As AI becomes embedded in core banking operations, many institutions still lack tested kill-switch protocols and clear regulatory reporting processes when AI systems fail.
Your AI models have no off switch. Most banks haven’t noticed yet — because nothing has gone wrong yet.
Banks are deploying AI faster than at any point in the industry’s history. They are automating customer service, transaction monitoring, trade surveillance, and credit decisioning. They are announcing AI strategies in earnings calls and approving AI roadmaps at the board level. They are, in many cases, simultaneously eliminating the human roles that historically caught the errors those systems produce. And 72% of them cannot tell you how to shut a failing AI model down.
72% of bankers identified AI governance — specifically kill-switch protocols or regulatory reporting of AI failures — as the area where their institution is least prepared. — Wolters Kluwer, 2026
That figure comes from a 2026 Wolters Kluwer survey of banking risk and compliance professionals. Wolters Kluwer is not a fringe research house. It is a global compliance and risk management software firm that works directly with the institutions being surveyed. When they report that nearly three quarters of banks lack reliable mechanisms to either stop a failing AI model or report that failure to regulators, that is not an opinion. That is a self-assessment from the people responsible for the controls.
The 72% breaks into two distinct gaps, each serious on its own:
34% identified kill-switch protocols as their least prepared area — no reliable mechanism to stop a failing model
38% identified regulatory reporting of AI failures as their least prepared area — no defined process to tell regulators what went wrong
Together, they describe a single structural failure: banks have built AI systems they cannot control and cannot explain. The gap between deployment speed and governance readiness has never been wider, or more consequential.
The Control Vacuum No One Is Naming
Every bank in this survey has an AI governance policy. Most have AI risk frameworks. Many have model risk management teams. The documentation exists. What the Wolters Kluwer data reveals is that the documentation and the operational reality are not the same thing.
A kill-switch protocol is not a policy paragraph. It is a tested, operational procedure: who makes the call, through what chain of authority, in what time window, with what technical mechanism for execution, and with what notification requirements to
counterparties and regulators. Most banks have the paragraph. Few have tested the procedure. Fewer still have confirmed that the technical mechanism actually works against a live model in a production environment.
The operational definition matters. A kill-switch that exists in a risk framework document but has never been executed is not a kill-switch. It is a statement of intent. The difference between the two is only visible when something fails — which is precisely the wrong moment to discover the gap.
The regulatory reporting gap is, if anything, more immediate. Banks are legally required to report material operational failures to their primary regulators. As AI systems become embedded in core operational processes, a model failure in transaction monitoring, credit decisioning, or fraud detection is not a technology incident. It is a potential material
operational failure. Banks that have not pre-defined what constitutes a reportable AI failure, who makes that determination, and what the reporting timeline looks like are not managing a future risk. They are already exposed.
The European context makes this concrete. The European Supervisory Authorities reported this month that in the first year of DORA enforcement, 29% of the 3,383 major operational incidents recorded originated from third-party provider failures. One in three material incidents traced back to a vendor, not an internal system. For banks that have embedded third-party AI into their operations without clearly defined failure reporting obligations in their contracts, this is not a statistic from another jurisdiction. It is a preview.
What I Have Seen From The Inside
I have spent more than two decades watching banks manage technology risk. The pattern is consistent, and it applies directly to what the Wolters Kluwer data is describing.
Banks are exceptionally good at building governance frameworks for the technology they already understand. The model risk management function that exists in most large banks was built in response to the 2008 financial crisis and the regulatory guidance that followed. It was designed around quantitative models with known inputs, defined outputs, and interpretable logic. Apply a stress scenario. Validate the assumptions. Document the results. Approve the model for use.
Generative AI and agentic AI systems do not fit that framework cleanly. The inputs are not always defined. The outputs are not always predictable. The logic is not always interpretable. Banks are taking governance frameworks designed for one class of model and applying them to a fundamentally different class, without always acknowledging that the fit is imperfect.
“The banks that manage technology risk well share one characteristic: they treat operational controls as infrastructure, not paperwork. The difference is not visible in the policy document. It is visible the moment something breaks.” — Rick Mavrovich, The Strategic Flywheel: How to Run, Change and Innovate the Bank, 2nd Edition
The kill-switch gap is a specific instance of a broader pattern: banks are treating AI governance as a documentation exercise rather than an operational one. The risk committee reviewed the framework. The board approved the policy. The checkbox exists. What has not happened, in most institutions, is the operational test: a cross-functional exercise, run against a real production system, that confirms the bank can actually execute what the policy describes.
That distinction, between a governance framework that exists and a governance capability that works, is where the exposure lives. And it is growing, because AI deployment is accelerating while governance capability is not keeping pace.
Why The Timing Has Changed
For the past several years, the AI governance gap was a theoretical risk. No major AI failure at a bank had triggered a material regulatory action. The kill-switch question was academic. That window is closing, from multiple directions simultaneously.
The first direction is workforce. Bloomberg and Fortune both reported this month that major banks are actively preparing workforce reduction plans targeting entry-level analysts and junior processing roles directly tied to AI automation. This is not a future trend. It is an active program at institutions that are simultaneously acknowledging the governance gaps the Wolters Kluwer survey documents.
Banks are removing the human checkpoints that historically caught model errors at the same time they are admitting they have no reliable automated mechanism to catch those errors instead. That is not a transition. That is a control gap that expands with every headcount reduction announcement.
The second direction is regulatory. The Reserve Bank of India directed all regulated entities this month to complete a board-approved AI risk gap assessment and submit a time-bound remediation plan by June 30. That is a hard deadline, not guidance. Colorado’s comprehensive AI Act takes effect on the same date, applying to any business deploying high-risk AI systems. California has enacted 24 separate AI laws across two legislative sessions. The state-level patchwork is accelerating faster than any federal framework, and the compliance architecture for AI governance needs to be modular and jurisdiction-aware right now.
The third direction is the deployment curve itself. Volante Technologies announced this month that its full payments processing platform is now powered by an agentic AI layer making autonomous routing, exception handling, and compliance decisions without human intervention. Agentic AI systems operating at the payments infrastructure layer are not a pilot. They are production. When those systems fail, the kill-switch question is not theoretical. It is operational, measured in minutes, and consequential to counterparties, regulators, and customers simultaneously.
The banks that build genuine kill-switch capability in 2026, not documentation but operational procedure, will have a compounding advantage as AI embeds deeper into core processes. The banks that do not will face that test on a timeline they do not control, under conditions they did not choose.
Rick’s Take
The 72% number is the most important data point in banking AI this month, and most banks are treating it as a survey result rather than an action item. Here is the question I would ask every CRO and Chief Compliance Officer reading this: When did you last run an end-to-end test of your AI failure response? Not a tabletop exercise. Not a policy review. An actual test, against a production system, with the people who would actually execute it, confirming that the technical mechanism works and the regulatory notification process has been defined and rehearsed.
If the honest answer is never, or you are not sure, that is your answer.
The job cut announcements and the governance gap are not separate stories. They are the same story. Banks are making a structural bet that AI systems are reliable enough to operate without the human error-catching layer that historically existed beneath them. That bet may prove correct. But it is a bet that should be made with eyes open, with tested controls in place, and with a clear answer to the question: if it fails, what happens next?
Most banks do not have a clear answer. That is the kill-switch gap. And the regulators, from New Delhi to Denver, are starting to ask the same question.
