The Moment the Calculus Changed
In April 2026, Anthropic's Claude Mythos Preview did something no AI model had done before: it completed a 32-step simulated corporate network attack from initial reconnaissance through to full network takeover, autonomously, in 3 out of 10 attempts. The simulation, built by the UK's AI Security Institute (AISI), was designed to replicate the kind of sustained operation that would take a team of human security professionals an estimated 20 hours to execute. Mythos completed it with a fraction of the human effort required.
That result, published by the AISI on April 13, 2026, was not a theoretical warning. It was a benchmark. And it arrived five months after Anthropic had already disclosed the first documented large-scale cyberattack executed without substantial human intervention, in which a Chinese state-sponsored group used Claude Code to compromise financial institutions and government agencies across roughly 30 global targets.
For banking boards, commercial leaders, and the regulators watching them, the question has shifted. It is no longer whether agentic AI can be weaponised against financial infrastructure. It can. The question now is whether your governance framework, your incident response capacity, and your board-level risk ownership are ready for what follows.
What Mythos Actually Did: The AISI Findings
The AISI has been tracking AI cyber capabilities since 2023. Two years ago, the best available models could barely complete beginner-level cyber tasks. By April 2026, the trajectory had accelerated to a degree that the Institute itself described as a step-change rather than an incremental improvement.
On expert-level capture-the-flag (CTF) challenges, tasks that no model could complete before April 2025, Mythos Preview succeeded 73% of the time. But CTF challenges test specific skills in isolation. The more significant result came from "The Last Ones" (TLO), the AISI's 32-step corporate network attack simulation spanning initial reconnaissance through to full network takeover.
Mythos Preview is the first model to solve TLO from start to finish. Across all its attempts, it completed an average of 22 out of 32 steps. The previous best performer, Claude Opus 4.6, averaged 16 steps. The AISI also noted that performance continues to scale with additional compute, tested up to a 100 million token budget, with no ceiling yet identified.
The AISI was careful to note the limitations of its evaluation. The ranges lack active defenders, defensive tooling, and penalties for actions that would trigger security alerts. Mythos could not complete the Institute's operational technology-focused range. But the directional signal is unambiguous: "capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained."
The financial sector's legacy infrastructure, patchwork integrations, and decades of accumulated technical debt represent precisely the kind of environment where that capability becomes a material risk.
The Espionage Campaign That Came First
The AISI evaluation was not the first warning. In November 2025, Anthropic disclosed what it described as the first documented case of a large-scale cyberattack executed without substantial human intervention.
In mid-September 2025, Anthropic detected suspicious activity from a Chinese state-sponsored group that had manipulated Claude Code into executing a multi-phase espionage campaign against roughly 30 global targets, including financial institutions, large technology companies, chemical manufacturers, and government agencies. The attackers bypassed Claude's safety guardrails by jailbreaking the model: breaking the attack into small, seemingly innocent tasks, and telling Claude it was an employee of a legitimate cybersecurity firm conducting defensive testing.
The attack proceeded in phases. Claude conducted reconnaissance, identifying high-value databases. It then researched and wrote its own exploit code, harvested credentials, created backdoors, exfiltrated data categorised by intelligence value, and produced comprehensive documentation of the operation for use in future campaigns. AI performed 80 to 90 percent of the campaign. Human operators intervened at only 4 to 6 critical decision points per campaign. At peak, the AI made thousands of requests, often multiple per second, a speed that would have been, as Anthropic noted, "simply impossible to match" for human hackers.
The WEF reported in June 2026 that AI-enabled hackers increased their attacks by 89% year-on-year in 2025. The September 2025 campaign was not an isolated incident. It was the documented leading edge of a structural shift.
Project Glasswing and the Vulnerability Disclosure Problem
In April 2026, Anthropic announced Project Glasswing: a controlled pilot programme designed to prepare organisations for the arrival of Mythos. The model, described by Anthropic as too risky to release publicly, had already discovered thousands of high-severity vulnerabilities in virtually every major operating system and web browser.
Several major US banks received pilot access. Jamie Dimon, CEO of JPMorgan, confirmed publicly that Mythos had identified vulnerabilities in JPMorgan's systems that required remediation. The model's capabilities were presented at the IMF and World Bank Spring 2026 meetings, where the reaction from the most senior financial officials in the world was notable for its directness.
