The Prudential Authority, housed within the South African Reserve Bank, regulates the prudential safety and soundness of financial institutions. AI raises specific prudential considerations that the PA examines through its supervisory practice and emerging AI-specific guidance.
This article walks through what PA prudential expectations require for AI in SA-licensed banks and other prudentially regulated institutions, with specific attention to model risk, operational resilience, cyber resilience, and outsourcing.
Model risk management for AI
PA model risk management expectations apply to AI models used in regulated activities. The expectations align with international model risk practice, SR 11-7 in the US, SS1-23 in the UK, MAS MRM in Singapore, calibrated to SA context.
Core model risk expectations applied to AI
● Model inventory, every material model including generative AI, foundation models, RAG systems, AI agents
● Model documentation, purpose, methodology, training data where known, performance characteristics, limitations, intended use, monitoring approach
● Initial validation by an independent function before deployment in production, with appropriate technical capability
● Performance monitoring ongoing post-deployment, with defined metrics and triggers for revalidation
● Periodic revalidation calibrated to criticality
● Change management for material model changes including model updates, prompt template changes, RAG knowledge base updates
● Model risk reporting to senior management and the Board with appropriate periodicity
● Decommissioning documented when a model is retired
For generative AI specifically, the institution remains accountable for model risk regardless of where in the AI supply chain the risk originates. Foundation models that the institution did not train still attract model risk obligations, the institution validates what it can validate, documents what it cannot, and accepts residual risk explicitly with appropriate senior management visibility.
Operational risk and resilience
AI is part of the institution's broader operational risk profile. PA expectations on operational risk extend to AI workloads.
● AI risk classification within the broader operational risk framework, concentration, complexity, dependency
● Availability and capacity planning for AI workloads, recognising that AI infrastructure has different scaling characteristics than traditional banking infrastructure
● Disaster recovery for AI components including model artefacts, training data, inference systems, knowledge bases
● Business continuity planning for AI-dependent customer-facing functions, what the institution delivers if foundation model vendors are unavailable, how degraded modes operate
● Cost management for AI workloads, production AI costs can scale unpredictably; cost monitoring is part of operational risk management
Cyber resilience for AI
PA cyber resilience expectations cover AI-specific cyber risks. AI workloads are not exempt from cyber resilience expectations; they attract additional considerations specific to AI.
● Prompt injection defences for LLM workloads, including for both adversarial inputs from external sources and inadvertent injection from documents or knowledge bases
● Model security, protecting deployed models from extraction, weights from theft, fine-tuned variants from unauthorised access
● Training data poisoning defences for institutions training or fine-tuning on their own data
● Model extraction attack defences for institutions exposing model behaviour through APIs
● Supply chain security for foundation model dependencies
● Identity and access management for AI systems, deployment access, prompt management, RAG administration, agent configuration
● Logging and detection of AI-specific incident patterns
Outsourcing and third-party arrangements
Material AI dependencies, foundation model vendors, cloud AI services, specialised AI tooling, are typically material outsourcing arrangements under PA expectations.
● Due diligence on AI vendors covering capability, financial strength, security posture, supervisory engagement history
● Contractual provisions addressing supervisory access, operational requirements, breach notification, exit support
● Ongoing oversight, performance monitoring at the institution level, periodic reassessment, contract review
● Exit planning that is operationally credible, what does the institution do if a critical AI vendor relationship terminates, becomes commercially unviable, or is the subject of regulatory action
● Cross-border data flow implications where AI vendors are foreign-located, with attention to POPIA cross-border requirements and supervisory access expectations
● Sub-contractor visibility, foundation model vendors may depend on other parties (training compute, base model providers, content moderation services); the institution needs to understand the chain
Senior management responsibility
PA expectations on senior management responsibility extend to AI. Specific senior management functions have AI implications:
● Risk management, the CRO or equivalent has accountability for AI risk integration into the broader risk framework
● Technology and operations, accountability for AI infrastructure, AI operational resilience, AI vendor management
● Compliance, accountability for AI compliance with POPIA, FSCA, NCR, FICA, and other applicable frameworks
● Information security, accountability for AI security including AI-specific cyber risks
● Internal audit, independent review of AI governance, model risk management, and AI risk integration
The institution's senior management framework should explicitly address AI rather than leaving AI responsibilities ambiguous between traditional functions. Documented allocation of AI-related senior management responsibilities supports PA examination engagement.
Common implementation pitfalls
● AI workloads treated as exempt from prudential expectations because they are 'experimental', until they aren't experimental anymore but prudential coverage hasn't followed
● Model risk management treated as a Basel-driven exercise without extension to generative AI workloads
● Foundation model vendor contracts signed by procurement without prudential governance review
● Cyber resilience defences inherited from general technology workloads without AI-specific additions
● Exit planning that is theoretical, no demonstrated capability to actually exit a critical AI vendor relationship
● Senior management responsibilities for AI ambiguously allocated, leaving gaps under examination
The shift to make
Stop treating AI workloads as a special category outside the institution's prudential operating model.
Start treating them as fully in scope for prudential expectations, with AI-specific operational additions where the standard playbook does not adequately cover the workload type. The prudential framework remains sound for AI; the operating discipline within each prudential domain needs AI-specific calibration.
Institutions that operate this way pass PA examinations constructively and scale AI capability with the operational discipline the workloads require. Institutions that treat AI as prudentially exempt eventually discover otherwise, typically during an incident or examination, at a higher cost than the cost of integrating AI into prudential operations from the start.
