Artificial intelligence is rapidly becoming embedded across investment management. It is helping to automate research, support portfolio monitoring and draft investment committee materials. In many firms, AI is no longer experimental; it is already shaping day-to-day operations.
The problem is that governance is not keeping pace. That gap is creating a new class of risk spanning technology, compliance and operations. For investment firms, the central question is no longer whether to use AI, but how to control, secure and monitor it. The clearest sign of that challenge is the rise of shadow AI.
The rise of shadow AI in investment firms
Shadow AI refers to employees using AI tools outside official policies, governance frameworks or IT oversight. It is already widespread. Industry research suggests that nearly 70% of enterprise employees access public generative AI tools through personal accounts.
That often begins innocently: summarizing research, analyzing spreadsheets or drafting documents more quickly. But in investment firms, where information is highly sensitive, it can create serious data governance problems. Once material is entered into a public AI tool without proper safeguards, the firm may lose visibility into how that data is stored, processed or reused.
This is a familiar pattern. The industry has already dealt with shadow IT, when employees adopted unapproved platforms to work more efficiently. Shadow AI is a more powerful, less visible version of the same problem.
Firms therefore need clear policies on approved tools, acceptable use, access controls and data handling. They also need oversight of prompts, outputs and third-party AI vendors. Without those controls, sensitive data can move outside the firm’s environment with little traceability.
And that naturally pushes the issue upward. If AI oversight is really about accountability for enterprise risk, then responsibility does not end with the technology function. It ultimately sits with the board.
Why AI risk is becoming a board-level issue
AI governance is becoming a board-level issue because AI risk now touches resilience, regulatory exposure and reputation. Cybersecurity has already made the shift from IT concern to enterprise risk. AI is accelerating the same shift by creating new, often invisible pathways for data exposure.
For investment firms, this matters because the board is both the ultimate oversight body and a potential source of risk. Board materials are among the most sensitive documents an organization holds, yet they are exactly the kind of content that may be summarized or queried using AI tools.
That creates a specific governance challenge. Board members and non-executive directors may operate outside the firm’s day-to-day technology controls. A director using a public AI platform to extract insights from a board pack could inadvertently expose confidential information without the firm having any visibility that the interaction took place.
So the board is not only responsible for asking whether AI is governed properly across the business; it must also examine whether its own practices are expanding the risk perimeter.
Vendor oversight and the expanding AI risk perimeter
The challenge also extends beyond internal use. Investment firms operate through interconnected ecosystems of cloud providers, analytics platforms, data vendors and specialist AI tools. Many of these partners have access to sensitive systems or investment data.
Regulation is evolving in response. Frameworks such as the EU’s Digital Operational Resilience Act are pushing firms to treat third-party technology risk as part of their own operational risk framework.
That means vendor oversight can no longer rely on annual reviews alone. Firms increasingly need visibility into critical providers, mapped dependencies and evidence that vendors apply equivalent standards around security, resilience and incident response.
AI as both the problem and the solution
Despite these governance challenges, AI will also be part of the answer. Advanced AI systems are already being used to automate routine tasks, analyze large volumes of system activity and detect anomalies in real time.
Instead of relying only on periodic reviews, firms can move toward real-time risk classification and earlier intervention. That shift from retrospective reporting to proactive risk management could materially strengthen operational resilience.
Governance will determine the winners
AI adoption across investment management will continue to accelerate. But the firms that benefit most will not simply be those that deploy the most tools first. They will be the firms that embed AI within governance, security and operational control frameworks from the outset.
Treating AI as part of the control environment, rather than just a productivity layer, will be essential. Those that get that balance right will be best placed to capture AI’s benefits while preserving the trust, resilience and discipline that underpin long-term success.