AI Grounding Is a Control, Not a Prompt
AI grounding fails when it is requested rather than enforced, and traceability proves provenance, not truth.
Open most systems that describe themselves as grounded and you find the same arrangement. There is a retrieval step, and there is an instruction telling the model to cite its sources. The output arrives dressed in footnotes and links, and it looks trustworthy. Look harder and the citations are frequently decorative: the cited source does not say what the sentence claims, or the link was attached afterwards to lend the answer an air of evidence. This is the gap that turns AI grounding from a control into a costume, and often nobody verified the difference because nobody could.
What has been built in that arrangement is the visual grammar of evidence without the property of being evidenced, and it holds until someone acts on a confident, well-cited statement that turns out to be neither. In a casual setting that is an embarrassment. In a regulated institution it is a control failure with a supervisor attached, which is why grounding cannot be left as something you ask the model to do. It has to be something the system enforces on the output, a rule the platform refuses to break, checked automatically, with the authority to reject anything that fails.
The distinction between requesting good behaviour and enforcing an invariant is the whole argument, and many institutions are on the wrong side of it without realising.
Requesting is a tendency; enforcing is a property
The reason a prompt cannot deliver grounding is the same reason it cannot deliver a database constraint. An instruction shifts the distribution of what the model produces. It makes the good outcome more likely and the bad outcome rarer, and it never makes the bad outcome impossible. Grounding failures live in the tail, in the small fraction of outputs where the model was fluent and wrong, and a tendency does not close a tail. Only a check with the power to reject does. You cannot prompt your way to an invariant any more than you can politely request that a foreign key always resolve.
That is the conceptual move a CIO needs to insist on. Grounding is not a quality of the model, to be coaxed out with better wording. It is a property of the system, to be enforced at the boundary before an output is allowed to leave. Framed that way, it stops being a data-science tuning exercise and becomes an architecture and controls question, which is where it belongs.
What enforced AI grounding looks like in practice
I built a system whose entire premise was traceability. It generated forward-looking scenarios, and every projection it produced had to trace back to a real, present-day signal that gave rise to it; nothing was permitted to appear from nowhere. This part was real, working code rather than a diagram. Before anything was published, an automatic check walked the chain of reasoning behind each projection to confirm it connected back to a genuine starting signal, and it recorded a violation for anything that did not. The contract was that the system refused to emit a result that failed the check. Not flag it, not lower its score, but refuse it. That verb is the entire difference between grounding as a property and grounding as a hope. Either your platform can decline to publish an ungrounded claim, or it cannot, and if it can only nudge the model and inspect the results afterwards, it does not have grounding, it has good intentions and a review backlog.
The mechanics generalise cleanly into financial services, and they land on obligations institutions already hold. A model-assisted output that informs a decision, a fraud narrative, a suitability rationale, an alert summary, should carry the evidence that produced it as a structural part of the record, not as a free-text gesture towards various factors. That is not a novel demand invented for AI. It is the same expectation that sits behind risk-data-lineage and model-governance regimes: you should be able to show what an output was built from. The PRA's model risk management principles make governance, documentation and model inventory explicit. An AI system that cannot demonstrate lineage is failing a test the institution was already required to pass. This is validation done properly, as an enforced gate rather than a sampling exercise after the fact.
The trap that catches careful teams
Here is the part that many discussions of trustworthy AI get wrong, and I include my own approach in the criticism rather than exempting it. Tracing where a claim came from proves its provenance. It does not prove the claim is true. My reachability check guaranteed that every published claim had a genuine lineage. It could not guarantee that the source actually supported the conclusion drawn from it. A model can take a real, reputable document and draw an unsupported inference from it, and that inference sails through a provenance check with a spotless paper trail, because the lineage is intact even though the reasoning is wrong.
This distinction, between provenance and faithfulness, is the one a CIO most needs to hold onto, because it is where overconfidence hides. Enforced traceability buys you auditability, which is genuinely valuable and genuinely necessary: you can always reconstruct what a claim was built from, which is exactly what you need when something goes wrong and someone asks where it came from. But it is not, on its own, a cure for the model inventing things. Anyone selling lineage as an answer to hallucination is overclaiming. Closing the faithfulness gap needs a different and harder mechanism, an adversarial check that reads the claim against its cited evidence and judges whether the evidence actually bears the weight, and that check is a matter of degree rather than a clean yes or no. Which means it belongs on a confidence scale and in front of a human, not inside a hard gate pretending the question is binary.
