ProSight recently spoke with three subject matter experts who were instrumental in the creation of its 2026 CRO Outlook Survey to get their perspectives on the results and the risk challenges ahead. Oliver Wyman Partner Michael Duane and OW Principals Christian McNally and Jake Ritchken noted that cyber risk and AI were front and center in the survey, while the shift in regulatory focus under the Trump administration has been a significant development.
Conducted in collaboration with Oliver Wyman in August and September 2025, the survey captured insights from more than 140 bank CROs and their equivalents (primarily in the U.S. and Canada), highlighting the top trends in bank risk management and the most urgent CRO priorities.
Cyber risk and technology was cited as the top risk category, with 74% of CROs identifying it as a top five risk. Duane said that while these are “evergreen” threats because of their constantly changing nature, the increased use of AI and the digitization of banking were two of the key drivers of this year’s top ranking.
CROs cited fraud and financial crime as the second-largest risk, noting that the combination of AI, cyber platforms, and digital assets has accelerated the proliferation of fraud. AI, in particular, has democratized cybercrime, because one no longer must be a master hacker to execute, say, a ransomware or malware attack. “Innovations like AI and digital assets provide new avenues through which bad actors can operate,” Duane said. “For example, a consumer’s use of an AI agent in parts of his or her banking relationship will open up an entirely new vector for cybercriminals and fraudsters.”
Technology like AI-enabled deepfakes have made scams more difficult to detect than ever, and it should therefore come as no surprise that nearly a third of survey respondents (32%) said that the possibility that AI could be used to perpetrate fraud is a top AI-related risk to their institution. “CROs are increasingly concerned about the significant and evolving AI-enabled scams,” McNally said. “Banks are evaluating and enhancing governance frameworks and authentication methods in an effort to control increasingly sophisticated fraud threats.”
AI: Use Cases, Advancements, and Risks
According to this year’s survey, 54% of banks have adopted AI in production, with 48% expecting to have deployed the technology for risk management within the next two years. McNally said that banks are increasingly rolling out custom generative AI applications for specific use cases, including Know Your Customer and Anti-Money Laundering, credit memos, and regulatory change management.
Even though banks are taking a relatively cautious approach to AI overall, he said, they are increasingly moving from testing, pilots, and proofs of concept into scaled AI deployments. Agentic AI, a multi-tasking version of the technology that can actually make decisions without human input, is one tool that’s on the rise. But banks are more cautious toward adopting agentic AI than generative AI, which relies on human prompts to produce content.
Unlike GenAI, which generates content (like text, audio, video, and code) in response to input from people, agentic AI can act independently across multiple steps, potentially eliminating humans from the loop. “An agentic AI process will remove the human element, requiring different risk management techniques around things like testing and monitoring to get comfortable with an agentic AI use case,” said Duane.
When consumers begin to use agentic AI more frequently, it will “fundamentally change” the way in which banks and their customers interact, he said, forcing risk managers to build new frameworks for engaging with customers. “This will include developing ways to trust and authenticate the agent—to verify, for example, that the agent’s banking request is actually authorized by the end customer,” Duane said.
A key challenge for CROs in enabling more advanced AI uses is the nascence of their AI risk frameworks. Just consider, for example, that only 12% of survey respondents described their AI governance and approvals framework as “highly developed.”
Indeed, today, AI governance frameworks can be restrictive and sometimes complex, making it challenging for banks to implement higher-impact use cases. However, Ritchken said, this is likely to change across 2026, with CROs and chief information officers building out their AI governance frameworks, enabling their organizations to more rapidly evaluate, approve, and scale their AI deployments.
Banks can more effectively manage potential scams by developing multi-dimensional groups that cut across different types of financial crime. “One continued focus area for banks has been the build-out of insider threat teams,” Ritchken said. “These multidisciplinary teams cut across cyber, fraud, and AML/compliance and maintain a set of proactive monitoring tools and playbooks to take action when potential insider threats are identified. We’ve seen these teams be effective at managing many potential threats across large banks and have worked with several organizations to stand up and arm the teams with the right tools and frameworks.”
The Risk Impact of Deregulation
In the survey, CROs reported a decrease in supervisory findings in 2025, with some top risk executives noting that regulators have shifted their attention toward tangible risks (like liquidity) and away from less tangible, non-financial threats (like operational resilience and ESG risk). This regulatory shift towards material financial risks came into greater focus in late 2025 through the Board of Governors of the Federal Reserve System’s October 2025 Statement of Supervisory Operating Principles focusing supervisory work on risks threatening the safety and soundness of banking organizations; the joint Interagency Notice of Proposed Rulemaking defining “Unsafe or Unsound Practices” from the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation in October 2025; and the OCC’s proposed rule to increase the asset threshold to qualify for Heightened Standards requirements in December 2025.
Going forward, cybersecurity risk (49%) and governance/controls related to AI (45%) are the areas that survey respondents cited as most likely to see greater regulatory scrutiny in 2026. McNally said that regulators continue to pay close attention to these threats, despite the fact that regulatory enforcement has continued to decline following updated fourth quarter 2025 guidance and proposed rules from the OCC, FDIC, and the Federal Reserve.
Ritchken said, “The current administration has provided more leeway for banks to manage their risks in a bespoke manner, and that provides opportunities for them to review their processes and build what is most effective for their organization.”
Though banks may have more leeway to manage their own non-financial risks, rules are, of course, subject to revisions. Banks therefore remain alert to how regulatory expectations could change in three years after the next U.S. presidential election. Ritchken said that CROs think about a possible “whiplash effect,” but emphasized that it’s the responsibility of each top risk executive to stay current with any supervisory changes.
