Every risk function says it wants a seat at the table. Most are still standing at the door with a clipboard, waiting to say no.
Commonwealth Bank’s May 2026 AI transparency report shows what happens when a large, regulated organisation stops treating risk as a checkpoint and starts building it into the product itself — and the gap between that model and a “send it up for sign-off” committee is now showing up in market outcomes, not just maturity scorecards.
The 30-second take
Risk teams that only advise — reviewing decisions after the business has already made them — are becoming a bottleneck as AI adoption accelerates.
The organisations pulling ahead have moved risk into the build process itself: real-time controls, embedded governance, and risk owners who can say yes to more, faster, because the guardrails are already running.
The evidence isn’t theoretical. It’s showing up in named companies’ disclosures and in the return-on-investment data.
What “active enablement” looks like in practice: Commonwealth Bank
In May 2026, Commonwealth Bank published a detailed, organisation-wide account of how it develops, tests and monitors AI in production — a rare level of transparency from Australia’s largest bank. The report is a useful case study precisely because it shows governance operating as infrastructure, not as a gate.
CBA classified AI as a material risk category in its enterprise risk framework, with dedicated committees reviewing higher-risk use cases and approving models before deployment — board accountability retained throughout.
But the more telling detail is what happens after approval. Inside its chatbot environment, the bank runs what it calls “groundedness guardrails”: real-time checks that block or flag any AI-generated response that isn’t supported by verified data, before it reaches a customer. Models are monitored continuously in production — for performance drift, behavioural change and emerging risk — because, as the bank acknowledged, large language models don’t guarantee factual accuracy and a system validated once isn’t validated forever.
Executive general manager Alex Matthews summed up the shift: governance had stopped being applied after the fact and was instead being embedded directly into engineering workflows, with pre-screening, documentation and approval gates built into how developers work — not bolted on afterward.
That’s the advisory-to-enabler shift in one sentence: risk isn’t reviewing the work anymore, it’s part of how the work gets built.
The literacy gap sitting underneath the problem
The advisory-only model persists partly because the people risk teams report to often can’t challenge them on the substance.
Deloitte’s board governance research found that a majority of boards still have limited to no working knowledge of AI — down from the year before, but still the norm rather than the exception. A board that can’t interrogate an AI risk framework will default to trusting whoever presented it last, usually a vendor. That’s exactly the dynamic regulators have flagged in other markets: oversight that rubber-stamps rather than tests.
This is why “shift to active enabler” isn’t just a risk-function ambition — it has to be paired with board and executive capability.
A risk team that builds strong controls but reports to a board that can’t ask a hard question about them is still, functionally, running an advisory model. Someone still has to be equipped to push back.
The money is already sorting winners from watchers
PwC’s 2026 AI Performance Study puts a number on what’s at stake. Across the organisations it surveyed, nearly three-quarters of AI’s economic value is being captured by just one-fifth of companies — and the leaders share a common trait:
strong AI governance infrastructure, not just faster deployment.
CEOs whose organisations have established Responsible AI frameworks are three times more likely to report meaningful financial returns from AI. AI leaders are 1.7 times more likely to have a formal Responsible AI framework and 1.5 times more likely to have a cross-functional AI governance board than the rest of the market.
Read that alongside CBA’s approach and the pattern is hard to miss: governance that’s embedded and fast is now correlated with better commercial outcomes, not just fewer incidents. The “risk vs. speed” trade-off that advisory-model risk teams have defended for years is increasingly not the trade-off boards are actually facing.
Questions to ask your organisation
- Is your risk function reviewing AI use cases before they’re built, or auditing them after the business has already shipped them?
- Do you have runtime controls — something equivalent to CBA’s groundedness guardrails — or only a one-off sign-off before launch?
- Has AI been formally classified as its own risk category in your enterprise risk framework, or is it still filed under general technology risk?
- Can your board ask a substantive question about your highest-risk AI model without relying on the vendor’s own briefing to do it?
- Is your risk team’s performance measured by how much it enabled safely, or only by how much it blocked or delayed?
- If a regulator or customer asked for the audit trail on your highest-risk model tomorrow — who approved it, on what evidence — could you produce it in a day?
The organisations separating themselves aren’t the ones with the most cautious risk teams. They’re the ones where risk, engineering and the board are working off the same real-time picture. If you want to see where your organisation sits on that spectrum, the Innovation of Risk has a readiness snapshot that takes less than ten minutes and gives you a straight answer.

