mechanisms that are effective, scalable, and non-perfunctory is inherently difficult.

There is a risk that human-in-the-loop controls become symbolic rather than substantive, particularly in high-volume or time-sensitive processes. Conversely, overly conservative oversight arrangements may negate the efficiency gains that motivate AI adoption in the first place. The framework highlights this tension but cannot fully resolve it, as appropriate oversight depends on contextual factors such as risk tolerance, decision criticality, and organisational maturity.

More fundamentally, CAICA should not be interpreted as a self-sufficient solution to AI governance challenges. Like all governance frameworks, it operates within broader institutional, cultural, and political contexts that shape how rules are interpreted and enforced. Where organisational incentives reward speed, revenue, or experimentation over control, even well-designed lifecycle governance may be weakened in practice. Frameworks such as CAICA can enable responsible behaviour, but they cannot substitute for sustained leadership commitment or effective regulatory oversight.

7.4 Organisational and Capability Constraints

Implementing continuous AI compliance requires significant organisational capabilities, including cross-functional coordination, technical infrastructure, and specialised expertise. Not all institutions possess these capabilities to the same degree. Smaller institutions tend to struggle to implement comprehensive monitoring or documentation practices, while larger institutions may face challenges related to organisational complexity and siloed responsibilities.

Moreover, governance effectiveness depends on organisational culture and incentives. Even well-designed frameworks tend to fail if accountability is unclear, if compliance functions lack authority, or if business pressures prioritise speed over control. These factors lie largely outside the scope of formal governance models.

7.5 Regulatory Uncertainty and Evolution

Finally, AI governance operates in a context of ongoing regulatory evolution. While the framework aligns with current supervisory expectations and international standards, future regulatory developments may introduce new requirements or reinterpret existing principles. Lifecycle-oriented governance reduces sensitivity to regulatory change but does not eliminate uncertainty.

Institutions must therefore treat frameworks such as CAICA as evolving artefacts rather than fixed solutions, subject to periodic reassessment and adaptation as regulatory, technological, and organisational conditions change.

7.6 Summary

In summary, the proposed approach to lifecycle-oriented AI compliance offers a structured and pragmatic response to the governance challenges of AI in regulated financial services, but it does not provide a universal or definitive solution. Its effectiveness depends on empirical validation, contextual adaptation, and sustained organisational commitment. Recognising these limitations and tensions is essential for applying the framework responsibly and for advancing future research on AI governance and compliance.

8. Conclusion

Artificial intelligence has moved beyond experimental deployment to become embedded in compliance-critical processes within financial services. As AI systems increasingly shape regulatory outcomes, customer treatment, and institutional risk exposure, the central governance challenge is no longer whether AI can be deployed, but whether it can be governed credibly as a dynamic socio-technical system whose behaviour and risk profile evolve over time. This paper has argued that many prevailing compliance approaches—characterised by static documentation, episodic validation, and durable approval decisions—are structurally misaligned with the adaptive, data-dependent, and context-sensitive nature of contemporary AI systems.

To address this misalignment, the paper introduced Continuous AI Compliance and Assurance (CAICA) as a lifecycle-oriented governance coordination model. Rather than proposing new regulatory principles, ethical frameworks, or technical controls, CAICA reorganises established governance elements around temporal system behaviour and organisational accountability. It conceptualises compliance as a continuously produced organisational capability by shifting from episodic validation to continuous assurance, replacing permanent approval with conditional and time-bound authorisation, embedding oversight directly into operational workflows, and treating AI systems as models-in-context-over-time. The contribution of CAICA therefore lies not in regulatory or technical novelty, but in altering how compliance is generated, sustained, and evidenced in practice.

The Swiss and Liechtenstein regulatory context underscores the relevance of this approach. Principles-based supervision affords institutions considerable technological discretion while simultaneously requiring demonstrable, ongoing organisational control and accountability. Lifecycle-oriented governance architectures such as CAICA offer a concrete operationalisation of this supervisory logic: auditability, accountability, and supervisory readiness emerge from everyday system operation rather than from retrospective reconstruction or procedural formalism.

