Where banks are stuck, and the moves.
The substrate is the differentiator now. Core modernisation, GenAI in customer journeys, supply-chain attestation, EU DORA operational resilience — the work is no longer about picking vendors. It’s about whether identity, observability, policy-as-code and audit are encoded properties of the platform, or theatre.
The regulatory floor — banking
- APRA CPS 230 (operational risk management) · live in AU FS
- APRA CPS 234 (information security) · auditable today
- EU DORA (digital operational resilience) · enforced 17 Jan 2025
- EU AI Act · high-risk obligations from 2 Aug 2026 (credit scoring → Annex III)
- BCBS 239 (risk data aggregation) · the perennial benchmark
- SLSA v1.0 + SSDF (SP 800-218) · the supply-chain attestation floor for vendor integrations
Run first.
The two diagnostics that surface the most banking-specific exposure. Each takes 2–4 minutes; results are shareable via URL hash; nothing is stored.
Diagnostic · DevSecOps Maturity
Identity, supply-chain, secrets, scanning. CPS 234 and DORA both reduce to whether these are real. ~10 capabilities, 3 minutes.
Diagnostic · GenAI Readiness
12 capabilities scored against the ISO 42001 / NIST AI RMF function shape. The most direct read for an EU AI Act high-risk use-case (credit scoring, employment, biometrics).
Reference architectures.
Opinionated paved-paths sized for banking constraints — data residency, audit, supply-chain attestation, change-control.
Reference architecture · Regulated GenAI Platform
Gateway, prompt registry, evals, layered guardrails, signed per-decision audit. Sized for high-risk use-cases.
Reference architecture · DevSecOps SLSA L3+ Paved Path
Build provenance, signed images, OPA/Kyverno admission, SBOM-to-owner alert loop. CPS 234 / SSDF / SLSA aligned.
Reference architecture · Modern Data Platform
Lineage, contracts, BCBS 239 data-quality controls. The substrate for risk + finance + AML data feeds.
Where banking teams typically get stuck.
The most-common Tier 2 stuck-points in this sector, with the three substrate moves to the next tier.
DevSecOps — Repeatable
Vault theatre + SBOM shelfware + SAST-as-strategy. Three substrate moves to Defined: workload identity, SBOM→owner loop, one policy enforced at admission.
GenAI — Piloting · stuck tier for ~25% of enterprises
Inline prompts + un-run eval sets + un-tested guardrails. Three moves: prompt registry + eval-gated CI, adversarial-tested guardrails, per-decision audit pipeline.
EA — Consultative · stuck tier for ~40% of EA functions
PDF principles + architect-as-reviewer + capability-model theatre. Three moves: encode the top-3 principles, federate the function, tie capability investment to outcomes.
Read next.
The essays and reference content that go furthest in banking conversations.
Essay · The nine controls that make GenAI defensible
Mapped to NIST AI RMF, ISO 42001, OWASP LLM Top 10 — the operational distillation for regulated FS.
Essay · DevSecOps is supply-chain
Why the centre of gravity moved from SAST to provenance + signing + SBOM owner-loops; the CPS 234 / SSDF implications.
Annual report · State of Enterprise Tech in Regulated Industries 2026
12-page board-ready briefing — the data and the gaps.
Common anti-patterns in banking.
The named failure modes that show up most across banking engagements. The catalogue has all 15; these four are the ones that recur here.
Anti-pattern · Vault Theatre
Static credentials moved into a vault without changing the risk posture: the same long-lived secrets, now with a nicer front door. CPS 234 audits find this.
Anti-pattern · SBOM Shelfware
SBOMs generated, never wired to owner-alerts. Costs 30 days of response time when a KEV-listed CVE lands.
Anti-pattern · PDF Principles
Architecture principles that aren’t encoded as policy. Treated as suggestions in delivery.
Anti-pattern · Inline Prompt Pattern
Prompts hard-coded in service code. No versioning, no evals, no audit trail for a high-risk decision.
Working on this in Banks & Financial Services?
If you’re standing up GenAI under EU AI Act, hardening the supply chain for CPS 234, or rebuilding the platform under DORA — I run focused engagements that ship the substrate, not the slide deck.
How I work: contact@hellouchit.com