At FundsTech 2026, the first panel, titled “The New Regulatory Frontier – AI, Cloud & Digital Assets”, brought together industry experts to unpack how asset managers can stay ahead of evolving rules on artificial intelligence (AI)
For Daniel Lousqui, associate general counsel, Vanguard, interoperability between systems remains a hurdle, particularly as firms invest in AI models that may fall under the “high-risk” categories outlined in the EU AI Act. Governance, he said, must bridge “technical oversight” with traditional compliance frameworks. While agentic AI systems can support repetitive processes, their autonomy is still limited, and there is a certain reluctance to deploy them broadly until stronger risk management frameworks are in place.
Cybersecurity adds another layer. Lousqui highlighted a growing “patch gap” problem, where firms must develop more robust testing methodologies to tackle vulnerabilities, especially as AI-driven attacks become more sophisticated. Training and internal awareness, he stressed, are essential. He also pointed out that expertise around the EU AI Act remains limited within asset management, with industry bodies stepping in to push for clearer standards.
Ulf Herbig, data, AI enthusiast and CEO, Kreios, said that firms must assess the EU AI Act from both implementation and compliance angles. The EU AI Act is being rolled out in stages, beginning in early 2025. Key provisions are set to take effect from August 2, 2026, while certain elements—such as aspects linked to high-risk system classification—will apply later.
The EU’s proposed digital omnibus initiative is designed to simplify and harmonise overlapping directives. If endorsed before August, it could potentially delay the application of high-risk AI requirements until December 2027. In the meantime, however, firms are left “in limbo”, unsure whether to prepare immediately or assume they have more time.
According to Herbig, the EU AI Act cannot be treated in isolation. Instead, firms must consider their interaction with frameworks such as MiFID II and GDPR, particularly given the importance of data quality. He also warned that trust and transparency in AI are inconsistently defined, requiring closer collaboration between legal, business and technology teams.
Work by Efama, the voice of the European asset management industry, on AI guidance reflects a shift toward a more holistic view of both corporate and technological risks.
Herbig, who is the chairman of the Efama AI Task Force, also pointed to less obvious but immediate risks, including prompt injection attacks. Firms should be asking their IT teams whether AI systems can detect such vulnerabilities, he said. Unlike traditional cyber threats, prompt injection can occur through seemingly benign inputs—such as documents uploaded into a system—that manipulate outputs without breaching perimeter security.
However, Herbig noted that while regulatory documentation is abundant, it is “not as much operationalised,” making collaboration and the definition of best practices essential. Firms must also guard against “overregulating” themselves and using compliance as an “excuse for avoiding innovation”.
Robert Maddox, partner, Debevoise & Plimpton, highlighted a “unique intersection” between the growing reliance on AI systems and the requirements of the Digital Operational Resilience Act. As asset managers embed more AI-enabled tools across their operations, systems become increasingly complex, interconnected and critical to business functions. This shift, he suggested, materially raises operational risk exposure.
Over the next year, firms should expect a surge in patching demands that will require changes to existing policies, said Maddox.
As automation increases, human oversight becomes more critical, particularly in addressing concentration risk and ensuring effective intervention when systems fail, added Maddox. “The conversation has shifted: the risk is no longer just how AI is used, but the competitive disadvantage of not using it at all,” he said.