At the same time, CAICA does not eliminate the inherent tensions between innovation and control, automation and human oversight, or flexibility and formalisation. Instead, it renders these tensions explicit and governable by linking operational signals—such as performance drift, explainability degradation, or oversight breakdowns—to governance status, escalation rights, and conditional authorisation. In doing so, the framework enables institutions to manage adaptive risk dynamically while avoiding both unchecked automation and purely symbolic compliance.

The broader implication of this analysis is that effective AI governance must itself be designed for temporality, context, and adaptivity. Institutions that continue to govern AI as static software artefacts risk accumulating hidden governance debt and regulatory exposure, even where formal compliance requirements appear to be met. Conversely, lifecycle-oriented assurance reframes AI governance as infrastructure rather than constraint, supporting responsible scaling while maintaining regulatory credibility. Ultimately, the capacity to govern AI as a living socio-technical system will play a decisive role in determining whether AI strengthens or undermines trust in regulated financial services.

9. References

Aite Group (2021) AML Model Risk Management: Too Critical to Ignore. Aite Group Report.

Agarwal, A. & Nene, M.J., (2025). A five-layer framework for AI governance: integrating regulation, standards, and certification. arXiv:2509.11332 [cs.AI]

Aldasoro, I., Gambacorta, L., et al., (2025). Intelligent financial system: How AI is transforming finance. Journal of Financial Stability, 81, 101472

Amershi, S., Begel, A., Bradley, D. et al. (2019) Software engineering for machine learning: A case study, in Proceedings of the 41st International Conference on Software Engineering: Software Engineering in Practice, IEEE Press.

Ansari, S. (2022) Aligning artificial intelligence initiatives with business strategy, Journal of Digital Transformation, 6(2), pp. 45–58.

Ankenbrand, T., Bieri, D., Kronenberger, T. and Reichmuth, L. (2023) IFZ FinTech Study 2023: An Overview of Swiss FinTech. Rotkreuz: Institute of Financial Services Zug (IFZ), Lucerne University of Applied Sciences and Arts.

Baldwin, C.Y. and Clark, K.B. (2000) The Power of Modularity. Cambridge, MA: MIT Press.

Basel Committee on Banking Supervision (2021) Supervisory principles for operational resilience. Basel: Bank for International Settlements.

Basel Committee on Banking Supervision (2023) Sound practices: implications of fintech developments for banks and bank supervisors. BIS.

Barredo Arrieta, A., Díaz-Rodríguez, N., Del Ser, J. et al. (2024) Explainable artificial intelligence (XAI): Concepts, taxonomies, opportunities and challenges toward responsible AI, Information Fusion, 89, pp. 1–42.

Basel Committee on Banking Supervision (2023) Principles for operational resilience and AI governance, BIS.

Basir, O.A. (2025) The Social Responsibility Stack: A control-theoretic architecture for governing sociotechnical AI. arXiv:2512.16873 [cs.AI].

Batool, A., Zowghi, D. and Bano, M. (2025) AI governance: A systematic literature review. AI and Ethics, 5, pp. 3265–3279.

Binns, R., 2018. Fairness in machine learning: Lessons from political philosophy. Proceedings of Machine Learning Research, 81, pp.149–159.

BIS (2025) Annual Economic Report 2025, Bank for International Settlements, Basel.

Board of Governors of the Federal Reserve System (2011) Supervisory Guidance on Model Risk Management (SR 11-7). Washington, DC.

Breck, E., Cai, S., Nielsen, E. et al. (2017), The ML Test Score: A Rubric for ML Production Readiness and Technical Debt Reduction, Proceedings of the 2017 IEEE International Conference on Software Quality, Reliability and Security.

Brynjolfsson, E. and McAfee, A. (2017) Machine, Platform, Crowd: Harnessing Our Digital Future. New York: W.W. Norton & Company.

