Summary
- The FCA’s operational resilience page now points firms to CMORG guidance on frontier AI and cyber security.
- CMORG says advanced AI capabilities could increase the speed, scale, and sophistication of cyber threats.
- The guidance gives financial institutions a practical route for assessing vulnerability discovery, exploitation timelines, suppliers, and governance.
The Financial Conduct Authority has directed firms towards new guidance on frontier AI and cyber security, linking advanced model capability with operational resilience in UK financial services.
The regulator’s operational resilience page now highlights work by the Cross Market Operational Resilience Group, known as CMORG, whose AI taskforce has published guidance for firms preparing for frontier AI. CMORG says advanced AI capabilities will materially increase the speed, scale, and sophistication of cyber threats, reducing the time available for vulnerability discovery, exploitation response, and remediation.
The FCA says the guidance sets out 38 key activities and 31 questions. That gives firms a practical baseline for assessing how frontier AI could change cyber risk, incident response, technology governance, supplier oversight, and resilience planning.
CMORG is co-chaired by the Bank of England and UK Finance, with the FCA as a member. Its guidance follows a May joint statement from the Bank of England, FCA, and HM Treasury on frontier AI models and cyber resilience. The authorities described frontier models as a source of potential defensive benefit and new threat capability.
The FCA’s operational resilience resource page already requires firms to consider important business services, impact tolerances, mapping, testing, and third-party dependencies. Frontier AI adds a faster-moving technical pressure to that framework. A model that accelerates code analysis, vulnerability discovery, phishing, fraud automation, or exploitation can change the assumptions behind recovery time, patch prioritisation, and control effectiveness.
The financial-sector concern is not confined to attackers using AI. Defensive processes built around human-paced triage and manual investigation may not keep up with machine-assisted attack development. Vulnerability management, threat intelligence, software assurance, red teaming, fraud controls, and identity monitoring all depend on time. When AI shortens attack development cycles, resilience planning has to account for shorter decision windows.
Introducing frontier AI into security operations without governance creates its own exposure. Systems that support detection, code review, alert enrichment, and incident analysis may also connect to sensitive data, internal tooling, privileged workflows, or production systems. Model access, prompt logging, data retention, supplier assurance, testing, and human approval points all become part of the control environment.
The guidance lands in a sector already dealing with DORA in the EU, UK operational resilience rules, cyber insurance scrutiny, cloud concentration, and rising board accountability for technology outages. Frontier AI cannot sit apart from those obligations once it appears inside security operations, software development, fraud detection, customer interaction, or third-party services.
Firms will need to identify where AI is already being used across the estate. That includes sanctioned tools, developer assistants, outsourced managed services, vendor features embedded in security products, and informal employee use. Without that map, a firm cannot assess whether AI has changed attack exposure, resilience assumptions, or the evidence needed for supervision.
The FCA has not turned CMORG’s guidance into a formal rulebook. Its decision to direct firms towards the work still gives supervisors a clear reference point. When a credible emerging threat affects important business services, firms will need to show how the risk has been assessed, governed, and tested.





