What happened
This arXiv preprint (posted 8 July 2026, not peer-reviewed) argues that existing AI governance frameworks (EU AI Act, ISO/IEC 42001, NIST AI RMF, UK principles-based approach) address trustworthiness but fail to cover operational resilience — the continuity of business services under severe disruption and the concentration risk from dependency on a small number of frontier model suppliers. The author proposes the "AI Resilience Framework," comprising dependency mapping, criticality-substitutability tiering, extension of impact tolerances to AI-specific failure modes, an explicit fallback doctrine, and provider-level concentration management, mapped against the UK Financial Policy Committee's systemic analysis and Critical Third Parties regime.
Why it matters
Gives CISOs, security architects, and boards in regulated financial services a concrete, actionable route from AI governance policy to demonstrable operational resilience — closing a gap current AI risk frameworks do not address.
Action needed
Evaluate current AI vendor concentration and fallback arrangements against the proposed criticality-substitutability tiering model.