Part II: How regulators are testing their way into AI governance

This is a three-part series about AI governance in banking QA and software testing. Part II explores how regulators are responding to AI risk, why their approaches differ, and how testing functions have become the practical enforcement mechanism for AI governance. Part I can be found here.


The expansion of testing obligations

If Part I of this special QA Financial series explored why AI governance has landed on the QA desk, Part II examines how regulators are attempting to respond to that reality, and why their efforts are increasingly pulling testing and quality engineering into the centre of AI oversight.

Across jurisdictions, one pattern is becoming clear. Regulators are not primarily asking banks to stop using AI outright.

Instead, they are asking firms to demonstrate that AI systems are controlled, testable and accountable in practice. That emphasis places QA and software testing teams at the heart of regulatory compliance.

The EU AI Act represents the most ambitious attempt to regulate artificial intelligence globally. It introduces a horizontal, risk-based framework that applies across sectors, including banking and insurance.

Under the Act, many common financial services use cases, such as creditworthiness assessment, fraud detection and customer risk profiling, are classified as high risk.

High-risk systems must meet requirements around risk management, data governance, human oversight, robustness and post-market monitoring. For QA teams, this expands the scope of what testing means.

Testing is no longer limited to verifying functional correctness before release. QA teams are increasingly expected to validate training data quality, test for bias and drift, assess robustness under edge cases and monitor behaviour over time.

This is where regulatory ambition collides with technical reality. As Jennifer J.K. argued in Part I, regulators often assume that AI decisions can be fully traced and explained.

Yet “AI systems, especially LLMs, compress information in fundamentally non-invertible ways,” making full reconstruction impossible.

QA teams are therefore being asked to operationalise regulatory expectations, which are still evolving. They must translate high-level legal requirements into concrete test strategies, metrics and evidence artefacts that regulators can interrogate.

Governance moves from policy to practice

Regulators are increasingly aware that governance frameworks alone are insufficient. What matters is whether governance works in real systems.

This shift is visible in the growing emphasis on lifecycle controls rather than point-in-time validation. The World Economic Forum has warned that the most serious AI risks often emerge after deployment, as systems adapt, interact with other models or are exposed to new data.

For QA teams, this reinforces the need for continuous testing and monitoring. Static test cases and pre-release sign-off processes are no longer enough when AI behaviour can change over time.

Jennifer Gold, chief information security officer at Risk Aperture, has highlighted the need for visibility beyond engineering teams, asking how organisations ensure that AI use “has the right guardrails in place and provides that visibility to boards.”

That visibility increasingly depends on testing outputs: metrics, reports and evidence that demonstrate how systems behave in practice.

The FCA’s shift to live testing

In the UK, the Financial Conduct Authority has taken an explicitly experimental approach. Rather than issuing prescriptive AI rules, it has launched initiatives designed to test AI systems in real-world conditions under regulatory supervision.

Ed Towers, head of advanced analytics and data science at the FCA, described the motivation behind this approach.

“We’re providing a structured but flexible space where firms can test AI-driven services in real-world conditions,” he explained, emphasising that this happens “with our regulatory support and oversight.”

For QA teams, this signals a significant change. AI assurance is no longer about submitting documentation at the end of development. It is about demonstrating behaviour under live operating conditions.

Towers explained that a key goal is to help firms escape what he describes as “POC paralysis.” “Through live testing we want to help UK innovators move safely beyond ‘perpetual pilots’,” he said.

Crucially, the FCA is explicit that it is testing systems, not just models.

“We broadly define the AI system as the actual AI model, information on the deployment context and core risks… governance and human in-the-loop considerations, evaluation techniques as well as the input and output controls,” Towers shared.

That definition aligns closely with how QA teams already think about systems. It also reflects a regulatory expectation that governance artefacts must be grounded in observable behaviour.

As Towers put it: “we focus on both quantitative and qualitative factors to get a truly holistic understanding of the AI system.” For banks, this moves QA from a delivery function into a regulatory interface.

Singapore and pragmatic governance

Elsewhere, regulators are taking different but complementary approaches.

Singapore has positioned itself as a leader in pragmatic AI governance, emphasising human-centricity, transparency and explainability while avoiding rigid, prescriptive rules.

Speaking at the World Economic Forum in Davos, Singapore’s communications minister S. Iswaran described the country’s intent to contribute to cutting-edge AI governance by inviting global feedback on its model framework.

He emphasised that AI systems should be explainable, transparent and fair, principles that directly influence how systems must be tested.

For QA teams, Singapore’s approach reinforces the idea that governance is inseparable from engineering discipline. Testing becomes the mechanism through which principles such as fairness and transparency are assessed in practice.

As regulatory scrutiny increases, accountability is moving upward. Boards are being drawn deeper into AI oversight, with growing emphasis on metrics, reporting and assurance.

David Cass’s warning resonates strongly in this context. “You can never outsource your accountability,” he said, noting that if something goes wrong with an AI system, responsibility rests with the organisation that adopted it.

This principle has significant implications for QA. Testing artefacts increasingly serve as evidence not just for regulators, but for boards and senior management.

They underpin risk assessments, board reporting and strategic decisions about whether AI systems are fit for purpose.

Governance experts have argued that boards must balance innovation with responsibility. But without reliable testing evidence, that balance becomes guesswork.

Why QA becomes the enforcement layer

Across jurisdictions, one conclusion is emerging. Regulators are not asking QA teams to become lawyers. They are asking them to make governance real.

Testing is where regulatory principles such as robustness, fairness, accountability and resilience are operationalised.

When AI systems cannot be meaningfully tested or monitored, they become regulatory liabilities regardless of their performance benefits.

This explains why banks are investing heavily in testing capabilities, synthetic data governance, model monitoring and quality engineering. QA teams are being asked to do more not because regulators are obsessed with testing, but because testing is the only place where AI governance can be evidenced consistently.

Tomorrow, in the final instalment of this series, we look at why AI governance in QA has become a global concern for international banking groups, and how large firms such as Allianz and AstraZeneca are responding to this trend. Also, we scrutinise why global bodies and lawmakers are increasingly framing AI risk as a systemic issue that must be tested, not just managed on paper. Please click here if you missed Part I.