Andrew Bailey, Governor of the Bank of England and Chair of the Financial Stability Board, called it "a very serious challenge for us all." Christine Lagarde, President of the ECB, warned that if the technology falls into the wrong hands, the consequences could be "really bad." François-Louis Michaud, head of the European Banking Authority, stated that the risks and opportunities from the new technology were one of the EBA's top priorities.
Anthropic's own guidance to organisations was stark: review vulnerability disclosure policies to account for the scale of bugs that language models may soon reveal; automate incident response pipelines because most programmes are not adequately staffed for the expected volume of incidents; and prepare for a trajectory that may lead to a rapid increase in detected vulnerabilities until software is hardened, ironically in large part through code written by these same models.
The ECB's June 2026 Warning: A Structural Shift in Cyber Economics
On June 3, 2026, ECB Executive Board member Frank Elderson delivered a keynote at the Goldman Sachs European Financials Conference in Zurich that went significantly further than standard supervisory language. Speaking on operational resilience in the age of AI, Elderson described Mythos as representing "a structural shift in the economics of cyber risk" and identified three specific characteristics that distinguish it from previous threats.
First, it can discover and exploit vulnerabilities at a speed and scale far beyond what has been seen before. Second, it can combine seemingly minor vulnerabilities into serious attacks. Third, it can help reverse-engineer patches into exploitable vulnerabilities, and do so at unprecedented speed. The cumulative effect, Elderson argued, is that "the marginal cost of identifying and exploiting vulnerabilities in IT systems will decline, possibly by orders of magnitude."
He was explicit about the implications for institutions that consider themselves well-defended: "Current evidence suggests that these models may be effective not only against environments with weak levels of defense but also against standards that were once previously considered state of the art."
The ECB's response was not limited to speeches. The following week, the ECB sent a "dear CEO letter" to all banks under its supervision, requesting proactive measures. Elderson also framed the governance imperative in terms that should register at board level: AI cyber challenges "should not be viewed solely as a cybersecurity issue. They are a firm-wide strategic challenge with potential implications for banks' safety and soundness. It is therefore essential that banks' management bodies take clear ownership of the issue."
For context, more than 85% of banks under European banking supervision already use AI in some form. The ECB is not warning about a future risk. It is warning about a risk embedded in systems that are already running.
DORA and the Regulatory Framework That Now Has to Stretch
The EU's Digital Operational Resilience Act (DORA) became applicable in January 2025. It was designed to create a single regime for ICT risk management across the European financial sector, with explicit recognition that a localised breach does not merely affect one institution but can propagate across the broader financial ecosystem.
Legal analysis published by Stibbe in May 2026 examined the specific DORA obligations that AI-driven threats like Mythos now stress-test. Article 13 requires firms to monitor technological developments continuously and keep ICT risk management processes up to date to counter the latest forms of cyberattacks. Article 26 requires identified financial entities to carry out threat-led penetration testing (TLPT) every three years, mimicking the techniques of real-life threat actors. With Mythos, using an AI model to autonomously chain vulnerabilities within a system may now be part of the required testing capabilities.
The more urgent concern sits in Articles 10 and 11, which govern detection, response, and recovery. Stibbe's analysis concluded that AI-generated exploits may soon no longer be appropriately addressed by traditional cybersecurity software, and that financial entities may need to fundamentally review their implementation of both articles, including the deployment of AI-assisted detection mechanisms.
Third-party risk is an additional pressure point. DORA requires that contracts with ICT providers supporting critical functions contain adequate security measures. As AI models become capable of discovering vulnerabilities at scale in the software that underpins financial infrastructure, the contractual and governance requirements for third-party ICT relationships will need to reflect that reality.
BaFin, the PRA, and the Regulatory Layer That Is Coming
The ECB is not acting alone. BaFin, Germany's federal financial regulator, published its Risks in Focus 2026 report identifying digitalisation, including AI, as a primary supervisory priority. In 2026, BaFin is developing a concept for anchoring supervision of AI systems within its framework in accordance with the EU AI Act, building on existing AI supervision already in place for the German financial sector.
In the UK, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) are operating within a parliamentary inquiry into AI in financial services, launched in February 2025, which is examining both the opportunities and the systemic risks posed by AI. The Bank of England's Andrew Bailey has already placed AI cyber risk at the level of the Financial Stability Board's agenda.
The US Office of the Comptroller of the Currency (OCC) signalled in May 2026 that AI governance guidance is on the horizon, recognising both the threat and the opportunity for banks to deploy AI defensively. The pattern across jurisdictions is consistent: regulators are moving from observation to mandate, and the mandate will arrive faster than most boards currently anticipate.
