Using AI in finance is a bit like using a calculator: it’s a game-changer, but as a best practice, you need to be able to show your work.
With the release of FINRA’s 2026 Regulatory Oversight Report, it’s clear that every financial institution’s biggest hurdle is no longer how to embrace AI — but how to demonstrate its governance. It’s why regulators have sharpened their focus on AI record-keeping, documentation, and human supervision.
“You’ve got to prove you’ve actually done your work,” says Box Managing Director of Banking Matthew Midson.
Midson, whose career path spans bank engineering to CIO leadership, highlights the critical gap: Firms need airtight logs and lineage for governance, yet data and app sprawl frequently obscure the trail.
To help businesses navigate this scrutiny, he outlines three key recommendations to enhance resiliency and harden compliance.
Key takeaways
- Proof over promise: Regulatory bodies prioritize evidence-based governance that documents reasoning for every AI-generated decision
- Rationalize your tech stack: Move away from experiments and consolidate into a unified platform that serves specific and strategic needs
- Efficiency is a revenue driver: Transitioning from manual processes to agentic AI is a lever for revenue growth and risk mitigation
- Use human-in-the-loop (HITL) validation: Human oversight is an essential component for validating outputs
- Protect assets with content-native security: Hardening AI compliance requires a framework of least-privilege access and confidence scoring
Tip 1: Choose adoption over fragmented experiments
Midson identifies organization-wide AI adoption, rather than isolated experiments, as a crucial first step in building regulatory trust:
“It’s important to move from AI experimentation into adoption and to leverage technologies that can remediate a lot of manual processes,” he says.
With disparate functions common across institutions, experimentation on a large scale might seem logical. But, Midson explains, automating heavy, manual processes across complex fields like capital markets can lead to dangerous fragmentation.
“Products like bank software are complex, and client needs are nuanced — and when there’s more complexity, there’s more fragmentation.”
Midson says this fragmentation is exactly what makes supervision and recordkeeping — the “showing your work” part of the equation — a daunting task. By consolidating tools, banks can more easily meet compliance requirements while capturing the speed and revenue growth that manual, siloed processes block.
Eliminating redundant tools also empowers companies to focus on scaling key initiatives. Therefore, Midson says, the shift from experiment to adoption also helps drive a business’ bottom line.
“Reducing document-heavy processes is correlated to revenue growth, and it creates operational efficiency,” he explains. “It helps speed up things like lending and loan origination or certain training so that they can then capture more revenue-generating or revenue-supporting initiatives.”
Tip 2: Purchase on purpose
Another barrier to trust is a surplus of products that aren’t tied to business strategy.
“If you’re not careful, you can end up with tech debt, and then you’ve created a whole load of other challenges,” Midson adds.
His advice for building a governable infrastructure is simple: Rationalize your stack. Make sure every piece of technology is tied to a specific outcome rather than a trend.
“Simplify the amount of technology platforms you have,” he says, “and rationalize them so they’re all serving a purpose and they’re correlated to support an underlying strategy or specific use case or need. When you’re implementing or buying technology, it has to be for a reason.”
Adding to the challenge, solutions often go unused (or even unnoticed) by teams. From a regulatory perspective, “dark” or unused features create blind spots in documentation. By maximizing existing investments, firms can ensure their AI workflows stay within a controlled, supervised environment.
“Make sure you’re using the full capabilities of any technology you’ve either acquired or already own,” he says.
Tip 3: Ensure a two-way street of checks and balances
In the eyes of regulators, an AI agent acting in a vacuum is a high-risk liability. Ironically, AI can help with that — powering everything from Know Your Customer (KYC) and Anti-Money Laundering (AML) to accelerating credit reviews.
“The problem with KYC is it’s traditionally manual,” Midson notes. “There are only so many humans you can throw at a problem. Agentic AI can empower humans to add more value.”
Midson emphasizes that, even with proper confidence scoring, the most resilient firms should create a two-way street where humans provide oversight to validate AI-generated outcomes. The trick, Midson says, is pairing the speed of an AI agent with the nuance of human judgment — plus a framework of content-native controls and least-privilege access limiting agentic reach to only that which is strictly necessary.
“You don’t see agents just running banks and settling trades,” he says. “There’s always going to be humans involved with that. You need a human to validate the output.”
Combining the speed of an agent with the judgment of a professional empowers organizations to move fast without breaking the very compliance structures that keep them in business. It also ensures companies can explain why a given decision was made.
Ultimately, the shift toward agentic technology is a competitive necessity, and those firms that can prove their agents’ homework will be best positioned to capture revenue.
“Technology is an enabler,” Midson concludes. “It needs to facilitate revenue and keep costs down — but most importantly, it has to keep you out of trouble.”
Learn more about Box for finance here.