
Beyond monolithic AI controls: a classification framework for financial services

A four-tier framework — Assistive, Augmented, Semi-autonomous, Peer — for proportionate AI governance in financial services, with controls matched to each autonomy tier.

Abhay Chrungoo
Series: Regulated AI · Part 1

The problem with monolithic controls

The financial services industry is deploying AI at pace. The regulatory frameworks designed for an earlier era of model risk are showing their seams.

Monolithic AI controls — uniform expectations applied across all AI use cases — settle to the least common denominator. They are heavy enough to stifle basic, low-risk use cases, and inadequate for the most complex and consumer-consequential ones.

Firms respond in one of two ways: they over-control everything (slowing safe adoption, frustrating the work that should be cheap), or they apply notional governance that fails when real risk materialises. Neither outcome serves consumers. Neither serves firms either.

The pattern that works — and is already established in adjacent regulatory areas — is classification-led control.

The recommendation

Firms providing financial services, and the technology firms supplying them, should be required to classify each AI use case by autonomy tier. Control postures should be defined per tier.

Bugni's working four-tier classification:

Assistive. AI suggests; a human accepts, rejects, or modifies every output. Code completion. Drafting assistants. Document summarisation used internally. The human is in the loop on every decision.

Augmented. AI extends what a human can do at scale or speed, with human oversight at decision boundaries. Alert triage. Customer-service co-pilots. Investigation pre-summarisation. The human still owns the decision; the AI changes what's possible to handle.

Semi-autonomous. AI executes within defined limits, with human review at exception or escalation points. Routine fraud screening. Eligibility pre-checks. Automated workflows with human-in-the-loop gates. The AI decides within a defined scope; the human owns the exceptions.

Peer. AI executes decisions independently within its domain, with audit trail and rollback capability rather than per-decision human review. Limited today; growing.

Each tier carries a different control posture: review cadence, monitoring intensity, rollback triggers, human escalation paths, infrastructure isolation, and recovery requirements. Applying autonomous-grade controls to assistive use kills productivity. Applying assistive-grade controls to autonomous use creates real consumer risk.

This pattern is not novel

Data already gets this treatment in every regulated firm: public, limited, confidential, highly confidential. Each tier has handling protocols defined: where data must live, who can access it, how it must be transmitted, and what audit trail it leaves behind.

AI is more sophisticated and moves faster, but the pattern transfers cleanly. The regulatory ask is simply that firms classify, declare, and operate to the controls appropriate to each tier.

What this enables

Differential expectations. Smaller firms exploring assistive AI use cases can move quickly. Larger firms running semi-autonomous workflows in production carry the heavier governance overhead — proportionate to consumer risk.

Clearer audit posture. When an incident occurs, the relevant question becomes "what controls were required for this tier, and were they applied?" — not the current "did the firm have any AI governance at all?"

Cross-firm comparability. Regulators can compare like with like: a bank's semi-autonomous fraud screening is compared with another bank's semi-autonomous fraud screening, not with a third bank's assistive code completion.

Adoption acceleration in the low-risk tiers. Many of the productivity benefits of AI sit in the assistive and augmented tiers. Today, those benefits are gated by the same governance overhead applied to peer-level autonomy. Classification unlocks adoption where it should be unlocked.

A consumer-facing implication

Consumers today have little visibility into the autonomy level of the AI making decisions about them — credit, fraud, eligibility, service.

There is a case for disclosure. Firms should make clear what tier of AI the consumer is interacting with, so that public awareness can develop alongside technical adoption. A consumer denied a credit application by a semi-autonomous decision should be able to know that. A consumer being assisted by an AI co-pilot in a customer service interaction should know that too.

What we are asking regulators and industry decision-makers to consider

For industry decision-makers:

  1. Begin internal classification now, ahead of regulatory clarity. The classification work generates immediate operational benefit — clearer control posture, better audit-readiness, faster onboarding of new AI use cases — and prepares the firm for the regulatory shape that is coming.
  2. Audit current controls against the tier the AI is actually operating at. Many firms apply assistive-grade governance to semi-autonomous workflows, or autonomous-grade governance to assistive ones. Both create real problems.
  3. Set the boundaries explicitly. The tier an AI use case sits in is a designed property of the system, not a description of the technology. Decide where the human-in-the-loop gate is; build the system to enforce it.

For regulators:

  1. A classification standard for AI use cases in financial services. The four-tier shape above is one option; the precise tiers and dimensions are for the regulator to define.
  2. Control postures defined per tier — review intensity, monitoring requirements, rollback capability, escalation paths, infrastructure isolation expectations.
  3. A reporting expectation — firms classify and declare their AI use cases by tier as part of regulatory engagement.
  4. A consumer-facing disclosure requirement — consumers should know the tier of AI making decisions about them.

Where this comes from

Bugni Labs is an engineering-led organisation building AI-native systems for regulated industries. We work in production across UK retail banks, challenger banks, and specialist lenders. We see the architectural and governance questions recur across firms in slightly different shapes.

The classification framework above is a synthesis from production engagements. It is offered as a practitioner contribution to the industry conversation, written to inform regulators alongside the firms doing the work.


Abhay Chrungoo

Managing Director

Managing Director and Chief Scientist at Bugni Labs. Platform engineering, AI-native systems, and architecture for regulated enterprises. 20+ years building systems in complex, high-stakes environments.