The practical implication for any bank or financial institution operating across multiple jurisdictions is that AI cyber risk governance is no longer a single-regulator conversation. It is a multi-regulator, multi-framework obligation that requires board-level ownership, not delegation to IT middle management.
Finance Is the Opening Act
The financial sector is being called first because it presents the most concentrated combination of systemic interdependency, legacy infrastructure, and regulatory accountability. A breach that propagates through a major bank's settlement systems, as the 2023 ICBC ransomware attack demonstrated, can disrupt markets that are entirely unrelated to the original target. When the largest bank in the world by assets had to dispatch a courier with a USB stick across Manhattan to meet its Treasury settlement obligations, the fragility of the underlying architecture became impossible to ignore.
Mythos and its successors will not stop at financial services. Every sector with networked infrastructure, legacy code, and meaningful interdependencies faces the same structural shift in attack economics. Healthcare, energy, telecommunications, and defence procurement are all on the same trajectory. Finance is simply the sector where the regulatory accountability is most clearly defined and the consequences of failure are most immediately systemic.
The organisations that will be best positioned are those that treat this as a board-level governance question now, before the regulatory mandate arrives. That means investing in agentic AI defence capabilities alongside agentic AI offence awareness, building incident response capacity that can handle AI-scale vulnerability discovery, and ensuring that third-party ICT contracts reflect the new threat environment.
It also means being honest about the content and communications dimension of AI risk governance. When regulators, investors, and counterparties begin asking "what safeguards do you have against AI-assisted attacks?", the answer will need to be specific, evidenced, and board-endorsed. That question will sound as basic as "how are you patching vulnerabilities?" within 18 months. The organisations that have already built the answer will be at a material advantage.
For commercial and marketing leaders, the implication extends beyond IT governance. AI strategy that does not account for the risk dimension of agentic AI deployment, including the reputational and regulatory exposure of AI-assisted operations, is incomplete. The same capabilities that make AI valuable for pipeline generation, content automation, and demand generation also make AI a vector for reputational and operational risk if governance frameworks are not in place.
The ECB's Frank Elderson put it plainly: "In musical terms, andante may have previously been good enough, but now we need to move to presto." For banking boards and commercial leaders, the tempo has already changed. The question is whether your governance framework has kept pace.
What Commercial and Marketing Leaders Should Do Now
The regulatory and security dimensions of AI cyber risk are not the exclusive concern of CISOs and risk committees. Commercial leaders who are deploying agentic AI in GTM operations, content pipelines, and demand generation programmes need to understand the governance environment in which those deployments operate. Three actions are immediately relevant.
First, ensure that your AI deployment governance includes an explicit assessment of how agentic AI tools in your stack could be misused or weaponised, and that this assessment has been reviewed at board level. The ECB's framing is instructive: this is a fiduciary question, not an IT question. For a deeper look at how agentic AI is reshaping B2B pipeline strategy, see our analysis of Agent-Qualified Leads and the shift from MQL frameworks.
Second, review your incident response capacity against the scale of vulnerability discovery that AI models are now capable of generating. If your programme was designed for a pre-AI threat environment, it is likely under-resourced for what is coming. The AI visibility and citation gap that commercial teams are navigating in search is a parallel signal: the organisations that invest in AI-native capabilities now will be better positioned across both the opportunity and the risk dimensions.
Third, engage with the regulatory timeline proactively. The ECB's "dear CEO letter" has already been sent. BaFin's AI supervision framework is in development. The PRA and FCA are mid-inquiry. The organisations that arrive at the regulatory conversation with a documented, board-endorsed AI risk governance framework will have a materially different experience than those that are still building one when the mandate arrives. If you want to understand how AI governance intersects with your commercial strategy, start with a free AI growth audit.
About the Author
Modi Elnadi is Founder and Director of Marketing and AI Growth at Integrated.Social, a London-based B2B AI growth marketing agency. Modi has spent over a decade building commercial AI strategy for enterprise technology, financial services, and professional services clients, with a particular focus on the governance and risk dimensions of agentic AI deployment. His work spans AI-native GTM architecture, demand generation, and the intersection of AI capability and regulatory accountability that is now reshaping how boards think about AI investment. He advises commercial and technology leaders on building AI programmes that are both commercially effective and governance-ready for the regulatory environment that is rapidly taking shape across the ECB, PRA, BaFin, and OCC jurisdictions.
