Frontier AI Model Governance – What is the Board’s role?

The Bank of England, FCA and HM Treasury have taken the unusual step of issuing a joint statement on ‘Frontier AI models and cyber resilience’ to emphasise the need for Boards and senior management to take action. Their focus is on:

  • the rapid development and importance of AI

  • its adoption in regulated firms, and

  • concerns that it may fall into the hands of ‘bad actors’

WHAT IS FRONTIER AI?

In an arena of constantly changing and developing terms, what is ‘Frontier AI’? The term is loosely used by different organisations but probably the best definition is that given by the National Cyber Security Centre, part of GCHQ, as:


‘Frontier AI models refer to the most capable models available at any given time. It’s worth noting that capabilities developed in frontier models can be transferred into smaller, cheaper, or open-weight models through a process called distillation – meaning advances at the frontier set the direction of travel for the whole ecosystem.’


A recent example of a Frontier AI model is Anthropic’s Claude Mythos program. Launched only just over a month ago, it represents a generational leap in AI capability, able to uncover vulnerabilities in programs that have remained undiscovered for, in some cases, decades; it is already causing great alarm about what would happen should it fall into the wrong hands, and its release is being highly controlled.

Not surprisingly, in their joint statement the regulators emphasise that ‘firms should ensure that their boards and senior management have sufficient understanding of frontier AI risks.’ In these days of personal regulatory responsibility, through the Senior Managers and Certification Regime (SMCR), it is imperative that Board members keep up to date with AI developments, understand the risks and set strategies for their firms, as they will be the first port of call in regulatory inspections to explain the risks they run in their business.

SO, HOW SHOULD BOARDS APPROACH THE QUESTION STRATEGICALLY AND TACTICALLY?

A helpful joint guide on AI governance principles for Boards has recently been published by INSEAD and KPMG and in her opening foreword Professor Annet Aris of INSEAD says that she sees a growing recognition that AI is now shaping how decisions are made and how value is created. Equally though, she sees shared uncertainty about what it means, in practice, for Board directors.

The joint INSEAD/KPMG report (‘the joint report’) goes on to list five AI Governance Principles for Boards which they believe directors should engage with when addressing the AI risks in their firms.

The five principles are:

1. Strategic Oversight for Value Creation

2. Active Technology and Security Oversight

3. Workforce Transformation and Human Accountability

4. Building Trustworthy AI

5. The Work of the Board

and it is the last of these principles, ‘The Work of the Board’, that boards of regulated firms should particularly address, given the concerns stressed by the government and the regulators about the rapid development of AI in the financial sector and the regulators’ emphasis on personal responsibility.

Drawing on the recommendations of the Joint Report and tailoring the ‘Work of the Board’ for regulated firms:

  • The Board should adopt appropriate oversight capabilities for AI and other emerging technologies

It must continuously advance its collective knowledge of AI and other emerging technologies so that board members possess the technical fluency, agility, diversity of perspective and strategic insight needed to govern AI’s rapid evolution, and to seek expert advice when appropriate. The Board should regularly review and, where appropriate, adapt board composition and governance structures based on the needs of the company and its strategic objectives in the emerging AI landscape.

  • Effective AI oversight processes

The board should dynamically adapt its processes to enable effective oversight of AI, with processes that reflect the unique, ongoing and training-oriented nature of AI projects, including the need for different types of milestones and metrics.

Senior Management should subject any new AI products to their firm’s full New Product assessment process.

The board should have its own policy for its strategic use of AI, e.g. regarding information gathering and processing and the use of AI to support its own decision-making, as well as putting in place safeguards for issues including, but not limited to, confidentiality and legal privilege.

  • AI tailored risk management

The board must ensure that AI-specific risks are included in the firm’s risk management framework, that existing risks are re-evaluated based on the impact of AI, and that the potential for disruption is properly assessed.

Risk management frameworks should reflect internal operational risks and external environmental, competitive, regulatory, and reputational risks from AI. They should consider how these risks could expose the firm to vulnerabilities and impact the company’s viability and competitiveness.

The board should appoint a specific member of its senior management team to establish and be responsible for AI-specific metrics, risk metrics, operational controls, reporting lines, and escalation procedures, especially where risks are significant or outcomes are uncertain.

The board and its Audit Committee must oversee the firm’s risk mitigation strategies, including insurance, contingency planning, and incident response. These strategies should address potential data breaches, third party risks and supply chain disruptions, and other AI-related threats.

  • Adherence to a globally diverse regulatory AI landscape

The board should be regularly briefed on current and emerging relevant regulations, and on their impact on the firm in all jurisdictions where the organization and its value chain operate, including national and multi-jurisdictional AI law. Senior management must also confirm to the Board that relevant jurisdictional regulations are complied with.

  • Transparent and outcome-based reporting

The board should require senior management to report systematically, explicitly and transparently about where and why AI is being adopted, specifying whether it presents a risk (and if so, the category of risk), an opportunity, or both, and about how it is being responsibly integrated into strategy and risk management.

The board must also oversee external communication of the company’s AI policy and the board’s own oversight of AI governance through transparent narrative reporting that clearly explains the principles applied, the business processes and risk management, and the outcomes achieved.

The board should expect management to provide easily understood and accessible explanations of major AI capital allocation decisions to the board, auditors and regulators, including their alignment with the company’s long-term strategy. The board should also foster a culture of accountability, where both successes and failures in risk-taking and capital allocation are openly discussed.

The BoE, FCA and HMT Joint Statement adds one further tenet to the requirements of ‘The Work of the Board’:

  • Response and Recovery

Firms should be able to respond to and recover from disruption quickly. Firms should read the effective practices on cyber resilience published by the Bank, the PRA and the FCA in October 2025.


SUMMARY: It cannot be emphasised strongly enough that Boards and senior management must keep abreast of developments in AI and fully understand and account for the risks of AI where it is integrated into their business.


ABOUT FMCR

FMCR is a network of senior practitioners, former COOs, global business heads, traders and risk leaders from Tier 1 global banks, providing advisory services to Markets and Banking leadership teams across risk management and performance. We have considerable experience at C-Suite and Board level and can help tailor AI risk management strategies for clients and prospective clients. To discuss how FMCR can help your firm, please contact us at contact@fmcr.com.


Written by Peter Manning, a Senior Advisor at FMCR with over 40 years of experience in the City in senior management, risk, compliance and regulation.