TL;DR: AI adoption is widening the ICT surface area that DORA must govern, and financial institutions are struggling to translate the regulation’s five pillars into defensible operational controls, according to WitnessAI. The compliance problem is no longer policy intent but evidence, inventory, and third-party visibility across AI-driven systems.
NHIMG editorial — based on content published by WitnessAI: DORA compliance gaps widen as AI expands ICT risk scope
Questions worth separating out
Q: How should financial institutions include AI systems in DORA compliance programmes?
A: They should treat AI systems as in-scope ICT assets and connect them to inventory, incident reporting, resilience testing, and third-party governance.
Q: Why do AI tools create DORA governance gaps in financial institutions?
A: AI tools often enter through shadow adoption, embedded features, or external APIs, which means they can be active before they are formally inventoried or contracted.
Q: How do organisations know whether DORA controls are actually covering AI risk?
A: They should test whether AI-related assets appear in the inventory, whether contracts include audit and exit terms, and whether monitoring detects AI-specific failure modes.
Practitioner guidance
- Build a complete AI and ICT inventory: identify every AI tool, model, agent, API integration, and shadow deployment, then tie each item back to DORA scope, ownership, and business purpose.
- Map AI systems to DORA’s five functions: link each AI-related dependency to identify, protect, detect, respond, and learn so control ownership is explicit across the operating model.
- Extend third-party governance to AI vendors and subcontractors: update contracts, exit terms, audit rights, data location clauses, and subcontracting visibility for every AI provider in scope.
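As an added illustration of the inventory and contract checks above (and of the "how do we know the controls cover AI risk" question earlier), here is a small Python reconciliation, written for this post rather than taken from WitnessAI or NHIMG, that compares observed AI API traffic against an Article 28(3)-style register. All provider names and hostnames are constructed; it flags shadow usage, contract gaps, and register entries with no observed traffic.

```python
from dataclasses import dataclass

@dataclass
class Provider:
    """One Article 28(3)-style register entry for an AI provider (hypothetical)."""
    name: str
    hosts: frozenset           # API hostnames the contract covers
    audit_rights: bool = False
    exit_terms: bool = False

# Constructed register: three contracted providers, one with a contract gap.
REGISTER = [
    Provider("ModelCo", frozenset({"api.modelco.example"}), audit_rights=True, exit_terms=True),
    Provider("SummarizeInc", frozenset({"api.summarize.example"}), audit_rights=False, exit_terms=True),
    Provider("LegacyVendor", frozenset({"api.legacy.example"}), audit_rights=True, exit_terms=True),
]

# Constructed egress-log observations: (hostname, business unit, request count).
OBSERVED = [
    ("api.modelco.example", "treasury", 1240),
    ("api.summarize.example", "operations", 310),
    ("chat.unvetted-llm.example", "marketing", 87),  # never contracted or inventoried
]

def reconcile(register, observed):
    """Compare observed AI traffic with the register and return three finding lists:
    shadow (traffic to hosts no register entry covers), contract_gap (registered
    providers missing audit rights or exit terms) and silent (registered providers
    with no observed traffic, a hint that the register may be stale)."""
    host_to_provider = {h: p for p in register for h in p.hosts}
    seen = set()
    findings = {"shadow": [], "contract_gap": [], "silent": []}
    for host, unit, count in observed:
        provider = host_to_provider.get(host)
        if provider is None:
            findings["shadow"].append((host, unit, count))
        else:
            seen.add(provider.name)
    for p in register:
        missing = [term for term, ok in (("audit_rights", p.audit_rights),
                                         ("exit_terms", p.exit_terms)) if not ok]
        if missing:
            findings["contract_gap"].append((p.name, missing))
        if p.name not in seen:
            findings["silent"].append(p.name)
    return findings

if __name__ == "__main__":
    for category, items in reconcile(REGISTER, OBSERVED).items():
        print(category, items)
```

In practice the OBSERVED list would come from proxy or egress logs, and the shadow findings are the evidence gap the Article 8 inventory needs to close.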
What's in the full article
WitnessAI's full article covers the operational detail this post intentionally leaves for the source:
- A pillar-by-pillar DORA walkthrough with control expectations tied to ICT risk, incident reporting, testing, third-party oversight, and information sharing.
- Specific examples of where AI adoption creates blind spots in the Article 8 inventory, Article 28(3) register, and concentration-risk assessments.
- Practical steps for extending contracts, audit rights, and exit clauses to AI providers and subcontracting chains.
- Discussion of how runtime AI threats map to resilience testing and incident classification requirements.
👉 Read WitnessAI's analysis of DORA compliance gaps created by AI adoption →
DORA and AI adoption: where financial controls break down?
Explore further
Shadow AI is now a DORA evidence problem, not just a technology problem. When AI tools are adopted outside procurement and inventory workflows, the institution loses the ability to prove which ICT assets are in scope. That breaks the evidentiary chain behind Article 8 inventory discipline, Article 28(3) registers, and Article 29 concentration analysis. The implication is that governance programmes must treat discovery coverage as a regulated control surface, not an operational convenience.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows that control gaps tend to recur rather than remain isolated.
A question worth separating out:
Q: Who is accountable when an AI-driven ICT incident triggers DORA reporting?
A: The management body remains accountable for ICT risk governance, even when the incident originates in a third-party AI service. Operational teams can support detection and reporting, but responsibility cannot be delegated away from the institution’s governing body.
👉 Read our full editorial: DORA compliance gaps widen as AI expands ICT risk scope