Hong Kong Firms Face Rising AI Governance Risk as EU AI Act Deadline Nears

With AI adoption now mainstream but governance still immature, new Robossist survey benchmarks APAC financial services readiness ahead of the EU AI Act’s August 2026 application date

HONG KONG—Hong Kong’s financial services sector is adopting AI faster than its governance infrastructure can keep up. According to McKinsey’s 2025 “State of AI” analysis, 88% of organizations now report using AI in at least one business function, up sharply from 55% in 2023. Yet most companies remain in the early stages of responsible AI maturity. A 2025 cross-industry survey that assessed 1,500 organizations against a four-stage responsible AI maturity scale found that 81% were still in the first two stages. Separate research on AI governance shows that smaller companies lag in assigning clear accountability: only 36% of small firms report having a dedicated AI or data governance officer, compared with over 60% of larger enterprises.

For Hong Kong’s internationally connected financial institutions, this gap now has direct regulatory consequences. The European Union’s Artificial Intelligence Act entered into force in 2024 and is being phased in over several years. Most of the remaining provisions, including key obligations for high-risk AI systems and enforcement mechanisms, take effect from 2 August 2026. The Act has extraterritorial reach: non-EU providers and users of AI can fall within scope where AI systems, or their outputs, are placed on the EU market or used in the Union, even if the systems are developed or hosted elsewhere. That means Hong Kong institutions providing AI-enabled services to EU clients, counterparties or markets cannot treat the EU AI Act as a distant European issue; it is a concrete compliance obligation with a defined timeline. 

Domestically, regulatory expectations around AI are hardening. On 19 August 2024, the Hong Kong Monetary Authority (HKMA) issued a circular on “Consumer Protection in respect of Use of Generative Artificial Intelligence,” setting out guiding principles for customer-facing GenAI applications. The circular requires authorized institutions to put in place ongoing monitoring of GenAI outputs, provide mechanisms for human intervention, and offer customers options to opt out or request human review where practicable. The HKMA has also expanded its earlier guidance on the use of big data analytics and AI to emphasize governance, transparency, and data protection as core expectations for banks.

Beyond banking, other Hong Kong financial regulators are moving in parallel. The Securities and Futures Commission (SFC) has issued principles for licensed corporations using generative AI language models in regulated activities, covering model validation, ongoing monitoring, cybersecurity and third-party provider risk. Together, these developments create an environment where AI use is encouraged, but only where firms can evidence adequate controls, documentation and senior management accountability. The result is a patchwork of circulars and guidance rather than a single unified AI statute, leaving institutions to interpret and align requirements from multiple regulators at once.

“The conversations I’m having with compliance leaders and CISOs across Hong Kong keep returning to the same structural issue,” said Dhruv Jain, Founder of Robossist, an AI governance consultancy based in Hong Kong. “Teams want to use AI, and leadership wants to see adoption. But the layer that tells employees what they can and cannot do with these tools, and records those decisions in an auditable way, is missing in most organizations. That missing layer is what turns AI adoption into AI risk.” 

MEASURING THE GAP: NEW REGIONAL SURVEY

To move the discussion from anecdote to data, Robossist has launched an AI Governance Readiness Survey targeting compliance officers, CISOs, heads of technology and operational risk leaders across the Asia-Pacific financial services sector. The survey is designed to establish a clear baseline of how far institutions have progressed in translating AI ambition into practical governance.

The survey focuses on four areas: current AI usage and internal policy status; governance committee structures and approval workflows; awareness and preparedness for the EU AI Act and regional regulatory guidance; and budget allocation for AI-related compliance infrastructure. All participants will receive anonymized, aggregated results when the survey closes, providing a benchmarking tool to compare their own readiness against industry peers across APAC.

“Most leaders suspect their organizations are behind on AI governance, but they lack concrete benchmarks,” Jain said. “This survey is intended to show where the real gaps are, by sector, by size and by function, so firms can prioritize investment before the EU AI Act’s 2026 deadline.”

THE GOVERNANCE INFRASTRUCTURE PROBLEM

Emerging evidence suggests that formal governance pays off. Recent industry analyses indicate that organizations with structured AI governance frameworks experience significantly fewer compliance incidents and higher rates of successful AI deployment than those relying on ad-hoc oversight. At the same time, most enterprise AI stacks now rely on third-party models and services, from foundation models and APIs to vendor-hosted platforms. Regulators have consistently emphasized that outsourcing technology does not outsource accountability: regulated firms remain responsible for how AI is used in their business, regardless of whether models are built in-house or procured from external providers. 

Robossist works with regulated organizations to design and implement AI governance infrastructure that fits within existing risk and compliance frameworks. This includes systems that classify AI requests by tool, data type, use case and requester role; apply policy-driven rules to approve, deny or escalate requests; and maintain comprehensive audit trails of AI-assisted decisions. By replacing informal judgment calls with documented workflows, institutions can reduce operational risk while enabling responsible experimentation with new AI capabilities.

“The GDPR created a compliance ecosystem almost overnight,” Jain noted. “The EU AI Act will have a similar effect, but with AI systems embedded much more deeply into core processes. Firms that build governance infrastructure now will be able to move faster and with more confidence as enforcement kicks in. Those that wait will be trying to retrofit controls under regulatory pressure.”

SURVEY PARTICIPATION AND CONTACT

The AI Governance Readiness Survey is open to compliance, risk, technology and operations leaders across APAC financial services. Participation takes approximately five minutes, and all responses are anonymized.

To participate or learn more about Robossist’s AI governance advisory services, visit robossist.com or contact Dhruv Jain at dhruv@robossist.com.

ABOUT ROBOSSIST

Robossist is a Hong Kong-based AI governance consultancy that helps regulated organizations build policy infrastructure for AI adoption. Its services include AI governance assessments, policy and control framework design, implementation of AI usage approval and monitoring systems, and ongoing compliance advisory. Founded by Dhruv Jain, Robossist works with banks, insurers and technology firms across the Asia-Pacific region. 
