AIGovXRay field intelligence

AI Governance in European Banking, 2026.

A web-surface analysis of Systemically Important Banks and adjacent financial entities under the EU AI Act governance lens.

Central finding

Public AI visibility is moving faster than public governance evidence.

The report's central signal is a demonstrability gap: within the scanned corpus, institutions with visible AI interfaces rarely exposed enough public evidence to demonstrate the governance controls expected by AI assurance, resilience, and transparency frameworks.

This does not mean the controls do not exist internally. It means that, from the public web layer alone, the control story is often not audit-ready, user-visible, or operationally attributable.

Key findings

Concrete signals, not abstract compliance claims.

AI-visible institutions could not fully demonstrate governance controls

Across the corpus, the public web layer rarely exposed enough evidence to support a complete governance-control story for visible AI interfaces.

AI disclosure gaps were the dominant signal

The primary SI Bank corpus showed visible AI interfaces where user-facing disclosure and operational accountability evidence were often thin or absent.

Backend exposure artifacts carry disproportionate governance weight

A single client-side application identifier, endpoint, or integration artifact may matter more than several policy-text gaps because it points to architecture, not only disclosure.

Group-level remediation can be uneven

The report documents a governance propagation pattern where some shared signals improved while specific customer-facing subsidiaries retained elevated web-surface governance signals.

Proof of impact

Drift detection turned the finding into a measurable timeline.

In April 2026, Mechapiens sent a group-level web-surface governance observation package covering recurring Erste ecosystem signals. Follow-up scans on June 2 showed remediation-like drift across every Erste entity with paired evidence.

This is presented as an impact signal, not a claim of causation: AIGovXRay can preserve the before/after record and detect whether governance exposure is improving, unchanged, or regressing over time.

6/6: Erste follow-up scans improved

-11: net findings delta across Erste entities

0: regressions detected in drift timelines

Apr 27-Jun 2: notification-to-rescan window

| Entity | April scan | June scan |
|---|---|---|
| Erste AM | 3 findings / medium | 2 findings / low |
| Erste Digital | 4 findings / high | 2 findings / low |
| Erste Group HQ | 2 findings / medium | 1 finding / low |
| Erste Bank Hungary | 3 findings / high | 2 findings / medium |
| SLSP Slovakia | 5 findings / high | 2 findings / low |
| Sparkasse Austria | 5 findings / high | 2 findings / low |

Methodology

Web-surface scanning with explicit limits.

Public website layer only: HTML, JavaScript, metadata, and client-side artifacts visible to a normal web visitor.

No backend access, credentialed testing, internal logs, runtime traces, or privileged evidence review.

Framework lens: EU AI Act, DORA, ISO/IEC 42001, and NIST AI RMF.

Findings are framed as demonstrability gaps and web-surface governance signals, not allegations of non-compliance.

Full report

Download the AIGovXRay European Banking Report.

Submit the short form to receive the download link. Mechapiens logs the request by email for follow-up; the website application does not store the form submission.

This report is not a compliance certification, legal opinion, supervisory finding, security advisory, or allegation of non-compliance by any named institution.