Frontier AI in CNI: the regulators are paying attention

Post 16 of the AI series. The autumn joint statements from the BoE, FCA and HM Treasury on frontier AI and operational resilience signal where financial-services regulators have arrived. The implications for AI in cyber security are sharper than the public conversation suggests.

_Post 16 of the AI in cyber series._

The autumn 2025 regulatory cycle has produced, in financial services specifically, a tighter signal about what frontier AI in regulated firms is going to look like under supervision. The Bank of England, FCA and HM Treasury joint statements on frontier AI models — the formal version is expected in the autumn statement window — sit alongside earlier work from the PRA and the FCA's AI sandbox programme. Read together, they describe a regulatory shape that has consequences for AI in cyber security beyond financial services.

This post is about that shape and what it implies for the next eighteen months of procurement, deployment, and architectural decisions.

What the three institutions have, between them, signalled

Three substantive points the autumn cycle has clarified.

Frontier AI use inside regulated firms is in supervisory scope. This was implicit through 2024; it is now explicit. A regulated firm using a frontier AI model for any operationally meaningful purpose — risk modelling, customer interaction, security operations, fraud detection — is expected to be able to demonstrate to the regulator that it has done so under appropriate governance. The model is not exempt because it is provided by a third party. The firm carries the obligation.

The operational-resilience framework applies to AI dependencies. The PRA's Operational Resilience Policy requires regulated firms to identify important business services and set impact tolerances for disruption. A firm whose security operations depend on a third-party AI model is dependent, structurally, on that AI provider's continuity. The regulator wants the firm to have modelled that dependency and to have impact tolerances that account for it.

Frontier AI is going to be named, not abstracted. The supervisory letters that follow the joint statement will, on the trajectory the language suggests, ask firms specifically which frontier AI providers they depend on, in what use cases, and with what fallback arrangements. We use AI will not be a sufficient answer. We use Anthropic Claude 3.5 for case summarisation in our SOC, via this contractual route, with this specific data-handling agreement, and our fallback is this — that is the shape of answer the regulator wants.

Why this matters beyond financial services

Three reasons it generalises.

The PRA / FCA expectations set the tone for the wider regulatory community. The ICO, the Cyber Security and Resilience Bill implementation team, and the sectoral regulators of CNI watch what the financial-services regulators do and converge over time. The shape of expectations on frontier AI in financial services is going to be, within eighteen months, the shape of expectations on frontier AI in CNI, in health, in transport.

Cyber security is one of the most concrete examples of frontier AI use. Most regulated firms have, by autumn 2025, deployed some form of AI in their security operations — at minimum a copilot, more frequently several. The AI cyber category is therefore one of the most useful concrete grounds on which the regulators can develop their expectations. The cyber AI category will be a leading category in regulatory expectations rather than a lagging one.

Operational-resilience thinking applied to AI converges on architectural properties. Can you keep operating if your AI provider has an outage is the question. The architectural answers — on-premises deployment, redundant provider, fallback to non-AI processes — are the same answers that have been good architectural practice for a long time. The regulator is, in effect, formalising what good practice has always required.

How this reads against EmilyAI's posture

The architectural decisions I have described through this series read against the new regulatory shape with little friction.

The single-tin on-premises deployment topology (post 15) gives the customer an AI dependency that is, by construction, under their direct operational control. The provider risk is bounded by the customer's own continuity arrangements, not by ours.

The deterministic inference and audit chain (post 2, post 14) give the regulator the reproducibility and audit-trail properties they have been moving toward.

The continuous learning loop with structural feedback as data (post 11) gives the regulator an answer to how does the model improve, and how is that improvement governed, and how is the customer's data used in that improvement.

The cross-tenant intelligence model with seven privacy principles (post 12) gives the regulator an answer to what happens to my customer's data in this shared-intelligence model, and can I demonstrate the customer's consent on every record.

I am not claiming we are the only vendor whose architecture aligns with where the regulators are arriving. We are one of several. The wider point is that aligning with the regulators is an architectural matter rather than a documentation matter, and the regulator's questions are now sharp enough to distinguish the two.

What customers should be doing this quarter

For regulated firms — financial services first, but increasingly CNI and health — three pieces of work that are, in 2025, the right work to start.

Inventory the AI in your security operations specifically. Name the products, the providers, the use cases, the data flows, the contractual terms. Read your current contracts against the supervisory expectations that are visible in the autumn cycle. The list is shorter than most firms expect; the gaps in it are usually obvious once it is written down.

Run an AI-specific operational resilience exercise. Your primary AI security provider has a 48-hour outage. What is your fallback? The right answers in 2025 are not the same as the right answers in 2024. The hyperscaler-LLM-dependent firm will struggle with this; the firm with an on-premises or multi-vendor deployment will have a cleaner answer.

Map your audit chain for AI-driven decisions. Pick a specific AI-driven security verdict from the past month. Can you, today, demonstrate which model produced it, what the input was, what the output was, and what model version is in production now? If the answer is yes, you are in a good place. If the answer is partially, the gap is the work for Q1 2026.

What is next

In six weeks: the year-in-cyber-AI 2025 retrospective. The agentic year that mostly was not, the determinism property going mainstream, the regulator-side conversation maturing. What 2026 looks like from where we sit at the end of November.