Terry Li

Risk teams in banks know how to do risk management. Taxonomy, tiering, accountability structures, residual risk acceptance — these are established disciplines. Applying them to AI is necessary work, but it is adaptation, not invention.

The invention is in the controls layer.

Most of what makes AI governance hard is not the risk identification. It is that three properties of AI systems make traditional controls insufficient. The first is non-deterministic output: the same input produces different outputs, you cannot certify by sampling, and every code path in traditional software is reviewable while in an agentic system paths do not exist until runtime. The second is probabilistic controls: a firewall is binary, on or off, but a model guardrail works most of the time, and risk acceptance must account for probability reduction rather than elimination — one content filter is a suggestion, three independent ones are a control. The third is natural language as attack surface: traditional systems separate data from instructions, but any text input to an LLM can attempt to alter its behaviour, and the adversarial input looks exactly like the legitimate input.

These three properties do not need better risk frameworks. They need different controls — controls designed for non-determinism, tested for probabilistic failure, and enforced automatically because manual review decays the moment the reviewer walks away.

Nobody has a tested, enforced control for prompt injection that they can point to and say “this is our control, here is its effectiveness rate, here is our testing regime.” The catalogue is being written as we go. The questions are architectural. Which controls map to which novel property? Where in the platform stack is each control enforced? How do you test a probabilistic control — not once, but continuously? What is the structural separation between the model reasoning and the enforcement layer?
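One way to put a number on "effectiveness rate" for a layered filter stack, as an added example that is not the author's code: it scores a batch of adversarial test results, compares the observed miss rate with what independence between filters would predict, and gates on a 95% Wilson lower bound. The three filters, the 200 constructed results and the 0.99 requirement are all assumptions made for illustration.

```python
import math

def wilson_lower(successes, trials, z=1.96):
    """Lower end of the Wilson score interval (95% by default) for a rate."""
    if trials == 0:
        return 0.0
    p = successes / trials
    centre = p + z * z / (2 * trials)
    margin = z * math.sqrt(p * (1 - p) / trials + z * z / (4 * trials ** 2))
    return (centre - margin) / (1 + z * z / trials)

def assess(outcomes, required_rate):
    """outcomes: one tuple per adversarial test case, one bool per filter
    (True = that filter blocked the case)."""
    n = len(outcomes)
    layers = len(outcomes[0])
    per_filter = [sum(o[i] for o in outcomes) / n for i in range(layers)]
    # Miss rate the stack would have if filter failures were independent.
    predicted_miss = math.prod(1 - r for r in per_filter)
    # Miss rate actually observed: cases that got past every filter.
    blocked = sum(any(o) for o in outcomes)
    observed_miss = (n - blocked) / n
    lower = wilson_lower(blocked, n)
    return {
        "per_filter": per_filter,
        "predicted_miss": predicted_miss,
        "observed_miss": observed_miss,
        "block_rate_lower_bound": lower,
        "meets_requirement": lower >= required_rate,
    }

# Constructed results: 200 adversarial cases against three hypothetical filters.
# The filters share a blind spot, so their misses overlap.
SAMPLE = [(i % 10 != 0, i % 20 not in (0, 7), i % 40 not in (0, 3))
          for i in range(200)]

if __name__ == "__main__":
    for key, value in assess(SAMPLE, required_rate=0.99).items():
        print(key, value)
```

On this constructed batch the independence estimate understates the observed miss rate by a factor of 50, which is why the stack has to be measured as a whole and re-measured on every new test batch.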

Cloud platforms are shipping the primitives — structured output, sandboxed execution, content filtering APIs. But primitives are not architecture. The governance layer above the platform — what controls apply to which use case, how they compose, how you know they are working — that is the design problem.

Risk professionals do not need help identifying that AI introduces new risks. They need help designing controls that actually work against non-deterministic, probabilistically-controlled systems with natural language attack surfaces. That is an architecture problem, not a framework problem. And it is the part that is genuinely unsolved.
