Inside JPMorgan’s $18bn QA push with OmniAI reshaping testing


As the largest bank in the United States and one of the most complex financial institutions in the world, JPMorgan Chase has long treated technology investment as a strategic pillar rather than a cost centre.

Across 2024–2025, the firm has committed more than $18 billion annually to modernising its systems, embedding AI into core processes, and consolidating its engineering stack into reusable, enterprise-wide platforms.

For QA and software-testing leaders, this shift offers one of the clearest examples of how a global bank is industrialising model operations, scaling automation and tightening digital resilience at unprecedented scale.

The centrepiece of that strategy is OmniAI, JPMorgan’s in-house AI and machine-learning platform. Designed and built by the firm’s Chief Technology Office, OmniAI is an enterprise-grade environment that standardises data access, model training, testing and deployment across all business lines.

It was developed in response to the bank’s early success applying AI to fraud detection and other data-driven use cases, and to the rapid advances in AI tooling emerging from the major tech companies.

Rather than rely on fragmented, team-specific solutions, the bank opted to build a unified platform capable of supporting model development “at speed and scale.”

All eyes on OmniAI

OmniAI was engineered specifically to eliminate friction for data scientists and developers: sourcing, preparing and validating datasets; providing governed compute environments for experimentation; and preventing duplicated effort across the enterprise.

Because it is cloud-native, the platform offers flexibility while embedding the security, controls and auditability required for financial-grade AI, a crucial factor for testing teams working with sensitive data.

The bank claims the platform reduces the time it takes to extract meaningful insights from the vast datasets to which it has access and enables “deeper, more comprehensive, and more thorough analysis … at a much lower operational cost.”

Those gains translate directly into operational resilience, from accelerating fraud-detection pipelines to improving the responsiveness of client-facing tools.

The scale of adoption is growing rapidly. “Just a year ago, OmniAI released its very first capability, single-node model training into production, and only a handful of projects were using the product as early testers,” said the company’s Global Head of AI Technology.

“Fast forward to today, and engineers and data scientists driving hundreds of projects across every line of business are using the platform for end-to-end capabilities, from discovery and model training through production serving on ML models.”

For QA and engineering teams, the platformisation of AI changes both the testing workload and the operating model. Instead of bespoke pipelines, teams are increasingly working with common components, consistent data foundations and centralised model-ops workflows.

That consistency makes test automation more scalable and makes it easier to harden controls around versioning, monitoring, drift detection and rollback, key pillars of safe AI deployment in regulated markets.

The bank also highlights practical examples of how AI is improving day-to-day operations. Internal employees receive real-time technical help through AI-supported knowledge recommendations; risk and customer-support teams were able to retrain models within days during the pandemic; and portfolio managers now analyse investment data through simplified, point-and-click interfaces.

Each of these use cases reflects the firm’s broader push toward making AI accessible and production-ready, not experimental.

JPMorgan Chase positions OmniAI alongside its other big technology bets, from blockchain to quantum computing, as part of a long-term strategy to build reusable, future-proof digital infrastructure.

For testing organisations across financial services, the message is clear: enterprise-grade AI depends on disciplined data management, unified engineering platforms and investment on a scale that treats resilience as a competitive advantage rather than a compliance exercise.

SaaS-induced systemic risk

The tech push comes amid a recent warning from Patrick Opet, the bank’s Chief Information Security Officer, who called for immediate reform in how cloud-based services are designed, integrated, and secured.


In an open letter earlier this year, Opet argues that the rapid rise of software-as-a-service (SaaS) has quietly introduced a systemic vulnerability into the digital infrastructure of the global economy.

“SaaS has become the default and is often the only format in which software is now delivered,” Opet stated. “This leaves organizations with little choice but to rely heavily on a small set of leading service providers, embedding concentration risk into global critical infrastructure.”

While SaaS models offer speed and efficiency, New York City-based Opet emphasised that they also consolidate cyber risk, allowing a single point of failure, such as an outage or breach, to ripple across multiple sectors simultaneously.

“Historically, software was distributed across diverse environments, each with unique security practices,” he explained. “Today, an attack on one major SaaS or PaaS provider can immediately ripple through its customers.”

Drawing on JPMorgan Chase’s own experience, Opet revealed that third-party incidents have already impacted the bank’s security landscape.

“Over the past three years, our third-party providers experienced a number of incidents within their environments. These required us to act swiftly and decisively, including isolating compromised providers and dedicating substantial resources to threat mitigation,” he wrote.



Opet attributes some of this growing risk to a commercial race among software vendors, where rapid feature delivery is prioritized over foundational security.

“The pursuit of market share at the expense of security exposes entire customer ecosystems to significant risk and will result in an unsustainable situation for the economic system,” he warned.

Central to Opet’s critique is the evolution of modern integration patterns, which he says have eroded decades of security architecture. Instead of strict segmentation and layered access, today’s SaaS models create direct pathways between third-party applications and core internal systems.

“These integration models collapse authentication and authorization into overly simplified interactions, effectively creating single-factor explicit trust between systems on the internet and private internal resources,” Opet said.

The letter also highlights emerging attack trends. According to Opet, state-sponsored actors are increasingly targeting trusted integration partners as a way to bypass traditional defences.

He referenced a recent Microsoft Threat Intelligence report stating that Chinese state actors are shifting focus to “common IT solutions like remote management tools and cloud applications.”

‘Resilient by design’

In response, Opet is calling on providers to re-engineer their platforms with “secure and resilient by design” principles that go beyond compliance.

“This requires continuous, demonstrable evidence that controls are working effectively, not simply relying on annual checks,” he wrote. “Customers should be afforded secure-by-default configurations and transparency into risks.”

Opet also recommended deploying techniques like confidential computing, customer self-hosting, and “bring your own cloud” models as interim safeguards.

“Traditional measures like network segmentation and protocol termination may no longer be viable. Instead, we need sophisticated authorization methods, advanced detection capabilities, and proactive measures to prevent the abuse of interconnected systems,” he argued.

His concluding message was a blunt challenge to the software community: reject insecure integration models until better alternatives emerge.

“The most effective way to begin change is to reject these integration models without better solutions,” Opet urged. “I hope you’ll join me in recognizing this challenge and responding decisively, collaboratively, and immediately.”