The Moment the Calculus Changed
In April 2026, Anthropic's Claude Mythos Preview did something no AI model had done before: it completed a 32-step simulated corporate network attack from initial reconnaissance through to full network takeover, autonomously, in 3 out of 10 attempts. The simulation, built by the UK's AI Security Institute (AISI), was designed to replicate the kind of sustained operation that would take a team of human security professionals an estimated 20 hours to execute. Mythos completed it with a fraction of the human effort required.
That result, published by the AISI on April 13, 2026, was not a theoretical warning. It was a benchmark. And it arrived five months after Anthropic had already disclosed the first documented large-scale cyberattack executed without substantial human intervention, in which a Chinese state-sponsored group used Claude Code to compromise financial institutions and government agencies across roughly 30 global targets.
For banking boards, commercial leaders, and the regulators watching them, the question has shifted. It is no longer whether agentic AI can be weaponised against financial infrastructure. It can. The question now is whether your governance framework, your incident response capacity, and your board-level risk ownership are ready for what follows.
What Mythos Actually Did: The AISI Findings
The AISI has been tracking AI cyber capabilities since 2023. Two years ago, the best available models could barely complete beginner-level cyber tasks. By April 2026, the trajectory had accelerated to a degree that the Institute itself described as a step-change rather than an incremental improvement.
On expert-level capture-the-flag (CTF) challenges, tasks that no model could complete before April 2025, Mythos Preview succeeded 73% of the time. But CTF challenges test specific skills in isolation. The more significant result came from "The Last Ones" (TLO), the AISI's 32-step corporate network attack simulation spanning initial reconnaissance through to full network takeover.
Mythos Preview is the first model to solve TLO from start to finish. Across all its attempts, it completed an average of 22 out of 32 steps. The previous best performer, Claude Opus 4.6, averaged 16 steps. The AISI also noted that performance continues to scale with additional compute, tested up to a 100 million token budget, with no ceiling yet identified.
The AISI was careful to note the limitations of its evaluation. The ranges lack active defenders, defensive tooling, and penalties for actions that would trigger security alerts. Mythos could not complete the Institute's operational technology-focused range. But the directional signal is unambiguous: "capable of autonomously attacking small, weakly defended and vulnerable enterprise systems where access to a network has been gained."
The financial sector's legacy infrastructure, patchwork integrations, and decades of accumulated technical debt represent precisely the kind of environment where that capability becomes a material risk.
The Espionage Campaign That Came First
The AISI evaluation was not the first warning. In November 2025, Anthropic disclosed what it described as the first documented case of a large-scale cyberattack executed without substantial human intervention.
In mid-September 2025, Anthropic detected suspicious activity from a Chinese state-sponsored group that had manipulated Claude Code into executing a multi-phase espionage campaign against roughly 30 global targets, including financial institutions, large technology companies, chemical manufacturers, and government agencies. The attackers bypassed Claude's safety guardrails by jailbreaking the model: breaking the attack into small, seemingly innocent tasks, and telling Claude it was an employee of a legitimate cybersecurity firm conducting defensive testing.
The attack proceeded in phases. Claude conducted reconnaissance, identifying high-value databases. It then researched and wrote its own exploit code, harvested credentials, created backdoors, exfiltrated data categorised by intelligence value, and produced comprehensive documentation of the operation for use in future campaigns. AI performed 80 to 90 percent of the campaign. Human operators intervened at only 4 to 6 critical decision points per campaign. At peak, the AI made thousands of requests, often multiple per second, a speed that would have been, as Anthropic noted, "simply impossible to match" for human hackers.
The WEF reported in June 2026 that AI-enabled hackers increased their attacks by 89% year-on-year in 2025. The September 2025 campaign was not an isolated incident. It was the documented leading edge of a structural shift.
Project Glasswing and the Vulnerability Disclosure Problem
In April 2026, Anthropic announced Project Glasswing: a controlled pilot programme designed to prepare organisations for the arrival of Mythos. The model, described by Anthropic as too risky to release publicly, had already discovered thousands of high-severity vulnerabilities in virtually every major operating system and web browser.
Several major US banks received pilot access. Jamie Dimon, CEO of JPMorgan, confirmed publicly that Mythos had identified vulnerabilities in JPMorgan's systems that required remediation. The model's capabilities were presented at the IMF and World Bank Spring 2026 meetings, where the reaction from the most senior financial officials in the world was notable for its directness.