Bughin, J., Seong, J., Manyika, J. et al., (2018), Notes from the AI Frontier: Modeling the Impact of AI on the World Economy, McKinsey Global Institute, December.

Burrell, J. (2016), How the machine “thinks”: Understanding opacity in ML algorithms.

Carvalho et al. (2019), A systematic literature review of machine learning methods applied to predictive maintenance

Cheong, B.C. (2024) Transparency and accountability in AI systems: Safeguarding wellbeing in the age of algorithmic decision-making. Frontiers in Human Dynamics, 6, 1421273.

Danks, D. and London, A.J. (2017) Algorithmic bias in autonomous systems. In: Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence (IJCAI’17), pp. 4691–4697.

Davenport, T.H. and Ronanki, R. (2018) Artificial intelligence for the real world, Harvard Business Review, January–February, pp. 108–116.

Doshi‑Velez, F. and Kim, B. (2017) Towards a rigorous science of interpretable machine learning. arXiv preprint arXiv:1702.08608.

Ettinger, A. (2025). Enterprise Architecture as a Dynamic Capability for Scalable and Sustainable Generative AI Adoption: Bridging Innovation and Governance in Large Organisations. arXiv, 2505.06326.

European Union (2024a) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act). Brussels.

European Union (2024b), EU Artificial Intelligence Act. Brussels.

Fernández-Narro, D., Ferri, P., Gutiérrez-Sacristán, A., García-Gómez, J.M. and Sáez, C. (2025) Unsupervised characterization of temporal dataset shifts as an early indicator of AI performance variations: Evaluation study using the Medical Information Mart for Intensive Care-IV dataset. JMIR Medical Informatics, 13, e78309. doi:10.2196/78309.

Financial Action Task Force (FATF) (2021) Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.

Finch, W.W. & Butt, M., (2025). Gaps in AI-Compliant Complementary Governance Frameworks’ Suitability (for Low-Capacity Actors), and Structural Asymmetries (in the Compliance Ecosystem)—A Review. Preprints.org.

FINMA (2018) Circular 2018/3 Outsourcing – banks and insurers, Swiss Financial Market Supervisory Authority, Bern.

FINMA (2024) Governance and risk management when using artificial intelligence, Bern: Swiss Financial Market Supervisory Authority.

Floridi, L., Cowls, J., Beltrametti, M. et al. (2018) AI4People—An ethical framework for a good AI society: Opportunities, risks, principles, and recommendations, Minds and Machines, 28(4), pp. 689–707.

Garcia, M.T.M. & de Mendonça, F.C., (2023), Compliance with the Basel Core Principles and supervisory structure: A cross-country analysis. Journal of Financial Stability.

Gama, J., Žliobaitė, I., Bifet, A., Pechenizkiy, M. and Bouchachia, A. (2014) A survey on concept drift adaptation, ACM Computing Surveys, 46(4), pp. 1–37.

Gartner, (2025). Gartner survey shows finance AI adoption remains steady in 2025. Gartner Press Release, 18 November 2025.

Gasser, U. and Schmitt, C. (2019) The Role of Professional Norms in the Governance of Artificial Intelligence. Berkman Klein Center Research Publication No. 2019-13.

Global AI Governance Survey, (2025), AI governance survey reveals critical gaps between AI ambition and operational readiness.

Hagendorff, T., (2020). The ethics of AI ethics: An evaluation of guidelines. Minds and Machines, 30(1), pp.99–120.

Herrera-Poyatos, A., Del Ser, J., López de Prado, M., Wang, F.-Y., Herrera-Viedma, E. & Herrera, F., 2025. Responsible Artificial Intelligence Systems: A Roadmap to Society’s Trust through Trustworthy AI, Auditability, Accountability, and Governance. arXiv:2503.04739 [cs.AI].

Hinder, F., Schirneck, M., Schmid, U. and Kersting, K. (2024) Monitoring and maintaining machine learning models in production. Machine Learning.

