Banking Dive this week made a claim that should sit uncomfortably with anyone still treating AI as a sandbox experiment: artificial intelligence is already reshaping financial services, and the rules will arrive afterwards — not before. It is a familiar pattern. Technology moves, deployment scales, and supervisors codify the expectations later, often around the very failures early adopters could not explain.
That sequencing matters. It means the institutions exposed to future enforcement are precisely those shipping AI today without the controls tomorrow's regulators will demand. And the direction of travel is not a mystery. Between the EU AI Act's phase-in, FINMA's governance expectations and the ECB's supervisory tone, the substance is already visible: traceability, human oversight, model risk management, and data sovereignty. "Regulation will follow" is not permission to wait. It is a warning about what you will have to retrofit.
Retrofitting compliance is the expensive path
Most generative AI stacks were built to be convincing, not accountable. They summarise plausibly, cite loosely, and reason over embeddings that quietly drift out of date. In a pension fund or a bank, a confident answer with no verifiable source is not a feature — it is an audit finding waiting to happen. Bolting governance onto that architecture after the fact means re-engineering the core, not adding a policy PDF.
We take the opposite view. At Operal we build to the audit bar first, a principle we call Jurisdictional Integrity: no source, no answer; output validation before anything reaches a member or client; human oversight by design; full data sovereignty on Swiss-hosted infrastructure; and live data rather than stale embeddings.
Proof that compliant and useful are not opposites
The objection is always that rigour kills usefulness. It does not. Our fully compliant chatbot for the ASGA Pension Fund serves members around the clock in four languages and won the SonntagsZeitung and Finanz und Wirtschaft Innovationspreis — precisely because it refuses to answer beyond its verified sources. That is not a constraint on the product; it is the product.
If regulation is going to follow AI, the smart move is to already be standing where it lands. Build for the audit you know is coming, and the compliance conversation becomes a formality rather than a fire drill.