When Chatbots Go Wrong: Information Governance as the Guardrail for AI in Banking
- Max Rapaport
- 6 days ago
- 4 min read

In early 2025, the Commonwealth Bank of Australia (CBA) set out to make headlines for innovation. The bank announced it would replace dozens of call-center employees with an AI-powered voice chatbot designed to cut costs, streamline services, and improve customer experience. But within weeks, the rollout unraveled. Call volumes soared instead of shrinking, managers were pulled away from oversight duties to handle customer complaints, and frustrated clients faced longer wait times.
The backlash was swift. Facing union pressure, public criticism, and mounting operational costs, the bank reversed course, rehired the displaced staff, and acknowledged that its workforce planning had been flawed. What was intended as a showcase of digital transformation became a cautionary tale of how poorly governed AI can create reputational and financial liabilities overnight.
AI in Banking: A Risk Multiplier Without Governance
Customer-facing AI systems—particularly chatbots—are uniquely high-stakes. They interact directly with clients in real time, meaning every misstep is immediately visible. A single inaccurate answer about loan eligibility, fees, or compliance obligations can not only frustrate a customer but also trigger regulatory scrutiny.
CBA’s chatbot did not fail because AI is inherently unreliable. It failed because there was no clear governance framework ensuring performance testing, policy enforcement, and oversight. The absence of these guardrails turned a promising tool into a public liability. This is precisely where Information Governance (IG) must step in.
Provenance: Knowing What Powers the Bot
IG begins with provenance—understanding the origins and integrity of the data and models behind AI systems. For banking chatbots, this means more than simply training on customer FAQs. It requires disciplined classification of input data, confirmation that data sources are current and lawfully retained, and alignment with regulatory requirements such as the EU AI Act and GDPR.
Under the AI Act, systems like chatbots can be classified as high-risk if they affect customer rights or financial outcomes. High-risk systems must provide documentation, human oversight, monitoring, and audit logs—requirements that go well beyond traditional IT controls. Inadequate classification or retention policies, as CBA’s case showed, allow outdated or sensitive data to enter training pipelines. The result is not only inaccurate responses but also compliance exposure.
Enforcing Policy Through the Deployment Lifecycle
A chatbot is not ready for prime time just because it can converse. It must pass through governance checkpoints where policies are actively enforced. This includes:
Evaluation benchmarks: Testing the model’s ability to resolve customer queries accurately and consistently.
Fallback mechanisms: Ensuring seamless escalation to human agents when the bot fails to provide an answer.
Rollback triggers: Predefined conditions—such as a sudden spike in call volume—that automatically suspend deployment before customer trust is eroded.
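The three checkpoints above can be made concrete as code. The following is an added example written for this post, not CBA's system or any vendor's product: a small release gate with an evaluation benchmark threshold, a confidence-based fallback to a human agent, and rollback triggers on escalation rate and call-volume spikes. The benchmark queries, the toy bot's answers and the live metrics are constructed sample data, and the thresholds in GateConfig are assumptions a bank would set in its own policy.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple

class Decision(Enum):
    ANSWER = "answer"        # bot answers the customer directly
    ESCALATE = "escalate"    # fallback: hand the conversation to a human agent
    SUSPEND = "suspend"      # rollback trigger fired: take the bot out of service

@dataclass(frozen=True)
class GateConfig:
    min_eval_accuracy: float = 0.90    # evaluation benchmark the model must clear before release
    min_confidence: float = 0.75       # below this, fall back to a human (assumed threshold)
    max_escalation_rate: float = 0.30  # share of live conversations escalated in the window
    max_volume_ratio: float = 1.50     # live call volume vs. pre-rollout baseline

@dataclass(frozen=True)
class LiveMetrics:
    conversations: int
    escalations: int
    calls_per_hour: float
    baseline_calls_per_hour: float

# Constructed benchmark: (customer query, expected intent label).
BENCHMARK: List[Tuple[str, str]] = [
    ("what is the overdraft fee", "fees"),
    ("am i eligible for a home loan", "loan_eligibility"),
    ("how do i reset my card pin", "card_services"),
    ("i want to close my account", "account_closure"),
    ("can i skip a repayment this month", "hardship"),
]

# Constructed stand-in for the model: query -> (intent, confidence).
# A real deployment would call the chatbot model here instead.
TOY_BOT = {
    "what is the overdraft fee": ("fees", 0.97),
    "am i eligible for a home loan": ("loan_eligibility", 0.62),  # right intent, low confidence
    "how do i reset my card pin": ("card_services", 0.91),
    "i want to close my account": ("account_closure", 0.88),
    "can i skip a repayment this month": ("fees", 0.81),          # confidently wrong
}

def toy_answer(query: str) -> Tuple[str, float]:
    return TOY_BOT.get(query, ("unknown", 0.0))

def evaluation_accuracy(benchmark: List[Tuple[str, str]],
                        answer_fn: Callable[[str], Tuple[str, float]]) -> float:
    """Evaluation benchmark: fraction of queries resolved to the expected intent."""
    if not benchmark:
        return 0.0
    correct = sum(1 for query, expected in benchmark if answer_fn(query)[0] == expected)
    return correct / len(benchmark)

def release_gate(benchmark, answer_fn, cfg: GateConfig = GateConfig()) -> bool:
    """Governance checkpoint: the bot ships only if it clears the benchmark threshold."""
    return evaluation_accuracy(benchmark, answer_fn) >= cfg.min_eval_accuracy

def route_query(query: str, answer_fn, cfg: GateConfig = GateConfig()) -> Decision:
    """Fallback mechanism: unknown intents or low confidence go to a human agent."""
    intent, confidence = answer_fn(query)
    if intent == "unknown" or confidence < cfg.min_confidence:
        return Decision.ESCALATE
    return Decision.ANSWER

def rollback_reasons(m: LiveMetrics, cfg: GateConfig = GateConfig()) -> List[str]:
    """Rollback triggers: predefined conditions that should suspend the deployment."""
    reasons = []
    if m.conversations and m.escalations / m.conversations > cfg.max_escalation_rate:
        reasons.append("escalation_rate")
    if m.baseline_calls_per_hour and m.calls_per_hour / m.baseline_calls_per_hour > cfg.max_volume_ratio:
        reasons.append("call_volume_spike")
    return reasons

def deployment_state(m: LiveMetrics, cfg: GateConfig = GateConfig()) -> Decision:
    return Decision.SUSPEND if rollback_reasons(m, cfg) else Decision.ANSWER

if __name__ == "__main__":
    print("benchmark accuracy:", evaluation_accuracy(BENCHMARK, toy_answer))
    print("release gate passed:", release_gate(BENCHMARK, toy_answer))
    print("routing 'am i eligible for a home loan':", route_query("am i eligible for a home loan", toy_answer))
    spike = LiveMetrics(conversations=200, escalations=40, calls_per_hour=900.0, baseline_calls_per_hour=500.0)
    print("rollback reasons after spike:", rollback_reasons(spike))
```

With the constructed data the toy bot scores 0.8 on the benchmark and is held back by the release gate; the low-confidence loan-eligibility query is escalated rather than answered; and a live window in which call volume runs 1.8 times the baseline fires the call_volume_spike trigger even though the escalation rate is still within limits. The point of keeping each check as a named function is that the thresholds become reviewable policy rather than tuning buried in the bot.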
In the CBA case, such gates would have exposed weaknesses before the bot was unleashed on the public. Instead, the absence of enforcement allowed the bank to test its experiment in full view of customers, with predictable consequences.
Human Oversight: The Essential Safeguard
Both the EU AI Act and the NIST AI Risk Management Framework stress the principle of “human in the loop.” Oversight is not a formality; it is a safeguard against systemic failure.
For chatbots, this translates into dedicated monitoring of key performance metrics—customer satisfaction, escalation frequency, and compliance accuracy—combined with clear accountability roles. The NIST framework organizes its guidance into four core functions (govern, map, measure, and manage) and emphasizes trustworthiness traits such as accountability, transparency, and explainability.
CBA’s rapid crisis response—recalling staff to handle calls—was essentially a last-minute human intervention. With IG in place, oversight would have been proactive, not reactive, and reputational damage could have been avoided.
Auditability and Liability
Audit trails are no longer optional in AI deployment—they are a regulatory expectation. IG ensures that every stage of the chatbot’s lifecycle, from training to live interaction, is logged and reviewable.
The stakes are rising. The Revised EU AI Product Liability Directive—which covers AI systems and software and must be implemented by December 2026—acts as the primary legal framework for product liability, including risks from AI. If a chatbot misinforms a customer about loan terms or account obligations, institutions could face product liability claims alongside regulatory fines. Logs documenting chatbot outputs, escalation pathways, and oversight decisions are not just operational aids—they are legal shields.
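A log only serves as a legal shield if it can be shown not to have been altered after the fact. The following is an added example written for this post, not CBA's or any vendor's code: an append-only audit trail in which each record (training approvals, live interactions, escalations, oversight decisions) carries a SHA-256 hash over its own fields and the previous record's hash, so that editing or removing any entry is detectable on review. The entries, timestamps and role names are constructed sample data.

```python
import hashlib
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first record

def _digest(fields: Dict, prev_hash: str) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible on review."""
    payload = json.dumps({"prev": prev_hash, **fields}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class AuditTrail:
    """Append-only, hash-chained log of a chatbot's lifecycle events."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, **fields) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = dict(fields)
        record["prev"] = prev
        record["hash"] = _digest(fields, prev)
        self.entries.append(record)
        return record["hash"]

    def verify(self) -> Optional[int]:
        """Return the index of the first record that breaks the chain, or None if intact."""
        prev = GENESIS
        for i, record in enumerate(self.entries):
            body = {k: v for k, v in record.items() if k not in ("prev", "hash")}
            if record["prev"] != prev or _digest(body, prev) != record["hash"]:
                return i
            prev = record["hash"]
        return None

def build_sample_trail() -> AuditTrail:
    """Constructed lifecycle: training sign-off, a live answer, an escalation, a rollback decision."""
    trail = AuditTrail()
    trail.append(ts="2025-03-01T09:00:00Z", stage="training", event="dataset_approved",
                 dataset="faq_2025q1", approver="ig-officer")
    trail.append(ts="2025-03-10T10:15:02Z", stage="live", conversation="c-1001",
                 query="what is the overdraft fee", response="The overdraft fee is listed in your fee schedule.",
                 decision="answer")
    trail.append(ts="2025-03-10T10:16:40Z", stage="live", conversation="c-1002",
                 query="am i eligible for a home loan", decision="escalate", handoff="human-queue")
    trail.append(ts="2025-03-10T11:30:00Z", stage="oversight", event="rollback",
                 reason="call_volume_spike", approver="ops-manager")
    return trail

def tampered_index(trail: AuditTrail, index: int, field: str, new_value) -> Optional[int]:
    """Simulate an after-the-fact edit and report where verification first fails."""
    trail.entries[index][field] = new_value
    return trail.verify()

if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())  # None
    print("after editing record 1:", tampered_index(trail, 1, "response", "No overdraft fee applies."))
```

Verification walks the chain from the genesis anchor, so a rewritten chatbot response, a changed reviewer name or a deleted escalation record all surface at the first affected index. In practice the final hash would also be periodically exported to a separate system (a write-once store or a ledger the chatbot team cannot modify) so that the whole chain cannot be silently regenerated.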
Training and Culture: Beyond the Engineering Team
The governance of AI chatbots cannot rest solely on technical staff. Compliance officers, customer service managers, and executives all play a role in embedding IG into operations.
The AIGP framework reminds us that AI systems are socio-technical—shaped not just by data and code but by human judgment, organizational culture, and customer expectations. Building a culture of compliance by design means ensuring that frontline staff, executives, and engineers all understand how their decisions intersect with AI governance.
Scenario-based training, where teams rehearse chatbot incident responses, significantly improves both detection speed and mitigation effectiveness. This is essential when human error—still the root cause of most breaches—can be magnified exponentially by automated systems.
Turning Risk into Opportunity
When deployed under IG guardrails, AI chatbots can deliver enormous benefits. Banks gain the ability to provide around-the-clock service, scale to meet customer demand, and deliver consistent information.
More importantly, institutions that embed IG principles into their AI deployments build trust. Customers who know their bank prioritizes accuracy, accountability, and compliance are more likely to adopt digital channels. Regulators, too, view these institutions more favorably, reducing the resource strain of inquiries and investigations.
Conclusion: AI Needs IG to Earn Trust
The CBA chatbot episode illustrates a universal lesson for financial institutions: AI without governance is not innovation—it is risk magnified. Chatbots are not just IT projects; they are customer trust projects, compliance projects, and brand reputation projects.
Information Governance best practices provide a crucial framework for ensuring that regulated-industry AI systems deliver value rather than liability. By embedding provenance tracking, policy enforcement, human oversight, and auditability into the chatbot lifecycle—and aligning with frameworks like the EU AI Act and NIST AI RMF—banks can turn AI into an enabler of trust instead of a source of crisis.
The message is clear: banks may power their future with AI, but only IG will make that future sustainable.