Generative AI Is Steering Banks Toward Autonomous IRM—But the Bridge Isn’t Finished Yet

The McKinsey Signal

When McKinsey & Company published “How generative AI can help banks manage risk and compliance” in March 2024, it put blue-chip credibility behind a growing consensus: large-language models and related GenAI tools will automate swaths of the three-lines-of-defense and up-end conventional governance, risk, and compliance (GRC) workflows. What McKinsey did not say—but unmistakably implied—is that the old compliance-first paradigm is now on borrowed time. The firm’s use-case catalogue—from virtual regulatory advisors to code-generating “risk bots”—maps neatly onto the early layers of Autonomous Integrated Risk Management (IRM): continuously sensing risk, generating controls, and feeding decision-grade insight back into the business.

Yet the report also reveals a tension. McKinsey still frames GenAI as a helper inside discrete risk silos, guarded by human-in-the-loop checkpoints. Autonomous IRM envisions something bolder: an AI-directed control fabric that dissolves those silos, embeds itself in front-line processes, and—over time—lets the machine take the first swing at routine risk decisions while humans govern the exceptions.

What GenAI Already Gets Right for IRM

GenAI does align with many aspects of IRM. The most prominent features include:

1. From Attestation to Action

   Drafting suspicious-activity reports, reconciling policy gaps, and generating climate-risk disclosures are rote tasks GenAI can now perform in seconds. McKinsey’s examples confirm that banks can redeploy talent toward preventive analytics rather than backward-looking attestations.

2. Unified Intelligence Hubs

   The proposed “risk-intelligence center” anticipates the shared data layer and analytics core that IRM frameworks—Autonomous IRM in particular—treat as non-negotiable.

3. Integrated Risk Thinking

   Embedding controls “at the outset of new customer journeys” mirrors IRM’s mandate to push risk analysis to the design phase—well before products hit the market.

Market Context: Tailwinds for a Structural Reset

The prospects for continued development of Autonomous IRM capabilities is strong for the near future. When combined, the following indicators signal a major push toward further AI development and deployment of agentic AI in support of the evolving risk management discipline.

1. TRM as the Growth Engine

   According to the IRM Navigator™ TRM Report – Q1 2025, the broader IRM technology market is projected to grow from $61.6 billion in 2025 to $134.0 billion by 2032, at a CAGR of 11.7% . Within this, Technology Risk Management (TRM) is identified as the fastest-growing segment, expanding from $25.5 billion in 2025 to $59.8 billion by 2032, representing a CAGR of 12.9%.

2. Governance Gaps Create Opportunity

   Deloitte’s 2025 “AI at a Crossroads” report finds fewer than 10% of organizations have mature AI-governance frameworks, a trust gap that Autonomous IRM directly addresses.

3. Talent & ROI Pressures

   NTT DATA’s February 2025 banking survey shows 58% of global banks have fully embraced GenAI but remain split on whether to pursue productivity gains or outright cost cuts—evidence that operating-model design, not technology alone, will separate winners from laggards.

4. Regulatory Acceleration

   Europe’s AI Act, finalized in 2024, imposes tiered obligations based on model risk. Autonomous IRM provides continuous monitoring and auditable controls regulators now demand.

5. AI-TRiSM Maturity

   Gartner predicts by 2026 organizations instituting end-to-end AI trust, risk, and security management (AI-TRiSM) will see a 50% improvement in model adoption and business outcomes.

Strategic Implications for Banks

What are our recommendations for next steps?

1. Stop Treating GenAI as a Point Solution

   Narrow “Win Fast” pilots lock value inside functional stovepipes. Banks should design for horizontal scale: shared vector databases, AI policy engines, and cross-domain ontologies.

2. Build a Two-Speed Control Fabric

   • Speed 1: Real-time AI agents autonomously execute low-impact policy checks and fraud triage.

   • Speed 2: Human analysts oversee high-impact judgment calls, gradually ceding territory as model confidence and regulatory clarity grow.

3. Converge AI-TRiSM and IRM

   Embedding fairness, explainability, privacy, and adversarial robustness directly into the IRM data plane ensures that the system protecting the bank is itself governable.

4. Measure What Matters

   Shift KPIs from throughput metrics (reports filed, alerts cleared) to risk-adjusted value: capital efficiency gains, loss-event reduction, and cycle-time cuts in new-product approvals.

The Road to Autonomy

McKinsey’s analysis confirms GenAI can shoulder today’s compliance burden and lay the groundwork for intelligent, enterprise-wide risk insight. But Autonomous IRM demands more than smarter tooling. It requires re-architecting risk as a continuous, AI-driven control loop that learns, predicts, and acts at machine speed.

Banks that seize this moment will graduate from “AI-supported compliance” to something transformational: AI-managed risk. Those that tinker at the margins may find themselves living in a world where risk is managed for them—by faster, more adaptive competitors.

⸻

References

• McKinsey & Company, “How generative AI can help banks manage risk and compliance,” 2024.

• Wheelhouse Advisors, IRM Navigator™ TRM Report – Q1 2025.

• Deloitte, “AI at a Crossroads,” 2025.

• NTT DATA, “Intelligent Banking in the Age of AI,” 2025.

• European Commission, EU Artificial Intelligence Act Overview, 2024.

• Gartner, “Tackling Trust, Risk and Security in AI Models,” 2024.