An AI governance program — built before scaling LLMs and agents — that made saying yes faster than saying no.
This is a representative engagement — a composite of work patterns Maverin runs with regulated financial-services clients. It is not a named client, and engagement outcomes labeled illustrative are modeled, not measured. Industry figures are cited to public sources.
A Tier-1 North American bank wanted to scale LLM and agent use across the front and back office, but its risk and model-risk teams had become the bottleneck — every AI request stalled in committee. We stood up an AI governance program before the scaling, not after: model-risk integration, ISO 42001 alignment, EU AI Act readiness, and prompt-injection and DLP controls wired into a single approval gate. The result was a risk function that sponsors AI instead of blocking it, with a documented control posture a regulator can read.
AI is no longer a side project at the bank. By 2024, 78% of organizations reported using AI in at least one function, up from 55% a year earlier, and nearly 30% now say their CEO is directly accountable for AI governance — with financial services among the leaders. This bank was no exception: front-office copilots, an underwriting assistant in pilot, agent prototypes in IT and operations.
What was missing was the part regulators ask about. Across the market, 63% of breached organizations either have no AI governance policy or are still building one. Compliance — not technology — is now the #1 barrier to GenAI adoption, rising from 28% to 38% of leaders in two years. For a Tier-1 bank, that gap is not a research statistic. It's a supervisory finding waiting to happen.
The risk team was doing its job — and that was the problem. Every AI request landed in the same place: a committee with no AI-specific control framework, reviewing each model by hand, with no way to tell a low-risk internal summarizer apart from a customer-facing agent that touches PII. So everything got the heavy treatment, or nothing got approved.
The business read this as obstruction. The risk team read it as the only responsible answer they could give without controls to lean on. Both were right. The cost of getting it wrong is not abstract: the 2025 average data breach now runs USD 4.44M globally and a record USD 10.22M in the US, and breaches involving ungoverned 'shadow AI' cost about 16% more. Of organizations that reported an AI-model or application breach, 97% lacked proper AI access controls.
Meanwhile the regulatory clock was running. The EU AI Act's prohibited-use ban took effect February 2025; high-risk obligations land August 2026, with penalties up to EUR 35M or 7% of worldwide turnover. And the bank could see the other failure mode coming: Gartner projects over 40% of agentic AI projects will be canceled by end of 2027 on cost, unclear value, or weak risk controls. Stalling and shipping recklessly were both losing strategies.
We didn't write a policy and hand it over. We placed senior, AI-literate engineers and a governance lead inside the bank's risk and model-risk functions — staff augmentation, weekly billing — and ran a fixed-fee design sprint to stand up the program.
The operating principle: the gate has to be faster than the workaround. If governance is slower than going around it, people go around it — and you get the shadow AI that costs 16% more per breach. So we designed for speed at low risk and rigor at high risk, not uniform friction.
The program is one gate with three layers underneath it: intake and tiering, technical controls, and continuous attestation. Nothing reaches production without passing through it, and low-tier cases pass through in days.
## Intake and tiering

Every AI use case registers in a single inventory — the thing the bank could not produce before. Each entry carries owner, data classes touched, model and hosting, EU AI Act tier, and NIST RMF risk mapping. Tiering is rule-driven, not a meeting: touch PII or make a customer-affecting decision and you're high-risk automatically.

## Technical controls (where prompt injection and DLP live)

Prompt injection ranks #1 in the OWASP Top 10 for LLM Applications (LLM01) for the second straight edition, and accounted for 17% of observed AI-specific attack types. We treated it as a first-class threat, not a footnote:

- Prompt-injection defenses — input/output mediation, instruction-data separation, and allow-listed tool calls for any agent that can take an action.
- DLP at the model boundary — egress inspection on prompts and completions so PII and material non-public information can't leak into a third-party model. This is the control that directly answers the 97%-lacked-access-controls finding.
- Identity and least-privilege for agents — scoped credentials, no standing access, full call logging.
- Human-in-the-loop gates on any high-risk output before it affects a customer.

## Continuous attestation

Controls are attested at the gate and re-checked on a schedule, with the evidence stored against the inventory entry — so an exam request is a query, not a fire drill, and the program is on a path to ISO 42001 certification rather than a binder that goes stale.
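The three layers above, sketched as one gate function. This is an added example, not the bank's or Maverin's code: the control identifiers, the two-tier split, and the 30/180-day re-attestation windows are assumptions, and the sample use cases are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed control identifiers and re-attestation windows; the page names the
# controls but gives no identifiers or schedule.
REQUIRED = {
    "high": {"prompt_injection_mediation", "dlp_egress",
             "scoped_agent_identity", "human_in_the_loop"},
    "low": {"dlp_egress"},
}
MAX_ATTESTATION_AGE = {"high": timedelta(days=30), "low": timedelta(days=180)}

@dataclass
class UseCase:
    name: str
    owner: str
    data_classes: set              # e.g. {"PII"} or {"internal"}
    customer_affecting: bool
    can_take_actions: bool = False
    tool_allowlist: frozenset = frozenset()
    attestations: dict = field(default_factory=dict)  # control -> last attested

def tier(uc):
    """Rule from the page: PII or a customer-affecting decision is high-risk."""
    return "high" if "PII" in uc.data_classes or uc.customer_affecting else "low"

def gate(uc, today):
    """Return (approved, tier, findings); every finding blocks approval."""
    t = tier(uc)
    findings = []
    for control in sorted(REQUIRED[t]):
        attested = uc.attestations.get(control)
        if attested is None:
            findings.append(f"missing control: {control}")
        elif today - attested > MAX_ATTESTATION_AGE[t]:
            findings.append(f"stale attestation: {control}")
    if uc.can_take_actions and not uc.tool_allowlist:
        findings.append("agent can take actions but has no tool allow-list")
    return (not findings, t, findings)

# Constructed inventory entries and reference date.
TODAY = date(2025, 6, 1)
SUMMARIZER = UseCase("internal-summarizer", "ops", {"internal"}, False,
                     attestations={"dlp_egress": date(2025, 5, 1)})
UNDERWRITING = UseCase("underwriting-assistant", "credit-risk", {"PII"}, True,
                       can_take_actions=True, attestations={
                           "dlp_egress": date(2025, 5, 20),
                           "prompt_injection_mediation": date(2025, 3, 1),
                           "scoped_agent_identity": date(2025, 5, 20)})
```

The low-risk summarizer clears on a single fresh attestation, while the underwriting assistant is blocked with three separate findings that its owner can close one by one.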
Concrete artifacts the bank now owns, not slideware:
The deliberate choice throughout: the bank operates this without us. Senior staff augmentation built and transferred it; no platform lock-in, no permanent dependency.
| Breach category | Average cost |
|---|---|
| Global average breach (USD M) | 4.44 |
| Breach involving shadow AI (USD M) | 4.63 |
| US average breach (USD M) | 10.22 |
Shadow AI adds roughly 16% to the average breach. Cited figures, IBM 2025.
The headline change is behavioral: the risk team stopped being the place AI went to die. With a tiered gate and a fast-track, low-risk use cases clear in days instead of waiting on a monthly committee — and the risk team's name is now on approvals, not just rejections. (Engagement outcomes here are illustrative — modeled on the program design, not a measured client metric.)
What the controls buy, grounded in cited industry evidence:

- The DLP-at-the-boundary control attacks the exact failure behind the 97% of AI-breach victims that lacked access controls, and the shadow-AI premium of roughly 16% higher breach cost that comes with ungoverned tools.
- Treating prompt injection as a first-class threat targets the #1 OWASP LLM risk, responsible for 17% of AI-specific attacks.
- The ISO 42001-aligned posture and EU AI Act tiering put the bank ahead of the August 2026 high-risk deadline and its EUR 35M / 7%-of-turnover penalty ceiling — and on the right side of the 40%+ of agentic projects Gartner expects to be canceled on weak controls.
The deeper outcome is sequencing. Governance came before scaling, so the bank can now expand LLM and agent use against a control posture a regulator can read — instead of retrofitting controls onto a sprawl it can't inventory.
| Metric | Share (%) |
|---|---|
| Orgs using AI in ≥1 function | 78 |
| Breached orgs with no/immature AI governance policy | 63 |
| Compliance as #1 barrier to GenAI adoption | 38 |
| Prompt injection share of AI-specific attacks | 17 |
Adoption is near-universal; controls are not. Cited industry figures.
If you're a CISO or COO staring at an AI backlog your risk committee can't clear, the move is the same one this bank made: stand up the gate first, then let the volume through.
Tier-driven intake, model-boundary controls, continuous attestation — fast at low risk, rigorous at high risk.
The fix wasn't more review. It was a gate so clear that saying yes became faster than saying no.