AI Risk Framework

AI in the second line: governing tools the risk function did not build | Russel Fielding

Information Security and Data Privacy  ·  Article

Generative AI has entered regulated firms faster than the governance around it. For the second line, the challenge is not new in kind. It is model risk arriving at a speed and scale that the existing framework was never sized for.

Published: May 2026
Focus: Jurisdiction-neutral

Disclaimer

This article is provided for general information and education only. It is not legal advice. Legislation, rules and regulatory guidance change, sometimes quickly. Readers should confirm the current position and obtain jurisdiction-specific professional advice where needed. The views and experience expressed are Russel Fielding's own and do not represent any employer or client organisation.

In most regulated firms, artificial intelligence reached the business before it reached the risk framework. A team adopted a tool. A process was quietly improved. A vendor added a feature, and that feature used a model. By the time the second line was asked to form a view, AI was already in use, often in several places, and the question was no longer whether to allow it but how to govern something already running.

That sequence, capability first and governance afterwards, is the source of much of the discomfort around AI in regulated firms. But it is worth being precise about that discomfort, because the common framing that AI is a new and unprecedented risk is only half right.

The risk is not unprecedented. Regulated firms have governed models for decades. Credit models, pricing models, capital models, fraud detection models: the discipline of model risk management exists precisely because firms have long relied on systems whose outputs are probabilistic, whose behaviour depends on data, and whose errors can be expensive. The second line knows, in principle, how to govern a model.

What is new is the speed, the spread and the accessibility. Model risk used to attach to a manageable number of models, built deliberately by specialist teams, on a timescale that governance could keep up with. Generative AI breaks all three assumptions at once. This article is about what that means for the second line, and why the answer is less about inventing a new discipline than about scaling one the firm already has.

Why it feels new, and where that feeling misleads

Three things make AI feel like a different kind of risk, and each contains a half-truth worth separating.

The first is that the models are not built in-house. A traditional model risk framework often assumes the firm developed the model, or at least commissioned it, and can inspect how it works. Much generative AI is consumed as a service, trained by someone else, on data the firm cannot see, and updated on a schedule the firm does not control. That is a genuine change. But it is a change of degree, not of kind: firms have long had to govern vendor-supplied models and outsourced analytics. The task is to extend that discipline to a wider and faster-moving set of tools.

The second is that the models are general. A credit model does one thing, and its scope of use is known. A general-purpose AI tool will be used for whatever the people who have it decide to use it for, and that set of uses grows without anyone deciding it should. This is the most genuinely novel feature, and it is the one the rest of this article keeps returning to, because it is what breaks the traditional model inventory.

The third is that the models are accessible. Using a sophisticated model once required a specialist. Now it requires a login. Anyone in the business can put a model into a process without recognising that this is what they have done, which means the second line cannot assume it knows where the firm's models are. That is uncomfortable, but it is not mysterious. It is a control problem, and control problems are familiar ground.

The honest summary is that AI is not a stranger to the second line. It is a familiar risk, model risk, arriving faster than the intake process was built for, spreading wider than the inventory was designed to track, and entering through hands the framework did not expect to be holding it.

The problem that has to be solved first

Every model risk framework rests on a single foundation: the firm knows what models it has. The model inventory is the thing everything else is built on. You cannot assess, monitor, or govern what you have not catalogued.

Generative AI attacks that foundation directly. When using a model requires only a login, and when general-purpose tools are used for purposes that nobody formally scoped, the inventory stops being a reliable picture of reality. The firm has models in use that the second line has never seen, not because anyone concealed them, but because the people using them did not recognise that a tool they typed into was a model the firm needed to know about.

So the first task is not to write an AI policy. It is to find where AI is actually being used. That is partly a discovery exercise, looking honestly across the business at what tools are in use and which vendor features have quietly become AI features. It is also a permanent change in how the firm keeps its inventory current, because a one-off sweep will be out of date within months. The inventory has to become something that updates as adoption happens, rather than something audited once a year.

This is unglamorous work, and it is tempting to skip ahead to the more interesting questions of policy and principle. But a policy that sits on top of an inventory the firm knows to be incomplete is a policy governing the wrong thing. The discovery has to come first.

Governing by use, not by tool

Once a firm can see where AI is used, the next instinct is often the wrong one: to govern every use by the same standard. That produces one of two failures. Either the standard is set high, and the firm spends disproportionate effort governing trivial uses, while real adoption moves faster than the process. Or the standard is set low to keep up, and genuinely consequential uses are governed too lightly.

