Creating centralized, updatable, and cost-effective risk controls testing and monitoring relies on greater adoption of standardized protocols. In turn, standardization reaches peak potential when boosted by well-placed automation.
Financial institutions (FIs) roundly desire these efficiencies, according to a recent multi-part survey and analysis by PwC and ProSight. But not all FIs have aligned the resources or secured full organizational buy-in to meet these objectives; yet more banks and credit unions reveal a preference to stagger their upgrades.
“We are undertaking an overhaul of our three lines of defense, and our first line of defense does not have a testing protocol currently,” offered one survey respondent as part of a broad collection of feedback reflecting varied program status.
- “While the first line of defense testing program is mature, there continues to be opportunities for automation and efficiency as our process is very manual,” said another participant in the survey of roughly two dozen practitioners across institutional size. The survey took place in August and September of 2025.
Survey emphasis and analysis in the associated report highlighted banks’ transition from mostly decentralized controls testing and monitoring (TM) to centralized or hybrid models. Hybrid is also known as hub and spoke. Banks that have already adopted centralized and hybrid models credit these formats for gains in efficiency, standardization, and workload sharing, according to the PwC thought leaders. The analysts stress that clear TM roles and responsibilities across operational lines are easier to establish, lowering redundancies and closing gaps.
While select FIs reflected on achieving degrees of standardization, automation remains far less widespread. More than 73% of respondents reported no automation, only manual processes spanning the TM lifecycle.
Some FIs have tapped generative artificial intelligence (gen AI) for targeted in-house use or are increasingly aware of third-party affiliate AI applications to automate banking workflows, including controls TM. Most banks report selective approval, continued experimental phases, or minimal use. Recognizing the interest in automation and lingering questions around adoption, ProSight has added controls testing as a focus topic at its Peer Sharing event scheduled for September 22-23, 2026. Scope for AI in controls TM is sure to feature among other considerations when compliance practitioners convene for this session and others.
For now, measured use cases and upside potential are already emerging, as survey participants shared. “While I feel like our control methodology is fairly mature and has certainly evolved substantially in the past five years, we have some opportunities to improve,” one compliance leader offered. “Most notably, increasing the percentage of controls that are automated and leveraging gen AI to facilitate testing, especially script-based controls.”
According to PwC, gen AI-supported applications might help compliance and risk departments focus on automating control validation, sample selection, test script generation, and narrative drafting. As for the monitoring phase, AI models might be leveraged for real-time analysis and strategic data collection.
At a higher level, the banking strategists emphasized their belief that standardization and automation create efficiencies, clearer data output, and advanced reporting that position banks to more nimbly compete without losing their safety and soundness pedigree.
And newfound flexibility leaves room for time-sensitive adjustment within a bank’s guardrails, as the report’s messaging stressed. Teams can regularly, and with less potential expense, assess and refine TM programs to align with evolving risks and shifting regulatory requirements.
