
The New Math of Risk: Foundation Models Rewrite the Quant Playbook

Principal, Capital Markets and AI
The model that read Deutsche Bank's last annual report before its analysts did was not a quant. It was a transformer. That sentence would have sounded silly two years ago. It is now a procurement reality at every major European bank.
At ATCON, we work with risk teams racing to catch up. Foundation models have crossed from the research desk into production. The math is the easy part. The EU AI Act now classifies many of these tools as high-risk systems. DORA is already in force. Nobody on your model risk team trained for this.
Where foundation models are already on the desk
The deployment numbers are no longer experimental. Deutsche Bank, BNP Paribas and ING run internal LLM platforms that thousands of bankers use every day. JPMorgan's LLM Suite is used by more than 200,000 employees. In January, the bank built a new quant trading group around these tools. This is not a chatbot rollout. It is workflow infrastructure.
The use cases are concrete. HSBC and Santander use LLMs to read earnings transcripts before human analysts get them. UBS pipes summarized supply-chain text into signal generation. Société Générale runs LLMs against satellite-imagery commentary. JPMorgan's IndexGPT builds thematic equity baskets that clients actually trade. BloombergGPT lives inside research workflows on both sides of the Atlantic.
None of this replaces the quant. It changes what the quant does between 7am and 9am.
The math has not been the hard part of risk for years. The hard part is governing a model your bank does not own and cannot fully see.
Why the old playbook was built for a world that is gone
Old model risk rules assumed a model you could draw a box around. Deterministic outputs. Code your team wrote. A clean back-test. A validation team that could rerun the model on a Tuesday and get the same answer it got on Monday. That world produced a generation of model risk managers, and they are very good at it.
Foundation models break every one of those assumptions:
Stochastic by design: The same prompt can produce different outputs at any temperature above zero. That covers most production settings.
Third-party hosted: The weights sit at OpenAI, Anthropic or a hyperscaler. Your validators cannot see them.
Continuously updated: The vendor pushes a new checkpoint. Your "validated" model is now a different model.
Trained on opaque data: The data lineage your old framework demanded does not exist in any form a regulator would accept.
The Bank for International Settlements has been blunt about the second-order effect. When every major bank runs inference against the same three or four foundation models, you do not just have model risk. You have correlated risk across the system, plus vendor concentration that supervisors have not begun to price.

The EU AI Act, DORA and EBA guidance now stack on top of bank model risk frameworks.
The 2026 reset and why "high-risk" is the most important phrase in European banking
From August 2, 2026, the EU AI Act applies its full high-risk regime to AI used in credit scoring and other regulated bank decisions. DORA has been in force since January 2025. It puts strict rules on critical third-party tech providers and information-sharing about incidents. Together, these two laws cover almost every foundation-model use case a bank can name. The European Banking Authority has signaled more guidance is coming. The European Central Bank is already asking supervised banks how they plan to control these tools.
For risk and quant leaders, this is not a free pass. The Federal Reserve and the OCC retired their old guidance, SR 11-7, on April 17, 2026 and pushed generative AI out of formal scope while they collect input. Examiners on both sides of the Atlantic are already applying old expectations by analogy to LLM underwriting assistants, AML triage agents and credit-memo drafters. The bank that walks into a 2027 exam with no governance posture on its foundation-model stack will be graded against rules that were not written down when it deployed them. That is an expensive place to stand.
Treat every foundation model as high-risk until proven otherwise
Examiners are not waiting for new rules. They are grading you against old ones, by analogy, and they will keep doing it until the law catches up.
The EU AI Act's high-risk classification is decision-based, not technology-based. A model that touches credit, capital, AML or client-facing investment selection is structurally high-risk. Do not let "it is just a copilot" framing downgrade the inventory. If a person signs off on output the model produced, the model is in the decision chain. Document it that way.
Govern the vendor stack like it is part of your model
The classical risk move still works. Build a deterministic challenger model your team can rerun against the same data. Run it on a fixed cadence, not just at deployment. That is the cleanest way to catch silent vendor drift. Pair it with contractual visibility into checkpoint changes. Pin down a defensible position on data residency for Azure OpenAI Service or Azure AI Foundry. Add an exit plan that does not assume the vendor will be there in 2028. Recent academic work on generative AI risk makes the same point. Continuous adaptation by the vendor is itself a model change. Your governance has to treat it that way. The model card alone is not enough.
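A minimal sketch of the challenger check described above, added here as an example and not ATCON's or any vendor's code. The evaluation set, keyword lists, checkpoint id and 10-point tolerance are constructed assumptions; vendor outputs are sampled three times per document so that stochastic variation does not register as drift.

```python
from collections import Counter

# Constructed frozen evaluation set (not real bank data).
EVAL_SET = [
    ("d1", "Revenue up 12 percent, guidance raised"),
    ("d2", "Covenant breach reported, liquidity strained"),
    ("d3", "Margins flat, outlook unchanged"),
    ("d4", "Profit warning issued after impairment"),
]
NEGATIVE = ("breach", "warning", "impairment", "strained")
POSITIVE = ("raised", "upgrade")

def challenger(text):
    """Deterministic keyword challenger: same input, same label, every run."""
    t = text.lower()
    if any(w in t for w in NEGATIVE):
        return "negative"
    if any(w in t for w in POSITIVE):
        return "positive"
    return "neutral"

def majority(samples):
    """Collapse repeated stochastic vendor samples into one label."""
    return Counter(samples).most_common(1)[0][0]

def agreement(samples_by_doc):
    """Share of documents where the vendor majority label matches the challenger."""
    hits = sum(majority(samples_by_doc[d]) == challenger(t) for d, t in EVAL_SET)
    return hits / len(EVAL_SET)

def drift_report(baseline, current, tolerance=0.10):
    base, cur = agreement(baseline["samples"]), agreement(current["samples"])
    return {
        "baseline_agreement": base,
        "current_agreement": cur,
        "checkpoint_changed": baseline["checkpoint"] != current["checkpoint"],
        "drift": base - cur > tolerance,
    }

# Constructed vendor runs: three samples per document, hypothetical checkpoint id.
BASELINE = {"checkpoint": "ckpt-A", "samples": {
    "d1": ["positive", "positive", "neutral"], "d2": ["negative"] * 3,
    "d3": ["neutral", "neutral", "positive"], "d4": ["negative"] * 3}}
CURRENT = {"checkpoint": "ckpt-A", "samples": {
    "d1": ["positive"] * 3, "d2": ["neutral", "neutral", "negative"],
    "d3": ["positive", "positive", "neutral"], "d4": ["negative"] * 3}}

if __name__ == "__main__":
    print(drift_report(BASELINE, CURRENT))
```

In the constructed runs the checkpoint id is unchanged while agreement with the challenger falls, which is the silent-drift case; a scheduled job would alert on either flag.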
If your foundation-model stack is in production but not in your inventory, that is the first conversation. ATCON's Capital Markets and AI team runs model-inventory walkthroughs ahead of supervisory exams. We help risk and quant leaders build a governance posture that holds up under EU AI Act, DORA and EBA review.
