A new report has warned that generative AI presents financial services firms with risks that cannot be fully resolved - only managed - and that the industry has not yet found comfortable answers to the governance questions the technology raises.
Published by the London Foundation for Banking and Finance (LFBF) and the Institute and Faculty of Actuaries (IFoA), "It's Still Not Magic: Framing the Risks Facing Financial Services in the Gen AI Era" updated a 2019 predecessor study and drew on a survey of senior practitioners. It found that 70% of respondents agreed AI risks are among the greatest facing their sector over the next five years, while 75% said those risks had increased substantially since generative AI became widely available. The top three concerns were cyber threats, misleading outputs and knowledge gaps.
The report's central argument is that generative AI's most significant risks are not incidental flaws to be patched but structural features of the technology itself. The same capabilities that make AI useful - its persuasiveness, accessibility and ability to operate at scale - also make it difficult to govern, explain, trust or contain. The authors described these as "uncomfortable tensions."
As firms embed AI more deeply into tools and infrastructure, many of the most complex risks are not firm-level but ecosystem-level, the report warns. Decisions that appear sensible for individual organisations can create hidden dependencies and shared points of failure across the financial system.
The framework identified nine risks grouped into three categories: outcomes, operating environment and system - tracing how AI risk moves through the financial ecosystem from customer experience through to systemic dynamics.
Keyur Patel, LFBF research associate and report author, said the question firms face is not simply whether risks can be mitigated, but how much risk they are prepared to accept in exchange for AI's benefits.
"Generative AI gives these tensions new force," Patel said. "It lowers barriers to use, makes AI feel relatable and trustworthy, and is increasingly embedded in how financial institutions think and work. That matters because AI outputs can be useful, confident and wrong at the same time - and 'mostly right' can be dangerous."
Paul Sweeting, IFoA President, added that the actuarial profession has a specific role to play.
"With our unique combination of technical skill, communication and professional oversight, actuaries must play a key role in making sure that AI is working as it should," he said.
The report arrives as AI adoption across UK insurance reaches near-saturation levels. The Bank of England and the FCA's 2024 joint survey found that 95% of insurance firms were already using AI, the highest rate of any financial services subsector. Yet adoption has outpaced understanding, with 46% of firms reporting only a partial understanding of the AI they use, against just 34% claiming complete understanding.
Concentration of AI infrastructure compounds the concern. A third of all AI use cases in UK financial services now rely on third-party implementations, up from 17% in 2022, with the top three providers accounting for the lion's share of cloud, model and data supply. This is precisely the kind of shared dependency the report identified as a systemic risk, where individually rational outsourcing decisions create collective points of failure.
The FCA has warned that AI-enabled hyper-personalisation of pricing could benefit many policyholders through more tailored premiums, while simultaneously risking rendering others uninsurable. AI systems used in pricing, policy drafting and claims handling also carry direct Consumer Duty implications. Where a model generates a misleading output in a customer-facing context, the firm bears the regulatory consequences regardless of whether it built the model or bought it.
The UK's approach to AI governance remains principles-based. The FCA's strategy for 2025 to 2030 commits the regulator to a "tech-positive" outlook focused on outcomes rather than prescriptive rules, with no AI-specific regulation planned.
In December 2025, FCA chief executive Nikhil Rathi reaffirmed that position, citing the technology's rapid evolution every three to six months as a reason to avoid locking down fixed rules. That places the burden of governance firmly on firms.
Meanwhile, political scrutiny is intensifying. A Treasury Committee inquiry has been examining whether existing frameworks are adequate. The Critical Third Parties regime, introduced by the Bank of England, PRA and FCA in November 2024, gives regulators new oversight powers over firms providing critical AI and cloud services, with formal designations expected in 2026. Insurers with EU clients face additional obligations under the EU AI Act, which classifies AI used in life and health underwriting as high-risk.
The LFBF/IFoA framework offers a practical lens for governance that goes beyond compliance.
As AI becomes embedded in underwriting, claims triage and customer communications, the governance infrastructure around those systems must keep pace. The report's finding that misleading outputs rank among the top three AI risks is not abstract. In an insurance context, a confident but wrong AI output in a claims decision or policy recommendation carries real regulatory and reputational consequences.