Senior Manager accountability for AI: what the named individual is actually on the hook for

When AI fails in a regulated function, the supervisor's first question is not technical — it is personal. What SM&CR, BaFin's Geschäftsleiter framework, FINMA's senior-management regime and DORA Article 5 mean for the individual named accountable for AI.

Jarek Glowka
Co-founder, Compliance & Operations

A regulated lender deploys an AI model into its consumer-credit workflow. Six months later, a customer brings a complaint that escalates through the Financial Ombudsman Service. The regulator's review surfaces a pattern of AI declines affecting a protected segment. The supervisor's first question to the institution is not technical. It is procedural. Who, on this senior management team, was personally accountable for the AI's decisions while it was running?

In every European regulated financial services jurisdiction, the answer to that question is a specific named individual, identified in advance, with their accountabilities documented in a statement the regulator has on file. AI does not dilute that accountability. It amplifies it. And as the August 2026 EU AI Act high-risk obligations become enforceable, the surface area for which named individuals are personally exposed expands with each AI system that touches a critical function.

The conversation about AI accountability has been dominated by abstractions — algorithmic fairness, ethics frameworks, principles documents. The lived regulatory reality is more concrete. There is a person whose name is on the line.

On the hook

In the United Kingdom, the Senior Managers and Certification Regime (SM&CR) requires every regulated firm to identify named individuals — Senior Managers — and document their responsibilities in a Statement of Responsibilities held by the FCA and, for dual-regulated firms, the PRA. Each Senior Manager carries a Duty of Responsibility: a personal obligation to take "reasonable steps" to prevent a regulatory breach in their area of responsibility. The duty is enforceable directly against the individual, not only against the firm. Penalties include fines, prohibitions, and public censure.

In Germany, §25a KWG and the MaRisk framework place equivalent responsibility on the Geschäftsleiter — the named managing directors of the institution. Each director's areas of responsibility are documented; the framework expects personal oversight of risk and compliance arrangements, including ICT and outsourcing. Switzerland's FINMA framework operates similarly, with senior-management accountability codified in the FINMA Banking Ordinance and reinforced through circular guidance on outsourcing and operational risk.

DORA layered onto this in 2025. Article 5 places the responsibility for ICT risk management — including third-party ICT risk and the AI deployments running on it — at the management body level, with explicit personal oversight obligations. The named individual is now on the hook for the AI in the institution's ICT register and for the DORA register entries themselves.

What unites these regimes is the irreducibility of personal accountability. The institution carries the corporate liability. The named senior individual carries the individual one. There is no AI exception.

What "reasonable steps" looks like now

The operative legal test in most jurisdictions is whether the named individual took "reasonable steps" to prevent the breach. Five years ago, "reasonable steps" in a consumer-credit function meant approving the credit policy, reviewing the validation reports, ensuring the underwriting team was appropriately staffed, and signing off on the audit trail.

The same test applied to AI-augmented credit decisioning today demands more. Reasonable steps now plausibly include: understanding the AI's role in the decision chain well enough to defend it; reviewing the human-oversight evidence the institution maintains under Article 14 of the AI Act; signing off on the model's bias-monitoring posture under Article 17; ensuring the Article 11 technical documentation is current; confirming that the AI's place in the institution's DORA register is accurate; and reviewing what the regulator would ask in a review. The standard is not algorithmic literacy. It is documentary diligence — being able to demonstrate, when asked, that one engaged with the AI as a substantive part of one's responsibilities.

The phrase regulators reach for when AI fails is "should reasonably have known." The senior manager who can produce a paper trail of substantive engagement with the AI clears that bar. The senior manager who delegated AI oversight to a technical team and signed quarterly governance papers without reading them does not.

Where DACH and the UK converge

The DACH-UK divide on individual accountability has narrowed over the past five years. SM&CR remains the most named-individual-specific framework, but BaFin's MaRisk-driven approach to Geschäftsleiter responsibility has tightened materially since the 6th MaRisk amendment in 2023. FINMA has been moving in the same direction. The European Banking Authority's guidelines on internal governance now read similarly to the FCA's expectations of senior-management oversight.

For AI specifically, the convergence is sharper still. The EU AI Act's Article 14 human oversight obligations apply identically across member states. The Article 27 Fundamental Rights Impact Assessment is required of the same categories of deployer regardless of jurisdiction. DORA's management-body accountability under Article 5 binds Germany, Switzerland (via equivalent), the UK insofar as cross-border arrangements apply, and every other regulated jurisdiction in the European market.

The result is that a senior individual at a German Landesbank, a Swiss private bank, and a UK consumer-credit lender all face structurally similar personal accountability for the AI in their regulated functions. The legal hooks differ in name. The exposure converges.

Where this leaves the named individual

Three implications follow.

The first is that the named individual cannot delegate AI accountability to a vendor. Article 26 of the EU AI Act makes the deploying institution responsible for using a high-risk AI system in accordance with its instructions, monitoring its operation, and retaining logs. The vendor sells the capability. The institution — and the named individual within it — owns the accountability. There is no contractual structure that transfers this. Vendor selection, including the discipline applied to build versus buy decisions, is therefore part of the senior individual's accountability, not separate from it.

The second is that the institution's documentation surface is the senior individual's defensive perimeter. When a regulator reviews an AI deployment and asks what the named senior individual knew, what they did about it, and when, the answer comes from the documentation. The Annex IV technical pack, the human oversight records, the post-market monitoring logs, the FRIA, the DORA register entries — these are not technical artefacts that exist for the AI team's convenience. They are the materials the named individual will rely on if their personal conduct is examined.

The third is that scope expands with each deployment. A senior individual responsible for one AI system carries one set of obligations. A senior individual responsible for ten AI systems across credit, fraud, complaints, AML, and call-centre carries ten times the documentation, ten times the oversight evidence, ten times the surface for a regulator finding. Most institutions deploying AI in 2026 have not yet redesigned the senior-accountability map to reflect this. Most will have to within the next eighteen months.

The technical conversation about AI in regulated financial services is well-developed. The accountability conversation is less so. Yet the regulator's first question, when something goes wrong, will not be about the model. It will be about the person who was supposed to be paying attention. The named individual who has done the work — who can produce the engagement evidence, the oversight records, the rationale for the deployment shape — is in a different position from the one who relied on the assumption that AI accountability sits with someone else. There is no one else. That is the point of personal accountability, and AI does not change it.

If your institution is mapping senior-manager accountability against the AI systems running in regulated functions — particularly ahead of the August deadline — we can help you work through it.
