As financial institutions accelerate AI adoption across software delivery, a growing concern is emerging among QA and testing teams: the gap between what AI can generate and what can actually be validated, governed and reproduced in production environments.
While AI is driving faster code generation and provisioning, it is also introducing new layers of fragility, particularly in complex, regulated banking environments where traceability and auditability are non-negotiable.
That tension is forcing QA leaders to confront a deeper question: is AI improving DevOps outcomes, or simply exposing long-standing structural weaknesses in infrastructure, testing and governance?
Texas-based Lior Koriat, CEO of test automation firm Quali, which serves a range of banks and financial institutions, thinks both dynamics are playing out simultaneously.
“Both are true, and in financial services the tension between those two realities is sharper than almost anywhere else.”
He told QA Financial in an exclusive interview that “AI is delivering genuine productivity gains, faster code generation, more responsive pipelines, quicker incident pattern recognition. Those are real. But financial institutions carry decades of accumulated infrastructure complexity.”
Koriat, who has been heading the cloud testing and DevOps firm that runs the Torque platform since 2008, stressed that AI does not remove that complexity, but accelerates its impact. “AI doesn’t simplify that complexity. It moves through it faster, which is a very different thing.”
AI shifts risk to QA
Koriat argued that while AI improves the front end of delivery, it creates new risks further down the lifecycle, particularly for QA and testing functions.
“What we’re seeing in practice is that AI accelerates the front end of the delivery lifecycle, design, generation, initial provisioning, while quietly loading the back end with infrastructure that is harder to validate, harder to audit, and harder to explain to a regulator,” he said.
In financial services, that creates a dual risk profile.
“In most industries that creates operational risk. In financial services it creates operational and regulatory risk simultaneously,” he noted.
According to Koriat, the institutions managing this shift most effectively are those prioritising governance over speed.
“The institutions that are navigating this well are the ones who treated AI adoption as an infrastructure governance question first, and a productivity question second.”
A key issue for QA teams lies in the growing disconnect between AI-generated infrastructure-as-code and the environments it is deployed into.
“The failures are almost never in the code itself. AI-generated IaC is syntactically sound. It passes linting, it satisfies static analysis, it looks like something a senior engineer wrote on a careful afternoon,” Koriat said.
Instead, the problem lies in environmental context. “The failures come from the gap between the code and the environment it runs in,” he explained.
“AI is delivering genuine productivity gains … but financial institutions carry decades of accumulated infrastructure complexity.”
– Lior Koriat
Koriat pointed to hidden dependencies, undocumented constraints and configuration drift as major contributors.
“Live environment state, resource dependencies that aren’t captured in any template, IAM boundaries that exist in practice but not in documentation, configuration drift that has accumulated since the last planned deployment.”
For QA teams, this creates a fundamental validation challenge. “The thing you are validating against may not be what actually gets deployed,” he shared.
Koriat warned that passing tests may offer false confidence. “You have validated the code. You haven’t validated the environment.”
He stressed that in regulated banking environments, that gap has compliance implications. “In regulated financial services, where the audit trail needs to demonstrate that what was tested is what was deployed, that gap is not just an operational inconvenience. It is a compliance exposure.”
Environment sprawl becomes an audit risk
Koriat highlighted “environment sprawl” as a growing issue in banking, driven by rapid environment creation without corresponding governance.
“In banking, environment sprawl is not primarily a cost problem, though it is that too. It is a governance and audit problem, and it is larger than most institutions are prepared to acknowledge.”
He described how unmanaged environments evolve into unofficial production references.
“That pattern, repeated across dozens of teams and hundreds of environments, produces an infrastructure estate where the actual state of any given environment is unknown, the history of changes is unrecoverable, and the relationship between what was tested and what was deployed cannot be demonstrated,” Koriat said.
For regulators, this is a critical failure point. “For a bank, that is not a technical debt problem. It is an audit finding waiting to happen.”