The way out is the same principle that has always underpinned good model risk management: govern in proportion to consequence. What matters is not that a model is being used, but what depends on its output.

A model used to draft an internal summary that a person will read, check, and could easily write themselves is a low-consequence use. It deserves light governance. A model whose output informs a customer decision, supports a regulatory submission, shapes a financial figure, or affects how the firm treats a person is a higher-consequence use. That kind of use deserves much stronger governance, regardless of how easy the tool was to adopt.

The distinction that matters is not the sophistication of the model. It is the question of what happens if the model is wrong, and who would notice. A use where a confident error would be caught immediately by a competent human is in a different category from a use where a confident error would flow through into a decision unchallenged. The second line's job is to make that distinction clearly, and to concentrate its limited attention where the consequences live.

The explanation problem

There is one respect in which generative AI genuinely is harder to govern than the models that came before it, and it deserves to be stated plainly rather than minimised.

Earlier models often allowed a firm to describe, with reasonable specificity, the factors that drove an output and the basis on which a result was relied upon. Many generative AI systems do not offer that same level of traceability. They can produce an output, and they can produce a fluent account of that output, but a fluent account is not the same thing as a reliable explanation of how the result was reached.

That matters because regulated firms are often expected to account for material decisions to customers, regulators, auditors, boards, or their own control functions. The exact legal and regulatory basis will vary by context. In data protection law, the UK rules on solely automated decision-making turn in part on whether a decision has legal or similarly significant effects, and current guidance in this area is under review. But the practical point is broader than any one regime: if a firm cannot explain, evidence, or challenge how an output was used, it should be cautious about placing that output in a high-consequence decision.

In practice, that usually means putting meaningful human judgement in the right place. The answer is not to wait for the technology to become perfectly explainable. It is to design higher-consequence uses so that a person is responsible for the decision, can interpret the output in context, can depart from it where needed and can give the reasons for the decision actually taken. The model may inform the judgement. It should not quietly replace it.

Where this sits across the lines of defence

The underlying allocation of responsibility does not need to be rewritten for AI. It needs to be applied properly, with first-line ownership, second-line oversight and third-line assurance kept clear.

The first line owns the use. The team that adopts an AI tool assumes the risk of using it, just as it assumes any other operational risk it takes on. The most important first-line shift is simply recognition: the people adopting these tools have to understand that putting a model into a process is a risky decision, and one that the rest of the framework needs to know about. Much of the inventory problem is really a first-line awareness problem.

The second line owns the framework and the challenge. It sets the standard for how AI use is assessed, helps ensure the inventory is credible, defines what "high-consequence" means in the firm's context, and provides a real challenge to the uses that warrant it. The second line does not need to build these models itself. It does need to ask, for any consequential use, what depends on this output, what happens if it is wrong, what controls surround it, and who will know in time to intervene. Those are familiar questions. The tool is new. The questions are not.

The third line provides assurance that the framework is real. An independent audit asks whether the inventory reflects reality, whether the proportionality judgements are made honestly, and whether high-consequence uses are genuinely governed by the standard the framework claims. The third line is the check against the most likely failure: a framework that looks complete on paper while adoption quietly outruns it in practice.

Final thought

The pressure to treat AI as an entirely new category of risk is understandable and largely a mistake. Treating it as wholly new invites two errors: building a separate governance regime that duplicates the firm's existing model risk framework, and assuming none of the firm's existing experience applies. Both waste the very thing the second line most needs: the discipline it has already built.

The more useful framing is harder and less dramatic. The second line was already in the business of governing models it did not fully control, whose outputs were probabilistic and whose errors could be expensive. Generative AI has taken that familiar problem and changed its speed, its spread and its point of entry. Much of the discipline still holds. What has to change is the scale at which it operates, the way it keeps inventory, and the honesty with which the firm admits how much AI is already in use. The firms most likely to manage AI well will not be the ones that treated it as wholly unprecedented. They will be the ones who recognised how much of the existing discipline still applies and then resized the framework to match.

About the author

Russel Fielding is a senior transformation consultant with more than two decades of experience as a business owner and working inside large regulated organisations across financial services, higher education, and professional sport. He holds an LLM in Fraud and Financial Crime from BPP University, awarded with distinction, alongside PMP, CIPM and PRINCE2 qualifications.

The articles, guides and courses on russelfielding.com are free to access and written in plain language by someone who has delivered the work.