
The boring AI your risk committee can approve

May 17, 2026 · 5 min read · Dhruv Jain

I’ve been watching risk committee reviews at regulated firms in Hong Kong and Singapore this quarter, and the same pattern keeps playing out in nearly every one.

A team proposes an AI tool. Someone on the committee asks whether this is state of the art. The answer is yes. The approval process then takes 4 more months.

The tools that cleared review fastest all shared a common description: auditable, documented, and defensible. Not the latest model and not the best benchmarks, just defensible.

This isn’t a failure of the committee. It’s the committee doing exactly what it’s supposed to do, because risk committees at regulated firms don’t evaluate AI for performance. They evaluate it for explainability, and those are very different questions.

The 2023 model that cleared faster than GPT-4

At one firm I spoke to this quarter, a model from 2023 with full documentation cleared approval in 3 weeks. A newer model with no audit trail has been sitting in review for 6 months at the same firm, and both went through the same risk committee using the same standards and the same process.

The difference was entirely in the documentation.

The 2023 model came with a named oversight person, a complete change log, a 6-month track record of stable operation, and an explanation that a non-technical auditor could follow from start to finish. The newer model came with a benchmark sheet showing better performance on 7 out of 9 metrics, and nothing else.

The committee doesn’t care about benchmarks. The committee cares about whether the firm can defend its use of this tool when a regulator walks in and starts asking follow-up questions.

What “defensible” actually means

When risk committees evaluate an AI tool, they’re running a mental simulation. The simulation goes like this: an auditor walks in, asks about this tool, and follows up three times with increasingly specific questions. Can the firm answer every single one without scrambling?

When I break down what defensible actually means in a risk committee context, it comes down to five specific things.

The first is having a named person responsible. “Who’s responsible for oversight of this system?” needs an actual name attached to it, not “the compliance team” as a collective noun.

The second is an audit trail showing every decision about the system: when it was approved, when it was last reviewed, what changes were made since then, and who approved those changes.

The third is explainability. A non-technical board member needs to be able to understand what the system does and why the firm uses it. If the explanation requires a machine learning background to parse, the tool isn’t defensible for a regulated firm regardless of how well it performs on its intended task.

The fourth is output tracking, meaning the firm knows exactly where the tool’s output goes after it’s generated and who ends up receiving it. If the output reaches clients, counterparties, or regulators, the documentation needs to say so explicitly.

The fifth is risk classification under whatever regulatory framework applies to your jurisdiction. For firms with EU exposure, this means knowing whether the system falls into the EU AI Act’s high-risk category (credit scoring, employment screening), limited-risk category (customer-facing chatbots), or minimal-risk category.

The practical filter

For compliance leads trying to get AI tools approved at their firms, here’s the filter I’ve been recommending in conversations this quarter.

Before you bring a tool to the risk committee, answer these five questions honestly. Can you name the specific person who will own ongoing oversight of this system? Can you describe what it does in two sentences that a non-technical board member would understand without follow-up? Do you know where the system’s output goes, and if it reaches EU residents, do you know your firm’s relevant obligations under the EU AI Act? Is there a change log and review schedule already documented somewhere accessible? And if an auditor asked why you chose this tool over alternatives, could you answer without referencing benchmarks?

If you can answer all five, the committee review will go dramatically faster because you’ve already done the work the committee would have sent you back to do. If you can’t answer any of them, that’s the work to do first, not the vendor demo and not the performance comparison.

Why this matters beyond compliance

There’s a business reason to embrace boring AI, not just a regulatory one.

The firms I’ve talked to that extract the most value from AI tools aren’t running the most sophisticated stack. They’re the ones whose teams actually use the tools every day, because the tools are approved, the teams trust them, and nobody’s worried about getting flagged for using something they shouldn’t be using.

Shadow AI creates a drag on the entire organization that’s hard to measure but easy to feel. People use tools they suspect they shouldn’t be using, so they don’t integrate them into real workflows because those tools might get taken away. They don’t share what they’ve learned with colleagues because they’d have to admit they were using something unapproved. Knowledge stays siloed, and the organization pays a hidden tax on every hour of productivity those tools could have generated.

Approved, documented, boring AI removes all of that friction at once. Teams use the tool openly, they integrate it into actual workflows, they share what works with other departments, and productivity compounds instead of staying trapped in individual workarounds.

The boring tool your risk committee approves in 3 weeks generates more value over a year than the sophisticated tool that never gets out of review.

The floor, not the ceiling

I want to be clear about what I’m recommending here. Boring AI isn’t the ceiling for what your firm should aspire to. It’s the floor that your entire AI governance program needs to be built on before you start reaching for anything more capable.

Start with the tools your risk committee can approve quickly. Build the documentation, the oversight structures, and the review cycles. Get comfortable with AI that’s fully defensible and build internal confidence that the firm can govern these tools effectively.

Then, from that position of compliance strength, evaluate whether newer tools add enough incremental value to justify the additional documentation work required to make them defensible too. Some will clear that bar and be worth the effort, but many won’t once you account for the real cost of governance at a regulated firm.

The firms that start with boring AI and expand from a position of strength will outperform the ones that start with the most capable tools available and spend two years trying to retroactively make them compliant.


If you’d like the 5-question pre-approval checklist I mentioned above, reply to this email and I’ll send it over. It’s free, takes about 30 minutes to work through, and it’ll tell you exactly where your AI register stands before any committee review.