Fragmented toolchains
The introduction of AI into already fragmented DevOps and QA toolchains further compounds the problem. “It makes it categorically worse, for a reason that isn’t always obvious,” Koriat said.
He contrasted human engineers with AI systems operating in fragmented environments.
“Human engineers navigating a fragmented toolchain bring judgment, institutional knowledge, and the ability to resolve ambiguity informally… AI does none of those things,” Koriat said.
Instead, AI operates on incomplete data. “It operates on what it can see, and in a fragmented toolchain, what it can see is always partial.”
He thinks this creates a dangerous combination. “So, it makes decisions based on incomplete context, at speed, and with confidence.”
For QA and compliance teams, the result is a breakdown in traceability. “You end up with a change that is recorded in three systems, none of which has the complete picture,” he argued.
Koriat believes this shift elevates the role of QA within financial institutions, particularly as platform engineering moves toward governance and control.
“QA teams in financial services should interpret that shift as a direct elevation of their strategic importance.”
Koriat emphasised that QA principles are now required at the infrastructure level. “The move toward governance and control in platform engineering is, at its core, a move toward the values that QA has always held, precision, repeatability, auditability, evidence.”
Critically, QA teams must now take ownership of environment integrity. “The QA function needs to own the question of environment fidelity, not just test case coverage.”
He added that unreliable environments undermine the credibility of testing itself. “A test result is only as credible as the environment it was produced in.”
To address these challenges, Koriat pointed to Environment-as-a-Service as a potential control plane for AI-driven infrastructure.
“With a mature Environment-as-a-Service layer, that environment is defined as a blueprint, version-controlled, policy-embedded, approved in advance.”
This enables consistent, reproducible environments for testing and deployment. “The resulting environment is identical to every other environment provisioned from the same blueprint.”
For QA teams, this has direct benefits, Koriat stressed. “Test environment fidelity becomes provable… test cycle time compresses significantly… the audit trail that regulators require is produced as a natural output of the process.”
Governance gap
Looking ahead, Koriat warned that the rise of autonomous AI agents managing infrastructure introduces an additional layer of risk.
“We are entering a period where the infrastructure decisions being made in a financial institution are no longer made exclusively by human engineers… They are increasingly being made by AI agents… operating autonomously, at speed, on shared infrastructure.”
The risk lies in how these agents interact. “The interaction between them… is where the governance frameworks of most institutions have a significant gap,” he said.
In financial services, that gap is critical, Koriat stressed. “In financial services, that gap is not theoretical. It is a systemic risk.”
He argued that institutions must establish oversight at a higher level. “Do you have a governance layer that operates above your agentic layer… and ensure that the collective behavior of your AI systems is aligned with your institution’s risk appetite, regulatory obligations, and business intent?”
Without it, Koriat warned, consequences are inevitable. “The institutions that build the control plane first will be the ones that can scale AI with confidence,” he added.
“The ones that don’t will find that the audit findings and operational incidents do the work of forcing that conversation, at a much higher cost,” Koriat concluded.
WATCH OUR PODCAST WITH SRINI CHELIAN
NEXT MONTH
Why not become a QA Financial subscriber?
It’s entirely FREE
* Receive our weekly newsletter every Wednesday * Get priority invitations to our Forum events *
REGULATION & COMPLIANCE
Looking for more news on regulations and compliance requirements driving developments in software quality engineering at financial firms? Visit our dedicated Regulation & Compliance page here.
READ MORE
- Inside banking’s shift to smarter QA to tackle complexity and risk
- SmartBear CPTO on AI in banking QA: ‘Impressive metrics but no critical scenarios’
- Banks push beyond traditional QA as resilience testing gains ground
- Banking QA professionals warn AI still doesn’t know ‘where the bodies are buried’
- RECAP: The QA Financial Healthcare & Insurance Forum Philadelphia 2026
WATCH NOW
QA FINANCIAL PODCASTS
CLICK HERE TO LISTEN TO OUR EXCLUSIVE CONVERSATIONS