ISO/IEC 42001, (2023) Information technology — Artificial intelligence — Management system standard

ISO/IEC (2023) ISO/IEC 23894: Artificial intelligence — Risk management. Geneva: International Organization for Standardization.

Jobin, A., Ienca, M. and Vayena, E. (2019) The global landscape of AI ethics guidelines, Nature Machine Intelligence, 1(9), pp. 389–399.

Joshi, S., 2025. AI and Financial Model Risk Management: Applications, Challenges, Explainability, and Future Directions. Preprints.org, March 2025.

Kandikatla, L. & Radeljic, B., (2025). AI and Human Oversight: A Risk-Based Framework for Alignment. arXiv:2510.09090 [cs.AI].

Kustitskaya, T.A., Esin, R.V. & Noskov, M.V. (2025), Model drift in deployed machine learning models for predicting learning success, Computers, 14(9), 351. doi:10.3390/computers14090351.

Kim, B.J., Jeong, S., Cho, B. & Chung, J.-B. (2025) AI Governance in the Context of the EU AI Act: A Bibliometric and Literature Review Approach, IEEE Access, published 12 August 2025

Kolt, Noam, Shur-Ofry Michal, Cohen Reuven (2025), Lessons from complex systems science for AI governance

Kurshan, E., Balch, T. & Byrd, D. (2025) The Agentic Regulator: Risks for AI in Finance and a Proposed Agent-based Framework for Governance, arXiv:2512.11933 [cs.AI].

Lipton, Z.C., (2018). The mythos of model interpretability. Communications of the ACM, 61(10), pp.36–43.

Lu, J., Liu, A., Dong, F., Gu, F., Gama, J. and Zhang, G. (2020) Learning under concept drift: A review, IEEE Transactions on Knowledge and Data Engineering, 31(12), pp. 2346–2363.

Mökander, J. and Floridi, L. (2021) ‘Ethics-based auditing of automated decision-making systems’, AI & Society, 36, pp. 751–768.

Machucho, R., (2025). The impacts of artificial intelligence on business innovation. Systems Research and Behavioral Science, 13(4), pp.264–280.

Manic, M. & De Silva, D. (2025,) A systematic review of responsible artificial intelligence principles and practice. Applied Systems Innovation, 8(4), pp. 97.

McKinsey & Company, (2025). The State of AI 2025: Global Survey 2025. McKinsey.

Mehrabi, N. et al. (2021). A Survey on Bias and Fairness in Machine Learning.

Miller, T., (2019). Explanation in artificial intelligence: Insights from the social sciences. Artificial Intelligence, 267, pp.1–38.

Mittelstadt, B.D., (2019). Principles alone cannot guarantee ethical AI. Nature Machine Intelligence, 1(11), pp.501–507.

NIST (2023), Artificial intelligence risk management framework (AI RMF 1.0) Gaithersburg, MD: NIST.

Nwachukwu, P.S., Chima, O.K. and Okolo, C.H. (2025) The Artificial Intelligence Governance Framework for Finance: A Control-By-Design Approach to Algorithmic Decision-Making in Accounting. Finance & Accounting Research Journal, 7(8), pp. 350–379.

OECD, (2025), ‘The Adoption of Artificial Intelligence in Firms’, OECD Publishing, Paris

Orlikowski, W.J. and Iacono, C.S. (2001) Research commentary: Desperately seeking the “IT” in IT research. Information Systems Research, 12(2), pp. 121–134.

Papagiannidis, E., Mikalef, P. and Conboy, K. (2025) Responsible artificial intelligence governance: A review and research framework. Journal of Strategic Information Systems.

Paz, H.R. (2025), From Linear Risk to Emergent Harm: Complexity as the Missing Core of AI Governance, arXiv:2512.12707 [cs.GV].

Porter, M.E. and Kramer, M.R. (2006) Strategy and society, Harvard Business Review, 84(12), pp. 78–92.

