AI Governance for Financial Services: The Tiered Governance Model
AI governance for financial services is not optional. The EU AI Act classifies many financial-services AI systems as “high-risk.” The UK FCA has SYSC rules for AI in regulated activities. NIST AI RMF is the de facto US framework. This guide walks through the Tiered Governance Model, the 4-tier framework I developed at Neul Labs for production AI in financial services, applied in production at regulated financial-services firms and presented to the FCA sandbox.
The four tiers
| Tier | Name | What it means | Risk | Model risk management |
|---|---|---|---|---|
| T0 | Read-only | AI for summarisation, classification, search. No actions. | Lowest | None required |
| T1 | Advise | AI drafts, human reviews and approves. | Low | Standard |
| T2 | Act under supervision | AI acts, every action logged, attributed, reversible. | Medium | Enhanced |
| T3 | Act autonomously | AI acts without human approval. Logged and audited after the fact. | Highest | Full (EU AI Act high-risk) |
How to classify your AI system
Ask three questions:
- Can the AI take actions (not just generate text)? If no → T0. If yes → continue.
- Does a human review every action before it takes effect? If yes → T1. If no → continue.
- Can the human reverse the action within a defined window? If yes → T2. If no → T3.
Most financial-services AI starts at T0 or T1. T2 is for mature deployments. T3 is rare and requires full EU AI Act high-risk system compliance.
The regulatory mapping
| Regulation | T0 | T1 | T2 | T3 |
|---|---|---|---|---|
| EU AI Act | Below threshold | Below threshold | Limited risk (transparency) | High-risk (full compliance) |
| NIST AI RMF | Map | Map + Measure | All four functions, elevated | All four functions, highest |
| ISO/IEC 42001 | Basic | Standard | Enhanced | Full |
| FCA SYSC | Not applicable | Notify | Document | Full governance |
| PRA SS1/23 | Not applicable | Document | Model risk management | Full model risk management |
Regulus: the implementation
Regulus is the EU + UK compliance plane for Google ADK (Agent Development Kit). It implements the Tiered Governance Model for production agent systems:
- 6 plugins (one per governance area)
- 10 regulations (EU AI Act, GDPR, DORA, NIS2, EHDS, UK GDPR, FCA SYSC, PRA SS1/23, PRA SS2/21, NHS DSPT)
- 6 governance frameworks (NIST AI RMF, ISO/IEC 42001, 23894, 23053)
- 4 GRC adapters (ServiceNow IRM, OneTrust, MetricStream, custom)
- Deploy on Vertex AI Agent Engine in 60 seconds
Regulus was open-sourced by Neul Labs and Skelf Research.
How to engage
The Fintech AI consulting engagement is designed for financial-services firms that need production AI agent systems with compliance built in. Audit: USD 50K. Full implementation: USD 50K-200K.
Read more about the Tiered Governance Model at dipankar.name/frameworks/tiered-governance-model/.