The same boundary appears in explainable AI for regulated enterprises: the evidence trail and the quality of the inference are related controls, not interchangeable claims.
Say how sure you are, and mean it
The other half of honest grounding is admitting when you are not on solid ground. The same system I built labelled every projection with how confident it was, grounded, probable, or speculative, and gave a reason for the label, and it ran a deliberate challenge pass whose job was to attack weak chains and flag overconfidence. These were operational routing labels, not calibrated probabilities; a system should only present them numerically when their calibration has been measured. It also drew a distinction I had to make explicit because it blurs so easily: a claim marked as confidently grounded is not the same as a claim that actually carries a citation. Some projections legitimately had no source, because you cannot cite evidence about the future, and the honest move there is to label them as extrapolation rather than dress them as fact. Present a guess as established evidence and you have spent the credibility that made the grounded parts worth anything.
For a regulated institution the discipline is to structure uncertainty rather than suppress it, and then to route it. A confident, well-grounded output can move quickly. A low-confidence or thinly evidenced one should go to a person, not downstream as if it were settled. Confidence, expressed as a first-class attribute of every output rather than an adjective buried in prose, is not merely honesty. It is a control surface, and it is how you keep human attention on the cases that actually need it.
The steelman, and its boundary
The fair counter-argument is that a hard refuse-to-emit gate is brittle in exactly the domains where grounding matters most. If the validator is too strict, or its notion of an acceptable source too narrow, it will reject legitimate output, either starving users of information they needed or, worse, teaching engineers to loosen the check until it becomes theatre. That is a real danger, and it defines where the hard gate belongs rather than dismissing it. Reserve the hard, refuse-to-emit gate for provenance, which is a crisp and checkable property with a clear right answer. Route faithfulness and confidence, which are graded and contestable, to human judgement, and do not pretend a threshold turns a matter of degree into a binary. A gate is only as good as the definition behind it, and a bad definition fails closed on good data, so the discipline is to gate the thing that is genuinely binary and to review the thing that is not.
What to do differently on Monday
Ask a hard question of every AI system that touches a customer outcome or a regulatory report: can it decline to publish an output it cannot ground, and does it actually do so, or does it merely ask the model nicely and hope? Where the answer is that it asks nicely, you have a controls gap, and it should be logged as one. Make lineage a structural requirement for any model-assisted output that informs a decision, so the evidence travels with the claim rather than being reconstructed under pressure later. Then insist your teams distinguish, in writing, between what they can prove and what they can only estimate, because provenance you can guarantee and faithfulness you can only assess, and a supervisor will eventually ask you to tell the two apart. Build the confidence label into the output as a routing signal, so uncertainty pulls a human in rather than passing silently downstream.
These controls should be part of the AI-Native Engineering governance model, not a prompt template owned by one delivery team.
Grounding begins where prompting ends
Trustworthy AI in a regulated institution is not built by instructing a model to behave. It is built by a system that can refuse to publish what it cannot ground, that knows the difference between proving where a claim came from and proving it is true, and that says out loud how sure it is. “Cite your sources” is an instruction. Grounding is a control. A citation nobody checked is worth about as much as no citation at all.
Capabilities this supports
The Engineering Notebook
Once a month, a long read on what we're learning building governed AI for regulated enterprises. No hot takes, no roundups.
Ankur Chrungoo
Principal Engineer and Architect
Principal Engineer and architect at Bugni Labs, writing about production AI systems, agent governance, model controls, and regulated decisioning.
Related case studies
- Automating evidence extraction for regulatory narrativesReducing manual effort in regulatory narratives while improving traceability and consistency.
- Cloud-native credit decisioning for a digital-first bankFrom blank sheet to production-grade credit decisioning in four months.
- Modernising customer screening for agility and oversightFrom vendor-driven black boxes to a configurable, event-driven screening platform.
You might also enjoy
Agentic AI Is Not a Chatbot With Extra Steps
Unpack why agentic AI enterprise surpasses chatbots. Explore definitions, mechanisms, financial services examples, benefits like 3-5x velocity, and misconceptions for CIOs building governed AI systems.
PerspectiveBuild vs Buy for Enterprise AI
Compare building in-house AI solutions versus buying from vendors for enterprises. Review costs, timelines, pros, cons, stats, and top platforms to decide.
PerspectiveAI Vendor Lock-In Is a CIO Problem, Not Procurement's
AI vendor lock-in is usually fought as a pricing negotiation. In regulated institutions it is an architecture and concentration-risk decision the CIO owns.