Andrew Bailey, Governor of the Bank of England and Chair of the Financial Stability Board, called it "a very serious challenge for us all." Christine Lagarde, President of the ECB, warned that if the technology falls into the wrong hands, the consequences could be "really bad." François-Louis Michaud, head of the European Banking Authority, stated that the risks and opportunities from the new technology were one of the EBA's top priorities.
Anthropic's own guidance to organisations was stark: review vulnerability disclosure policies to account for the scale of bugs that language models may soon reveal; automate incident response pipelines because most programmes are not adequately staffed for the expected volume of incidents; and prepare for a trajectory that may lead to a rapid increase in detected vulnerabilities until software is hardened, ironically in large part through code written by these same models.
The ECB's June 2026 Warning: A Structural Shift in Cyber Economics
On June 3, 2026, ECB Executive Board member Frank Elderson delivered a keynote at the Goldman Sachs European Financials Conference in Zurich that went significantly further than standard supervisory language. Speaking on operational resilience in the age of AI, Elderson described Mythos as representing "a structural shift in the economics of cyber risk" and identified three specific characteristics that distinguish it from previous threats.
First, it can discover and exploit vulnerabilities at a speed and scale far beyond what has been seen before. Second, it can combine seemingly minor vulnerabilities into serious attacks. Third, it can help reverse-engineer patches into exploitable vulnerabilities, and do so at unprecedented speed. The cumulative effect, Elderson argued, is that "the marginal cost of identifying and exploiting vulnerabilities in IT systems will decline, possibly by orders of magnitude."
He was explicit about the implications for institutions that consider themselves well-defended: "Current evidence suggests that these models may be effective not only against environments with weak levels of defense but also against standards that were once previously considered state of the art."
The ECB's response was not limited to speeches. The following week, the ECB sent a "dear CEO letter" to all banks under its supervision, requesting proactive measures. Elderson also framed the governance imperative in terms that should register at board level: AI cyber challenges "should not be viewed solely as a cybersecurity issue. They are a firm-wide strategic challenge with potential implications for banks' safety and soundness. It is therefore essential that banks' management bodies take clear ownership of the issue."
For context, more than 85% of banks under European banking supervision already use AI in some form. The ECB is not warning about a future risk. It is warning about a risk embedded in systems that are already running.
DORA and the Regulatory Framework That Now Has to Stretch
The EU's Digital Operational Resilience Act (DORA) became applicable in January 2025. It was designed to create a single regime for ICT risk management across the European financial sector, with explicit recognition that a localised breach does not merely affect one institution but can propagate across the broader financial ecosystem.
Legal analysis published by Stibbe in May 2026 examined the specific DORA obligations that AI-driven threats like Mythos now stress-test. Article 13 requires firms to monitor technological developments continuously and keep ICT risk management processes up to date to counter the latest forms of cyberattacks. Article 26 requires identified financial entities to carry out threat-led penetration testing (TLPT) every three years, mimicking the techniques of real-life threat actors. With Mythos, using an AI model to autonomously chain vulnerabilities within a system may now be part of the required testing capabilities.
The more urgent concern sits in Articles 10 and 11, which govern detection, response, and recovery. Stibbe's analysis concluded that AI-generated exploits may soon no longer be appropriately addressed by traditional cybersecurity software, and that financial entities may need to fundamentally review their implementation of both articles, including the deployment of AI-assisted detection mechanisms.
Third-party risk is an additional pressure point. DORA requires that contracts with ICT providers supporting critical functions contain adequate security measures. As AI models become capable of discovering vulnerabilities at scale in the software that underpins financial infrastructure, the contractual and governance requirements for third-party ICT relationships will need to reflect that reality.
BaFin, the PRA, and the Regulatory Layer That Is Coming
The ECB is not acting alone. BaFin, Germany's federal financial regulator, published its Risks in Focus 2026 report identifying digitalisation, including AI, as a primary supervisory priority. In 2026, BaFin is developing a concept for anchoring supervision of AI systems within its framework in accordance with the EU AI Act, building on existing AI supervision already in place for the German financial sector.
In the UK, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) are operating within a parliamentary inquiry into AI in financial services, launched in February 2025, which is examining both the opportunities and the systemic risks posed by AI. The Bank of England's Andrew Bailey has already placed AI cyber risk at the level of the Financial Stability Board's agenda.
The US Office of the Comptroller of the Currency (OCC) signalled in May 2026 that AI governance guidance is on the horizon, recognising both the threat and the opportunity for banks to deploy AI defensively. The pattern across jurisdictions is consistent: regulators are moving from observation to mandate, and the mandate will arrive faster than most boards currently anticipate.
