Why Banks' AI Herding Could Slip Through Existing Regulatory Nets
Regulators built rules for single firm model risk. Correlated agent behavior is a different animal — and current UK supervisory stack may not be able to see it.
Regulators built rules for single firm model risk. Correlated agent behavior is a different animal — and current UK supervisory stack may not be able to see it.
The Bank of England has identified a financial stability risk that none of its existing supervisory rules were written to handle: AI agents at different firms reaching similar conclusions at the same time, fast enough to look like herding, even when no single institution intended it that way.
Speaking at the European Central Bank's Forum on Central Banking in Sintra in June 2026, Deputy Governor Sarah Breeden described this correlated behavior as different in kind from the model-risk and cyber questions that have dominated the AI-in-finance debate so far. Her framing matters because adoption has crossed the threshold where systemic effects become plausible. A 2026 Cambridge Centre for Alternative Finance survey, cited by the BoE, found that 81% of surveyed financial services firms are adopting AI at some level and 52% are already actively using agentic AI, the kind that plans and executes multi-step tasks without waiting for a human prompt.
When that many firms are running agents trained on overlapping datasets, optimizing for similar objectives, and reading the same market signals, the resulting decisions can synchronize in ways that look rational firm by firm but become a system-level problem in aggregate. That is the herding risk Breeden is naming, and it is the one the BoE says no current rule was built to detect.
The UK supervisory stack was assembled for an earlier era. The Financial Services and Markets Act, the PRA and FCA's model risk expectations, and the operational resilience regime under PS21/3 were all written on the assumption that a single firm runs a single model under human oversight. They were not designed for software that operates continuously, takes actions across trading, payments, and operations, and can be deployed across many firms at once. The BoE's review, signalled in Breeden's speech, is asking whether these tools can be stretched to cover agentic AI at all, or whether something new is needed.
The financial-stability concern is not the cyber angle, though Breeden called cyber resilience "the closest" near-term worry. She pointed to a "step change" in AI-driven cyber capability, including faster identification of vulnerabilities and the chaining of attacks at scale, with open-source models trailing the most advanced closed models by roughly four months on some cyber tasks. That gap is a BoE characterization of an evolving landscape rather than a benchmarked figure, and any rule built on it would have to absorb that uncertainty. But cyber is a problem where the perpetrator is identifiable and the loss is localizable. Herding is not.
When agents behave similarly across firms, no individual institution has failed its own model governance tests. Each firm can show that its system performs within tolerance on its own data, and its risk team has signed off on its own controls. The correlated move only becomes visible after the fact, when markets have already repriced. By then, the supervisory response is post-mortem rather than preventive. That is what makes the herding risk structurally different from the single-firm model risk the PRA's existing supervisory papers, DP5/22 and FS2/23, were written to address.
The BoE is not the first regulator to look at this question, but it is the first major central bank to elevate correlated agent behavior to the top of the financial stability list in a public speech. The Financial Stability Board's June 2026 consultation on sound practices for responsible AI adoption sets voluntary expectations at the international level. The BoE's posture is a national-level fit-for-purpose review, not a new rule, and that distinction matters. The Bank is asking whether current rules work, not announcing that they do not.
Two things to watch. First, whether the BoE concludes that herding risk can be monitored through existing supervisory tools, with guidance rather than new law, or whether it concludes that the Financial Services and Markets Act and the operational resilience regime need to be amended. Second, whether the BoE's 2024 AI in UK Financial Services survey is updated to capture agentic deployment specifically, so the gap between 81% general adoption and 52% active agentic use stops being a proxy and starts being a measured pipeline.
The unresolved question for now is whether the BoE's own analytical tools can keep up with the systems they are being asked to supervise. As Breeden noted in an earlier Hong Kong Monetary Authority keynote, AI capability is advancing faster than the supervisor's ability to model its consequences. That gap is the policy problem the herding risk now lives inside.