Power, M. (2007) Organized Uncertainty: Designing a World of Risk Management. Oxford: Oxford University Press.

Raji, I.D. et al. (2020) Closing the AI accountability gap, Proceedings of FAT, pp. 33–44.

Raftopoulos, M. & Hamari, J., 2024. Organizational challenges in the adoption and implementation of artificial intelligence. In: Hawaii International Conference on System Sciences (HICSS).

Rahwan, I., (2018). Society-in-the-loop: Programming the algorithmic social contract. Ethics and Information Technology, 20, pp.5–14.

Ribeiro, D., Rocha, T., Pinto, G., Cartaxo, B., Amaral, M., Davila, N. & Camargo, A., (2025). Toward Effective AI Governance: A Review of Principles. arXiv:2505.23417 [cs.GI].

Samek, W., Wiegand, T. & Müller, K.R., (2019). Explainable artificial intelligence: Understanding, visualizing and interpreting deep learning models. IT - Information Technology, 61(5-6), pp.385–403.

Schröder, T. and Schulz, M. (2022) Monitoring machine learning models: a categorization of challenges and methods. Data Science and Management, 5(3), pp. 105–116.

Sculley et al. (2015). Hidden Technical Debt in ML Systems.

Shrestha, Y.R., Ben-Menahem, S.M. and von Krogh, G. (2019) Organizational decision-making structures in the age of artificial intelligence, California Management Review, 61(4), pp. 66–83.

Sudjianto, A. & Zhang, A., (2024). Model validation practice in banking: A structured approach for predictive models.

Swiss Federal Supreme Court (2019) Eidgenössische Finanzmarktaufsicht FINMA, judgment of 30 April 2019, 2C_571/2018, II. Public Law Division. Lausanne: Bundesgericht.

Taeihagh, Araz, (2025), Governance of Generative AI, Policy and Society, Volume 44, Issue 1, Pages 1–22

Teichmann, F., (2026). Risk, reasonableness and residual harm under the EU AI Act: A conceptual framework for proportional ex-ante controls. European Journal of Risk Regulation.

Thorne, M., Hassan, A. & Tanaka, K., 2025. Explainable AI and Model Governance in Regulated Enterprise Environments: Frameworks, Compliance, and Trust.

Van der Aalst, W.M.P., (2016), Process Mining: Data Science in Action (2nd edn), Springer, Berlin.

Vuković, D., Dekpo-Adza, S. and Matović, S. (2025) AI integration in financial services: a systematic review of trends and regulatory challenges. Humanities and Social Sciences Communications.

Wang, D., Yang, Q., Abdul, A. & Lim, B.Y., (2021). Designing Theory-Driven User-Centric Explainable AI. Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems, pp.1–20.

Weill, P. and Ross, J.W. (2004) IT Governance: How Top Performers Manage IT Decision Rights for Superior Results, Harvard Business School Press, Boston.

Weinberg, A. I. (2025). A Framework for the Adoption and Integration of Generative AI in Midsize Organizations and Enterprises (FAIGMOE). arXiv, 2510.19997.

Widmer, G. and Kubat, M. (1996) Learning in the presence of concept drift. Machine Learning, 23(1), pp. 69–101.

Winecoff, A.A. & Bogen, M., (2024). Improving governance outcomes through AI documentation: Bridging theory and practice. Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems, pp.1–15.

Wolfsberg Group, (2025). The Wolfsberg Statement on Effective Monitoring for Suspicious Activity, Part II: Transitioning to Innovation.

World Economic Forum, (2026). The Global Risks Report 2026. 21st ed. Geneva: World Economic Forum.

Yuniawan, A., Hersugondo, F. M., Latan, H., & Renwick, D.W.S., 2025. Determinants of artificial intelligence adoption in the financial services industry: Understanding employees’ perspectives. Journal of International Journal of Management and Enterprise Innovation, 12(1), pp.100371.