The practical implication for any bank or financial institution operating across multiple jurisdictions is that AI cyber risk governance is no longer a single-regulator conversation. It is a multi-regulator, multi-framework obligation that requires board-level ownership, not delegation to IT middle management.
Finance Is the Opening Act
The financial sector is being called first because it presents the most concentrated combination of systemic interdependency, legacy infrastructure, and regulatory accountability. A breach that propagates through a major bank's settlement systems, as the 2023 ICBC ransomware attack demonstrated, can disrupt markets that are entirely unrelated to the original target. When the largest bank in the world by assets had to dispatch a courier with a USB stick across Manhattan to meet its Treasury settlement obligations, the fragility of the underlying architecture became impossible to ignore.
Mythos and its successors will not stop at financial services. Every sector with networked infrastructure, legacy code, and meaningful interdependencies faces the same structural shift in attack economics. Healthcare, energy, telecommunications, and defence procurement are all on the same trajectory. Finance is simply the sector where the regulatory accountability is most clearly defined and the consequences of failure are most immediately systemic.
The organisations that will be best positioned are those that treat this as a board-level governance question now, before the regulatory mandate arrives. That means investing in agentic AI defence capabilities alongside agentic AI offence awareness, building incident response capacity that can handle AI-scale vulnerability discovery, and ensuring that third-party ICT contracts reflect the new threat environment.
It also means being honest about the content and communications dimension of AI risk governance. When regulators, investors, and counterparties begin asking "what safeguards do you have against AI-assisted attacks?", the answer will need to be specific, evidenced, and board-endorsed. That question will sound as basic as "how are you patching vulnerabilities?" within 18 months. The organisations that have already built the answer will be at a material advantage.
For commercial and marketing leaders, the implication extends beyond IT governance. AI strategy that does not account for the risk dimension of agentic AI deployment, including the reputational and regulatory exposure of AI-assisted operations, is incomplete. The same capabilities that make AI valuable for pipeline generation, content automation, and demand generation also make AI a vector for reputational and operational risk if governance frameworks are not in place.
The ECB's Frank Elderson put it plainly: "In musical terms, andante may have previously been good enough, but now we need to move to presto." For banking boards and commercial leaders, the tempo has already changed. The question is whether your governance framework has kept pace.
What Commercial and Marketing Leaders Should Do Now
The regulatory and security dimensions of AI cyber risk are not the exclusive concern of CISOs and risk committees. Commercial leaders who are deploying agentic AI in GTM operations, content pipelines, and demand generation programmes need to understand the governance environment in which those deployments operate. Three actions are immediately relevant.
First, ensure that your AI deployment governance includes an explicit assessment of how agentic AI tools in your stack could be misused or weaponised, and that this assessment has been reviewed at board level. The ECB's framing is instructive: this is a fiduciary question, not an IT question. For a deeper look at how agentic AI is reshaping B2B pipeline strategy, see our analysis of Agent-Qualified Leads and the shift from MQL frameworks.
Second, review your incident response capacity against the scale of vulnerability discovery that AI models are now capable of generating. If your programme was designed for a pre-AI threat environment, it is likely under-resourced for what is coming. The AI visibility and citation gap that commercial teams are navigating in search is a parallel signal: the organisations that invest in AI-native capabilities now will be better positioned across both the opportunity and the risk dimensions.
Third, engage with the regulatory timeline proactively. The ECB's "dear CEO letter" has already been sent. BaFin's AI supervision framework is in development. The PRA and FCA are mid-inquiry. The organisations that arrive at the regulatory conversation with a documented, board-endorsed AI risk governance framework will have a materially different experience than those that are still building one when the mandate arrives. If you want to understand how AI governance intersects with your commercial strategy, start with a free AI growth audit.
About the Author
Modi Elnadi is Founder and Director of Marketing and AI Growth at Integrated.Social, a London-based B2B AI growth marketing agency. Modi has spent over a decade building commercial AI strategy for enterprise technology, financial services, and professional services clients, with a particular focus on the governance and risk dimensions of agentic AI deployment. His work spans AI-native GTM architecture, demand generation, and the intersection of AI capability and regulatory accountability that is now reshaping how boards think about AI investment. He advises commercial and technology leaders on building AI programmes that are both commercially effective and governance-ready for the regulatory environment that is rapidly taking shape across the ECB, PRA, BaFin, and OCC jurisdictions.



